PostNL logo

PostNL and Zerocopter: provide cyber security services at the speed of business

Company: PostNL

Client in lead: Gunther Cleijn

Client's role: CSO

NautaDutilh Zerocopter

Another day, another client case. This time we speak to Gunther Cleijn, CSO at PostNL, about cyber security and working with Zerocopter.


After a career as an army reconnaissance specialist, Gunther went back to civilian life in 2008. From then on and before starting as a Cyber Security Officer at PostNL in 2017, he fulfilled several roles regarding digital risk in different business areas. Now, as a CSO at Holland's biggest and most important postal company, he’s responsible for all strategic and tactical cyber security challenges within the organisation, like running projects to improve PostNL’s digital risk profile. His personal goal is ‘to provide cyber security services at the speed of business’.

About PostNL and cyber security

Number of employees

“PostNL is a big company with more than 46.000 employees, of which the most are responsible for mail and parcel delivery.”

How is cyber security organised at PostNL?

“We have a Strategic & Tactical team, and a Tactical & Operational team, both with their own responsibilities in the cyber security field. The business side is represented by our so-called Cyber Security Champions.”

At what level of importance is cyber security for your organisation

“We can consider PostNL as an IT company that delivers mail and parcels where we rely heavily on data, so cyber security is at the highest level of importance.”

Dennis Langhorst

Gunther Cleijn, CSO at PostNL

“We can consider PostNL as an IT company that delivers mail and parcels where we rely heavily on data, so cyber security is at the highest level of importance.”

Gunther, when you started working at PostNL, what was the first thing you noticed from your point of view?

“Well, three things actually. What struck me positively was the high level of awareness of senior management for the importance of cyber security. The other was the professionality of all the people working at PostNL, and thirdly, the speed at which IT projects evolve - which is a positive that can turn into a negative if you’re not alert.”

And what were the first things you did to improve PostNL’s digital risk profile?

“One of the first things I initiated was additional reporting to the CIO and about cyber security related events to create and stimulate situational awareness. And if a product or service is developed and just a little bit of that awareness still lingers, then that counts as a profit for me and thus for PostNL.”

What goal(s) are you and your team working towards?

“The answer to this question is very simple as far as I am concerned: provide cyber security services at the speed of business. If my colleagues in the business or operations want real-time insight into our security profile, I have to be able to give them just that. 

Which results of your and/or your team’s work make you proud?

“What makes me most proud is that our team is working with the business, enabling our active involvement in projects and developments. It wasn’t always like this at PostNL, so I’m happy and proud that our efforts have resulted in this situation.”

Want to know everything about Zerocopter?

Download our brochure
Want to know everything about Zerocopter?

“The guys and girls of Zerocopter drop a report and give effective advice on how to solve the problem. That’s really worth gold.”

“As Warren Buffett once said: ‘It takes 20 years to build a reputation and 5 minutes to ruin it’. If you think about that and let it sink in, you'll do things differently.”

What has been an eye-opener or something about which you can now say “we (or I) should have done this much earlier”?

“About six years ago I started working together with other organizations for sharing knowledge and experiences in the field of cyber security. This is how we, together, try to bridge the existing information gap. Looking back, I, or we, should’ve done this much earlier because it’s not only helping me and PostNL but all the other organizations as well.

What is a neglected child in IT security? What should be given more attention to?

“To be honest: if you look at how and how little threat-information is being shared now, then much can be improved. The situation we have now is that organisations and individuals are at risk without even knowing it. And that’s bad, because the impact of organizations like PostNL being hacked, is huge. As far as I am concerned, that is also a neglected child: organizations tend to forget that they are dependent on each other. For example, if our business is compromised, online retailers will feel the pain as well, and vice versa.”

Working on cyber security can be complicated, with a constant arms race against cyber criminals. How do you manage that? 

“Collaborate the way they do, because it’s too complicated to do it on your own. This is exactly why we’re working together with Zerocopter. I don’t see it as an arms race, because that suggests that we’re constantly in defensive mode, awaiting attacks. That’s not the case, since we’re actively working on our defences.”

Why and for what did you partner-up with Zerocopter?

“I met Zerocopter when I had just started working at PostNL. From that moment on I was immediately charmed by the concept and the people behind it, because I like working with people that think out of the box and are not limited by company boundaries. What I also like, is that Zerocopter plays a really important role in bringing ethical hackers and organisations and businesses together. We started out with Zerocopter for running our responsible disclosure program. From there on we expanded to the bug bounty programs. Currently, together with Zerocopter, we’re looking into an alternative for the traditional pentest, a method that suits our fast-paced way of working better.”

And how’s the cooperation going so far?

“Good! We just started a new bug bounty program which has shown that there is real commitment from the hackers who participate in it. Most of them have worked with and for us before, which is great. And what’s really worth gold is that those guys and girls don’t just drop a findings report on your desk, they drop a report and give effective advice on how to solve the problem. So in short, I’m really happy with the cooperation.”

Final question: which insight does every organisation in your industry need to have regarding cyber security?

“Cyber security is a must-have if you have a presence in the digital domain. It’s not some kind of nice-to-have or status symbol. As Warren Buffett once said: ‘It takes 20 years to build a reputation and 5 minutes to ruin it’. If you think about that and let it sink in, you'll do things differently. Put that in the context of cyber security and you realize how important it is.”

That’s all, thanks Gunther!

“The pleasure was all mine.”

Three security must-do’s according to CSO Gunther Cleijn

Sharing is caring
“Threat intel needs to be shared more proactively between organisations and businesses, whether they are critical or not, to facilitate better decision making. This doesn’t mean buying more threat intel or hiring another consultant. Put your organisation in the actual operational context and then decide what the change in information need is.”

Practice what you preach
“Actually practice digital risk strategies instead of focussing on checkmarks. Digital risk is just another (though complex) business risk that can negatively impact every investment made in organisations.”

Educate the ignorant
“Show them in what context they operate and what they can do to minimize the negative impact of digital risks."

Zerocopter Read the Survival Guide

Download our brochure

Get to know everything about Zerocopter