We need to stop reacting to events and start rethinking how we build our systems. This is the overarching message from Martijn Neef, Coordinator of Knowledge and Innovation Cybersecurity at the Dutch Ministry of Economic Affairs. According to Martijn, the current approach of constantly patching and fixing vulnerabilities is no longer sustainable.
This is especially true for mobile communication: in recent years mobile phones have grown to the point where people essentially carry their entire lives in their pockets, which makes every device a high-value target with a correspondingly large attack surface.
Finding a balance between security and usability
With a background in cognitive artificial intelligence and over twenty years of experience at TNO Defense and Security, Martijn began his role at the Ministry of Economic Affairs in 2023, where he works closely with dcypher and the National Cyber Security Centre. From his experience, he has seen the threat landscape expand and evolve—along with the security measures.
In mobile security, the fundamental challenge lies in finding the right balance between security measures and usability, says Martijn. As we add more security features and protective measures, devices become increasingly complex and less user-friendly. This complexity not only impacts end users but also creates challenges for suppliers who must manage an ever-expanding network of security measures, processes, and configurations.
“The question is whether the costs of usability will eventually outweigh the benefits,” Martijn states.
The current approach of constantly patching and fixing vulnerabilities is essentially like putting a band-aid on after the bleeding has started, he suggests. While more and more tech companies, such as Samsung and Apple, try to make security a selling point, the reality is that their systems remain vulnerable to attackers.
Back to basics
Martijn advocates for a fundamental shift in how we approach security design. Instead of continuously adding layers of security to existing systems, we should rethink how systems are built from the ground up. This includes not only the technical aspects but also the human elements, processes, rules, training, competencies, and what he calls the ‘rules of engagement.’
“If we look ten to fifteen years ahead, I think we need to rebuild our systems in a completely different way,” says Martijn. Many consumer electronics, including IoT devices, were not designed with security in mind from the start. This fundamental design flaw must be addressed at the system level, according to Martijn.
“We need to go back to basics,” says Martijn. “When it comes to mobile devices in organizations, we need to look at what we actually need. Anything we don’t need, we shouldn’t allow.”
More awareness is needed
Current security training within organizations is insufficient, Martijn argues. Security awareness should go far beyond the current approach of basic password training and generic security courses. “You need to learn to be alert, to recognize weak signals,” he explains. “Are my systems behaving strangely? Have I been somewhere that makes me more vulnerable? These are important questions you need to keep asking yourself.”
Organizations need to foster a culture in which everyone is aware of security implications, not just the security team. In practice that means every employee, not only technical staff, learning to notice abnormal system behavior and to recognize the situations in which they are more exposed. Many non-technical employees, however, struggle to identify security threats, and the fact that security teams are often quite isolated from the rest of the organization contributes to this problem, says Martijn.
Hybrid threats require hybrid perspectives
There are many organizations working on cybersecurity, but they can all suffer from a kind of tunnel vision, Martijn observes. “If you’re so focused on your own strategy and solutions, you can end up with a kind of entrenched worldview: I suffer from it too. But what if we could, in a good way, infect each other with new perspectives?”
The current threat landscape requires this, he adds. “We are under fire from hybrid threats coming from multiple angles, threats that are no longer standard. This means our standard approach is no longer good enough.” Therefore, we must remain open to alternative ways of thinking, says Martijn.
“Here in the cybersecurity world, we’ve been stuck in our creative innovation processes for a while. That needs to change.”
