Since September 2024, Matthijs van Amelsfort has been director of the National Cybersecurity Center (NCSC). After a career in cybercrime detection with the police, his focus shifts to prevention and crisis management. Giving space to professionals characterizes his leadership style. "Keep an eye on the ball and especially on the team."
Van Amelsfort witnessed the development of the cybersecurity field from the beginning. In 2001, he worked as a digital forensics investigator with the police on his first hacking case. "A very different time. The awareness of hackers, for example, was not yet high; they hardly shielded their own identity." The cyber world has totally changed since then. "Digitalization has increased explosively, hackers are becoming more and more resourceful; with that, cyber threats are increasing. I have witnessed that growth up close in the police force."
He chose leadership positions in the cyber field after a time because he felt that cyber knowledge is also important in them. "As a subject matter expert, I often thought: how is anyone going to defend my interests if I have to keep explaining to them what an IP address is?" His background helps him better understand what cyber experts need to function properly. "I think that recognition is nice." At his farewell to the police force, he was presented by his colleagues with presented him with a 'Blue Heart'(link to other website), in appreciation for his pleasant manner of leadership and the space he gives for development.
Cybercrime differs from other crime in a number of ways, explains Van Amelsfort "You can't 'arrest your way out of it,' but rather you have to do a lot of work on resilience against it. In this context, I often use a saying by Loesje: 'It's nicer mopping up when someone is fixing the faucet.' With the knowledge and experience I bring from the police, it is nice to work at the NCSC on that stronger resilience. I get a lot of energy from that."
That energy is certainly needed, as the NCSC is on the eve of some major changes. The Cybersecurity Act - the implementation law for the NIS2 directive - is coming, which will greatly increase the number of organizations the NCSC serves. This will make the NCSC the go-to agency for cybersecurity within the government. To that end, it is merging with the Digital Trust Center (DTC), among others. With the DTC Act(link to other website) the new NCSC will from now on also inform and advise the non-vital business community about digital vulnerabilities, cyber threats and incidents.
To serve this rapidly growing target group timely and well, Van Amelsfort is committed to further developing data-driven work at the NCSC. "Speed is crucial in the cyber world. The enormous task we face requires more data-driven processes so we can execute. In addition, the NCSC is receiving more information, for example, because of the reporting obligation in the Cybersecurity Act(link to other website); our information position continues to increase."
Cyber resilience is kind of a puzzle, he says. "Everyone has their own piece of information about digital incidents and threats; you have to get that together for the overall picture." Data-driven collaboration brings that information together. "Only then can we understand what is going on and determine how we can best protect the Netherlands together. The NCSC cannot do that alone, but so can the police and intelligence services and even the government as a whole. Public-private cooperation is therefore very important."
Van Amelsfort explains the role of the NCSC in a crisis using an example. "Suppose a hospital is the victim of a cyber attack. Our role is then to cooperate with Z-CERT(link to other website) (the CERT for healthcare institutions, ed.) to understand as quickly as possible what is going on in terms of cyber: what vulnerability caused the incident? Who and what should we connect to ensure that the hospital's systems are back up and running as soon as possible? What can we do to prevent other organizations from becoming victims as well? What is the action perspective? Who should we inform, who should we notify? Perhaps this vulnerability also plays out in the energy sector. So that information also has to flow between the sectors." That task of the NCSC is always to in three pillars, he argues: "Understanding, connecting, preventing." For the NCSC, it is important here that we can share the information we collect across sectors. To that end, the public-private collaboration within the Cyber Resilience Network(link to other website) Netherlands is crucial.
The Cybersecurity Assessment Netherlands 2024(link to other website) shows large and diverse threats. As a result, awareness of cyber risks is increasing, Van Amelsfort observes. "With the geopolitical tension and the threat that comes with it, there is more realism. It's up to executives to take that next step, and translate that awareness to the organization. What are your crown jewels; what do you have to protect? And how is that managed? As a director, can you sleep well with that situation?"
That administrative responsibility for cybersecurity policy is therefore included in the Cybersecurity Act. Van Amelsfort sees the NCSC's role in this more at a distance. "The NCSC offers a lot of tips and advice and is happy to think along, the responsibility lies with the organization itself."
How can an executive get properly in the cybersecurity saddle? That has to be organized. "Look at what you need within your own processes. For example, good unbiased information is crucial, because you need to understand what's going on in order to make the right decisions. Therefore, make sure you also have the good people next to you to interpret that information."
This is especially true in a cyber crisis situation, something that can happen to any organization. Van Amelsfort advises leaders of a crisis team to also keep an eye on the human aspect: "Keep an eye on the ball, but also on the team." He explains, "In a crisis, you often notice that the leadership style becomes more directive, because decisions have to be made quickly. But you have to find a balance in that, to be well informed about the impact of your decisions. That requires you to give space to the professionals. There is the question: are you running a sprint or is it a marathon? That obviously requires something different from the setup and how you deploy your people."
Once the crisis is resolved, the aftercare phase is crucial to learn lessons from the events. "We as NCSC also learn from this every time. It is important to look in retrospect at how things went. And then what does that mean for our organization? How can we then do our work even better? But aftercare is also for the employees themselves. The impact of a cyberattack can affect people at affected organizations."
The Government-wide Cyber Program also aims to involve the Caribbean part of the Kingdom. Van Amelsfort worked for the police for some time in Curaçao. "It is good to join forces in the Cyber Resilience Network and make sure we exchange as much information with each other as possible, because cyber resilience obviously does not stop at country or municipal borders." Yet there are also differences that matter. "We have to look mainly at what fits there, i.e. the local context, in the advice we give."
This is how it works for all the collaborations the NCSC enters into. "Every desire for collaboration starts with the question: what exactly is the need? And what are the legal possibilities in that collaboration? Ultimately, you also want to ensure in a data-driven way that you can share the information as quickly and well as possible. So that they can also act timely and appropriately and the resilience goes up." That takes time. In the meantime, much can already be done. "All our advice is also available for colleagues in the Caribbean part of the Kingdom on NCSC.nl."
This cyber interview is brought to you by the Government-wide cyber program organized on behalf of the Ministry of the Interior and Kingdom Relations. Also appeared in this series:
Interview with Jori Kalkman of the Defense Academy: "Big impact on the people who have to solve crises"
Interview Art de Blauw: "Taking digital resilience to the next level together"
Interview with Simon Sibma and Arnoud Bakker (SVB): "The digital resilience of our organization is top priority"
