Data is the New Uranium: Critical Infrastructure, CISOCommunity & AI with Dimitri van Zantvliet (NS)

Data is the New Uranium: Critical Infrastructure, CISOCommunity & AI with Dimitri van Zantvliet (NS)

A SecurityCafe special, recorded live at CISOday 2026 with Dimitri van Zantvliet — CISO & Cybersecurity Director at Nederlandse Spoorwegen (NS), Chairman of the CISO Community NL and co-founder of CISOday. Host Menno van der Horst is joined by co-host Quint Ketting for a wide-ranging conversation on what it actually takes to defend critical infrastructure in a world where the geopolitical, technological and threat landscape is shifting faster than ever. In this episode: - Why CISOday and the CISO Community NL exist, and how community accelerates maturity across the sector - Becoming a NIS1 critical entity in 2021 and how the war in Ukraine reshaped NS's threat model overnight - Belarusian railway wiperware, Iranian-aligned activity, and the recent railway incident in Florida - Working with NCSC, NCTV, AIVD, the Rail-ISAC and Dutch ISAC to exchange threat intel - Building an in-house CTI team of five — strategic, tactical, operational and technical - The NS Cyber Academy: training people from train drivers to office staff into cyber roles, plus SANS, CISSP and CISA tracks - Why stamina and curiosity beat a classic IT background when hiring — including the case for ex-Olympians, HYROX athletes and journalists - The cultural shift from "my threat intel is my IP" to active two-way sharing across the ecosystem - Supplier risk as a knock-out criterion: no ISO 27001 / SOC 2 Type 2, no business - AI and Gen.AI [http://Gen.AI] as the new frontier — from "data is the new gold" to "data is the new uranium" - Quantum on the horizon, and why the impact reaches far beyond encryption - The basics still decide everything: MFA, passwords, segmentation — and the move toward real-time patching - Autonomous agents as the next attack vector we don't yet fully understand - Historical parallels, from the AIDS Trojan on floppy disk to ILOVEYOU and SQL Slammer - Nassim Taleb's Antifragile — and why "prepare, respond, adapt" is the cycle every organisation needs - Cybersecurity is no longer an IT conversation; it's geopolitics, brand, and business continuity Book of the episode: - Antifragile — Nassim Nicholas Taleb About the guest: Dimitri van Zantvliet is CISO & Cybersecurity Director at NS, Chairman of the CISO Community NL and co-founder of CISOday. He joined NS five years ago and has led the organisation's response to the post-2021 shift in geopolitical and cyber risk affecting European critical infrastructure. Working at NS: Dimitri's team is hiring. If cybersecurity at one of the Netherlands' most critical infrastructure providers sounds like your kind of challenge, check the openings at werkenbijns.nl [http://werkenbijns.nl]. About SecurityCafe: SecurityCafe is hosted by Menno van der Horst with co-host Quint Ketting — an open conversation about the strategic, technical and human sides of cybersecurity. Produced by Quint Ketting. Subscribe wherever you get your podcasts. This CISOday special was made possible in partnership with Atos.

SecurityCafe Special | Mythos – Facts, Fiction and What You Need to Do Now

About this episode In this special edition of SecurityCafe, Quint Ketting and Koen Maris join host Menno van der Horst for an open, no-nonsense conversation about Mythos — Anthropic's frontier AI model expected to become more widely available around mid-August. No panic, no hype — just an honest look at what will actually change, and what your organization should already have been doing. ---------------------------------------- What we cover Mythos: revolution or evolution? Koen opens with a sharp reality check: if it takes five days to build an exploit today and Mythos brings that down to twenty hours — how much really changes? The hype around Mythos risks drawing attention away from what's already happening. Claude Opus 4.7 is already live, carrying many of the same capabilities, with barely anyone noticing. The real shift: accessibility The barrier to sophisticated attacks is dropping fast. It's not that experts are becoming more dangerous — it's the new wave of attackers without deep technical skills that warrants concern. Quint illustrates the point with his own experience using Claude: from building custom tools to recovering audio from a faulty recording. What this means for your organization * Cyber hygiene first. If your foundations aren't in order, you already have a problem — Mythos just makes it more visible and more urgent. * Third-party contracts. Patch response clauses of 90 days or more are no longer viable. Time to renegotiate. * Asset management. If you don't know what you have, you don't know what to protect. A scan often reveals 40% more assets than organizations think they manage. * Exposure management. Unmanaged assets are exactly where attackers will strike first. * Patch cycles. Microsoft recently released 250 patches in a single Patch Tuesday — normally 10 to 20. That pattern is not a coincidence. Prepare, Respond, Adapt Koen introduces the PRA framework: we are currently in a fragile peace. Use this window well. Organizations that prepare thoroughly will weather the storm quickly. Those that don't may find themselves in a prolonged and costly recovery. Frontier AI: the next buzzword — and what it actually means Mythos is part of a broader phenomenon. Vendors like Palo Alto are already embedding the same AI engines into their defensive toolsets. The question isn't whether this will affect you — it's whether you'll be ready. Project Glasswing & responsible disclosure Anthropic has given early access to a select group of major technology companies, resulting in both an explosion of patches and new AI-powered defenses. Responsible management of this capability is exactly the right approach — and a model the industry should follow. ---------------------------------------- Key takeaways * Start an internal working group now. Structure it with proper governance, board-level reporting, and weekly progress reviews. * Review your third-party agreements: do your SLAs still hold in a world of 24/7 patching? * Don't wait for Mythos to get your basics right. A low security maturity level cannot be fixed in two months. * Frontier AI is the bigger frame. Follow developments across Anthropic, Google, and others — not just the Mythos headlines. ---------------------------------------- Guests * linkedin.com/in/menno-van-der-horst-74710794 [http://linkedin.com/in/menno-van-der-horst-74710794] * linkedin.com/in/koen-maris [http://linkedin.com/in/koen-maris] * linkedin.com/in/quintketting [http://linkedin.com/in/quintketting]

Navigating the Future of Cybersecurity, Frontier-AI, and Society: Insights from the Security Café

SECURITYCAFE – LIESBETH HOLTERMAN, CYBERVEILIG NEDERLAND Hosts: Quint Ketting & Menno Recorded: Eindhoven Studio (our first ever in-person guest!) > We always say: Prepare. Respond. Adapt. — Quint's microphone broke mid-recording. We practiced what we preached. 🎙️💀 ---------------------------------------- ABOUT OUR GUEST Liesbeth Holterman is Managing Director of Cyberveilig Nederland [https://cyberveilignederland.nl/] — the Dutch trade association for the cybersecurity industry, focused on improving quality, transparency, and the digital resilience of the Netherlands. ---------------------------------------- WHAT WE DISCUSSED Data leaks — daily news, preventable problems Breaches are no longer weekly — they're daily. Social engineering, not sophisticated hacking, is the attacker's weapon of choice. The Odido case is a perfect example. Basic cyber hygiene remains the answer. Check your credentials: 👉 HaveIBeenPwned.com [http://HaveIBeenPwned.com] AI & Mythos — marketing or menace? Agentic AI can scan environments and find zero-days at scale. Bad actors have been using LLMs for a while already — what's new is that low-skill attackers now have access too. Bruce Schneier calls some of the fear "marketing hype" — but the underlying shift is real. The good news: in 4–5 years, defence will benefit just as much. 👉 Schneier on Security [https://www.schneier.com/] NIS2 & EU legislation Don't know where to start with cyber hygiene? Read NIS2 Article 21 — it's a solid baseline checklist. Legislation is finally getting boards to ask the right questions. 👉 NIS2 Directive [https://digital-strategy.ec.europa.eu/en/policies/nis2-directive] | Article 21 [https://www.nis-2-directive.com/NIS_2_Directive_Article_21.html] Dutch critical infrastructure The Netherlands' legendary efficiency — remote dikes, interconnected logistics, everything online — is also its biggest attack surface. The cybersecurity workforce of tomorrow AI will reshape roles like pen testing and SOC analysis. But the need for cyber professionals is still enormous. The sector isn't thinking strategically enough about what this means. Liesbeth's call: reach out, collaborate, have the conversation. 👉 cyberveilignederland.nl [http://cyberveilignederland.nl] ---------------------------------------- 🎬 RECOMMENDATIONS Quint → Hanna (Amazon Prime) A girl targeted by a CIA program for what an algorithm predicts she'll do — not what she's done. A thought-provoking lens on AI, surveillance, and pre-emptive power. 👉 IMDb [https://www.imdb.com/title/tt6932244/] Liesbeth → The Boys (Amazon Prime) Superheroes in the hands of a private corporation guided by profit, not public interest. Sound familiar? 👉 IMDb [https://www.imdb.com/title/tt1190634/] ---------------------------------------- SecurityCafe — because good security conversations deserve good coffee.

The Rise of the Agents & Modern Geopolitics

Host: Menno van der Horst Regular Guest & Chief Storyteller: Quint Ketting Special Guest: Jan Paul Oosterom (EMEA Regional Business Lead for Security, Microsoft) EPISODE SUMMARY In this episode, the trio dives into the rapidly shifting threat landscape. While geopolitical tensions remain the "elephant in the room," the real tactical shift is happening within the realm of AI Agents. Jan Paul explains why identity management is no longer just about people—it’s about governing the thousands of non-human entities now operating within corporate environments. The team discusses the "Assume Breach" mindset, the death of "badly written" phishing emails, and why protecting your Intellectual Property (IP) requires a deep understanding of who exactly is targeting you. ---------------------------------------- KEY TAKEAWAYS * The Identity of Agents: We are moving beyond managing human access. Organizations now face the challenge of managing non-human identities (AI Agents) that have their own permissions, access levels, and potential for "rogue" behavior. * Assume Breach as a Culture: Security isn't just a set of tools; it’s a mindset. "Assume Breach" means every employee and executive must operate with the default action of verifying before acting, especially regarding financial transactions or data access. * The Intellectual Property Target: Threat intelligence isn't one-size-fits-all. A camera manufacturer faces different risks (IP theft) than a national tax office (financial disruption). Knowing your "Why" helps you build the right "How." ---------------------------------------- TIMESTAMPED HIGHLIGHTS * [01:10] – Jan Paul Oosterom’s role at Microsoft and his remit across EMEA. * [03:45] – The "Elephant in the Room": Geopolitical risks and the pace of AI evolution. * [05:50] – The 10,000 Agent Problem: How one customer already has a massive fleet of autonomous agents running. * [07:20] – Deep dive into Identity Management: Protecting non-human identities. * [12:15] – The evolution of phishing: Why attackers are now "spot on" with their messaging. * [15:30] – The "Assume Breach" mindset: Moving from "Can we stop it?" to "How do we respond when it fails?" * [18:45] – Threat Intel: Identifying your specific enemies based on your business IP. * [24:10] – Closing thoughts: Why the Board needs to be challenged on security. ---------------------------------------- MEMORABLE QUOTES > "The days that we were able to easily recognize something bad are over." — Jan Paul Oosterom > "What you need to protect is probably not what you have budget for. You need to get those things in line." — Quint Ketting > "If you cannot truly verify that what you see is real or good—stop it and start asking questions." — Jan Paul Oosterom ---------------------------------------- THE RECOMMENDATION CORNER * Movie: Minority Report (Recommended by Jan Paul Oosterom) * Why: It explores the philosophical and ethical boundaries of "Predictive Systems"—how far can we go in flagging "criminal behavior" before a crime is even committed? * Quint was referring to a movie which was actually a Serie called: Hannah

Bonus Episode: The AI Shift: From Script Kiddies to Agentic Warfare

SECURITYCAFE PODCAST: BONUS EPISODE THE AI SHIFT: FROM SCRIPT KIDDIES TO AGENTIC WARFARE In this unplanned, deep-dive "after-talk," Menno Van Der Horst, Quint Ketting, and Max Heinemeyer peel back the curtain on the rapid evolution of AI in cybersecurity. Recorded just weeks after a massive shift in the landscape, the trio discusses why the "old ways" of hacking are being supercharged by AI agents and what this means for national resilience. ---------------------------------------- KEY TAKEAWAYS * The Scaling of Social Engineering: Data leaks (passports, IBANs, addresses) are no longer just static dumps; AI can now process these at scale to create hyper-personalized phishing campaigns for thousands of victims simultaneously. * The "Agentic" Shift: We are moving from static scripts to AI Agents. Unlike traditional malware, agents can make autonomous decisions, potentially making them more effective but also far more unpredictable and dangerous (the "Stuxnet with a brain" scenario). * The Defender’s Dilemma: While attackers don't care about "breaking" systems as long as they get in, defenders and penetration testers must remain deterministic and safe—a gap that AI is currently making harder to bridge. * Systemic Resilience: Cybersecurity is no longer just about protecting a single company; it’s about the "ecosystem." National security now depends on how well the entire supply chain—from big telcos to small vendors—is defended. ---------------------------------------- TIMESTAMPED HIGHLIGHTS * [00:41] The Four-Week Shift: Max explains how AI has hit the mainstream for both attackers and personal assistance (OpenCloud, NotebookLM). * [01:15] Weaponizing Data Dumps: How AI turns old-school data leaks into targeted, automated social engineering machines. * [02:45] From SQLi to Prompt Injection: Quint draws a parallel between the early days of SQL injection and the modern "hobby" of breaking LLM guardrails. * [04:48] Nation-State Guardrails: A look at how China and other actors use Western AI infrastructure and the risks of "spillover" (WannaCry style) in AI-led operations. * [08:27] The "Autonomous Stuxnet": What happens when an attack isn't run by a human, but by an agent with its own prompts? * [09:38] The Car Wash Paradox: Menno shares a hilarious (yet scary) anecdote about an AI losing the plot, illustrating why "hallucinations" in autonomous pen-testing are a major liability. * [12:39] The End of the Human Bottleneck: Max discusses how AI is removing the "human hands" requirement for vulnerability research and exploit development. * [16:40] The "Football Team" Analogy: Quint argues that cybersecurity needs to move past silos—even the best "players" (companies) lose if they don't play as a coordinated unit. * [21:17] Reason for Optimism: Why Max believes NIS2 and the rise of ML-driven SOC operations give defenders a fighting chance to regain the upper hand. ---------------------------------------- LINKS & RESOURCES MENTIONED * Backtrack / Kali Linux: The "old school" penetration testing roots. * DARPA Grand Challenge (2016): The early race for autonomous cyber defense (Shellphish & Mayhem). * NIS2 Directive: The evolving European legislation for cybersecurity. * Sven Herpig: Mentioned as a leading researcher on nation-state cyber policy.