Company: NautaDutilh
Client in lead: Dennis Langhorst
Client's role: CISO
When Dennis Langhorst started as CISO at NautaDutilh (an international law firm), the organisation was at the beginning of its true digitization. Almost everyone still had a fixed workplace with a desktop and hardly anyone worked from home. At that time, NautaDutilh only had a corporate website and its online presence was still rather limited.
From that moment on, major steps have been taken together with the ICT and Innovation team. All employees can now work from home. In addition, NautaDutilh now has Portals to work with clients and offers several online services to its clients. However, digitization also requires a different approach when offering online services, and security has become increasingly important throughout the process.
“Close to 1000 people work for NautaDutilh. We have offices in Amsterdam, Rotterdam, Brussels, London, Luxembourg and New York.”
“It’s all the way at the top, where it should be, and is part of our strategy and company policy. We’re an international law firm and, just like every lawyer that works for us, we’ve promised our clients that we will treat their information with confidentiality and integrity. Every client can trust that we do absolutely everything we can to secure and protect their data. The same goes for our employees.”
“I’m the CISO for NautaDutilh and I report to the Executive Committee and the Director of ICT and Innovations. My team consists of three people that are specialized in security on a strategic level. On an operational level, we rely on facility management, IT management and other departments to stay on top of our security game.”
Dennis Langhorst, CISO at NautaDutilh
“My name is Dennis Langhorst, I’m 40 years old, and I’ve been working for NautaDutilh since 2007. First as an IT consultant and from 2012 until now as CISO.”
“Remember when the ILOVEYOU virus emerged in 2000? That’s when I decided I wanted to work in IT Security. It was so simple and yet so effective; it blew my mind and captured my imagination. It stuck, and well, here I am. What’s left of that inspiration is that I still look closely at recent and past security incidents to learn from and improve our own security.”
“When I started, there was already a very high level of awareness among all NautaDutilh employees about the importance of integrity and confidentiality, and thus security. That made life much easier for me as CISO. On the other hand, NautaDutilh was just starting in the field of digitalization.”
“Well, not head over heels. We had to do this together, from a business and IT (security) perspective, and we really took the time for it because it was so important for the future of the company. To get to where we are now, we mapped out all business processes, from what happens between the opening and closing of a case to how employees communicate with clients. Having, and, more importantly, understanding this information was vital to catch up and lay the foundation for a fool- and future-proof IT security structure.”
“First of all, what I like about Zerocopter is that through them, I have access to a wealth of knowledge and skills. Not of just one person, but of a whole group of experts that understand my ‘language’. That’s one reason. Secondly, we’ve partnered up with them to constantly improve our IT security. Some people believe that it can be done through audits alone, but those are for compliancy – not the real improvements. For that, you really need the services Zerocopter offers.”
“Spotless until now. If they keep this high level of service up, I’ll never have to complain about them. Which is a shame, because complaining is a Dutch tradition.”
“It was my pleasure.”
Continuous vulnerability management
“You have to know what you have, what the security level is and what vulnerabilities there are - and solve them immediately. Furthermore, as a CISO you have to accept that the time of ‘if it isn’t broken, don’t fix it’ has passed.”
Invest in knowledge and people, not in tools and magic boxes alone
“My experience has taught me that suppliers are very good at telling what protection their products/services offer, but not the other way round. They’ll never tell you where their solution is insufficient.”
Stop accusing end-users
“Instead, do everything to improve your employees’ security awareness level and always keep in mind that people are prone to make mistakes. Take that into account when setting up IT security and don’t let it solely depend on the security awareness level of your colleagues.”