Many cyber security firms focus on just two main items. The first is tools, technical stuff and software solutions; the other is rigidly ticking off checklists based on international standards and norms, of which there are so many.
That is pretty easy to do, and it has led to many cyber companies that may be classified as cyberclowns: yet another specialist who comes in, does something expensive without anyone understanding what or why, and then disappears. The effect is that customers are no longer seriously interested. That’s where the real danger is.
The real danger in the broad field of cyber security is not the bad guys. It is not the foreign state or non-state actors, but the intended victims: people who are oblivious, ignorant or have other priorities than security, and companies that consider cyber security too expensive, not necessary now (maybe next week), irrelevant, not ‘my cup of tea’, no time, too busy, nothing will happen anyway, not interested, or any other excuse to postpone to a later date or altogether.
Cyber security should focus much more on security awareness, training, education, and informing the public that cyber security is fun! It is sexy! It is lovely to do, and important. Just as important as getting your driver’s license, insurance, and wearing your safety belt when driving a motorcar. Only then is it time to discuss standards and software.
As long as cyber focuses on the wrong things, nothing will happen. As long as “information capabilities” is not a compulsory subject in primary and secondary schools, no one will take the matter seriously. Those are capabilities such as open source research, programming, validation techniques, network analysis, network configuration, etc.
(extract from the presentation I planned to deliver at CyberSec Netherlands 2025)