Company: PostNL
Client in lead: Gunther Cleijn
Client's role: CSO
Another day, another client case. This time we speak to Gunther Cleijn, CSO at PostNL, about cyber security and working with Zerocopter.
After a career as an army reconnaissance specialist, Gunther went back to civilian life in 2008. Between then and starting as a Cyber Security Officer at PostNL in 2017, he fulfilled several roles regarding digital risk in different business areas. Now, as a CSO at Holland's biggest and most important postal company, he’s responsible for all strategic and tactical cyber security challenges within the organisation, like running projects to improve PostNL’s digital risk profile. His personal goal is ‘to provide cyber security services at the speed of business’.
“PostNL is a big company with more than 46.000 employees, most of whom are responsible for mail and parcel delivery.”
“We have a Strategic & Tactical team, and a Tactical & Operational team, both with their own responsibilities in the cyber security field. The business side is represented by our so-called Cyber Security Champions.”
“We can consider PostNL as an IT company that delivers mail and parcels where we rely heavily on data, so cyber security is at the highest level of importance.”
Gunther Cleijn, CSO at PostNL
“Well, three things actually. What struck me positively was the high level of awareness of senior management for the importance of cyber security. The other was the professionality of all the people working at PostNL, and thirdly, the speed at which IT projects evolve - which is a positive that can turn into a negative if you’re not alert.”
“One of the first things I initiated was additional reporting to the CIO and about cyber security related events to create and stimulate situational awareness. And if a product or service is developed and just a little bit of that awareness still lingers, then that counts as a profit for me and thus for PostNL.”
“The answer to this question is very simple as far as I am concerned: provide cyber security services at the speed of business. If my colleagues in the business or operations want real-time insight into our security profile, I have to be able to give them just that.”
“What makes me most proud is that our team is working with the business, enabling our active involvement in projects and developments. It wasn’t always like this at PostNL, so I’m happy and proud that our efforts have resulted in this situation.”
“About six years ago I started working together with other organizations for sharing knowledge and experiences in the field of cyber security. This is how we, together, try to bridge the existing information gap. Looking back, I, or we, should’ve done this much earlier because it’s not only helping me and PostNL but all the other organizations as well.”
“To be honest: if you look at how and how little threat-information is being shared now, then much can be improved. The situation we have now is that organisations and individuals are at risk without even knowing it. And that’s bad, because the impact of organizations like PostNL being hacked is huge. As far as I am concerned, that is also a neglected child: organizations tend to forget that they are dependent on each other. For example, if our business is compromised, online retailers will feel the pain as well, and vice versa.”
“Collaborate the way they do, because it’s too complicated to do it on your own. This is exactly why we’re working together with Zerocopter. I don’t see it as an arms race, because that suggests that we’re constantly in defensive mode, awaiting attacks. That’s not the case, since we’re actively working on our defences.”
“I met Zerocopter when I had just started working at PostNL. From that moment on I was immediately charmed by the concept and the people behind it, because I like working with people that think out of the box and are not limited by company boundaries. What I also like, is that Zerocopter plays a really important role in bringing ethical hackers and organisations and businesses together. We started out with Zerocopter for running our responsible disclosure program. From there on we expanded to the bug bounty programs. Currently, together with Zerocopter, we’re looking into an alternative for the traditional pentest, a method that suits our fast-paced way of working better.”
“Good! We just started a new bug bounty program which has shown that there is real commitment from the hackers who participate in it. Most of them have worked with and for us before, which is great. And what’s really worth gold is that those guys and girls don’t just drop a findings report on your desk, they drop a report and give effective advice on how to solve the problem. So in short, I’m really happy with the cooperation.”
“Cyber security is a must-have if you have a presence in the digital domain. It’s not some kind of nice-to-have or status symbol. As Warren Buffett once said: ‘It takes 20 years to build a reputation and 5 minutes to ruin it’. If you think about that and let it sink in, you'll do things differently. Put that in the context of cyber security and you realize how important it is.”
“The pleasure was all mine.”
Sharing is caring
“Threat intel needs to be shared more proactively between organisations and businesses, whether they are critical or not, to facilitate better decision making. This doesn’t mean buying more threat intel or hiring another consultant. Put your organisation in the actual operational context and then decide what the change in information need is.”
Practice what you preach
“Actually practice digital risk strategies instead of focussing on checkmarks. Digital risk is just another (though complex) business risk that can negatively impact every investment made in organisations.”
Educate the ignorant
“Show them in what context they operate and what they can do to minimize the negative impact of digital risks.”