NIS2 offers opportunities!

Jan Martijn Broekhof

How would you briefly describe your company and services?

Jan Martijn Broekhof: ‘Guardian360 is a Dutch information security software house. We help managed service providers, IT service providers, web application developers and consultancy organizations to gain more control over their information security. We do this through subscription services that support their customers on the technical, preventive, process and detection side of information security. And we do this on the axis of people, process and technology.’

You are best known for your scanning software. Could you say that’s your crown jewel?

Broekhof: ‘No, it’s mainly the combination of services in our platform that sets us apart. Vulnerability scanning is certainly an important part, but those scans also feed our compliance module. As a result, we can not only provide technical preventive insight, but also support organizations to comply with standards and legislation such as NIS2. We combine this with detection of criminals in networks, which leads to a dashboard on which various insights come together.’

Are you mainly active in certain sectors or is it very diverse?

Broekhof: ‘It’s very diverse. We mainly focus on Managed Services Providers that primarily serve SMBs. Our end-customer portfolio includes a wide range of companies, such as administrative offices, factories, large webshops, and more. Anyone with office automation, a network and/or a web application can become a customer of ours. We do serve customers who already have the basics reasonably in order and who understand the importance of information security. At the same time, our pricing is appropriate for an SME organization that does not have a large budget for information security.’

Can you tell us something about the combination of modules you use?

Broekhof: ‘We have customers who outsource their IT management to partners who take care of system and network management. Many of these customers hear about advanced solutions like SIEM and SOC, but often can’t afford them or don’t have the people to use them. We offer a solution for this. We make a complete scan of the office automation environment every day. This provides insight into more than 150,000 potential vulnerabilities in a network’s security, such as weak passwords and new devices.’

‘In addition, we provide insight into compliance with standards such as NEN 7510, ISO 27001, and legislation such as GDPR and NIS2. If a criminal does penetrate a network, we quickly detect it and send a text message or e-mail alert to prevent high damages. Soon we will also introduce our mobile app, which can be used to receive push messages when there is an alert.’

With the advent of NIS2, your service becomes even more important, right? Especially since companies have a duty to report.

Broekhof: ‘Yes, that’s right. Our tooling is essential to be able to report data breaches, but of course we strive to prevent them as much as possible. With our scans, we map out all potential entry points through which something could go wrong, before anything happens. Because it is automated, little manual work is required, which is very convenient given the staff shortage in many IT departments.’

You are also involved in Cyber Safe Netherlands. Can you tell us a bit more about that?

Broekhof: ‘Yes, we were one of the eight parties that stood at the cradle of Cyber Safe Netherlands. In 2017, we noticed that many new entrants entered the information security market. It became increasingly difficult for end customers to separate the wheat from the chaff. Anyone could offer information security services, which led to a kind of wild west situation. We wanted to increase transparency and quality in our industry to help customers choose better and make them feel good about selecting the right providers.’

What has that initiative achieved so far?

Broekhof: ‘There are now more than 120 parties that are members of Cyber Safe Netherlands. We have released a cyber dictionary to translate complicated information security terminology into normal human language. We have also developed a quality mark for pentesters, which allows a customer to ask directly whether a provider has the quality mark.’

You work together with Samen Digitaal Veilig and the NIS2 Quality Mark. How do you view this from your expertise?

Broekhof: ‘What appeals to me is that companies can use this quality mark to demonstrate that they are doing their best to comply with new rules regarding cyber security without having to undergo a heavy certification such as ISO 27001 right away. It does not focus on scaremongering, but helps companies improve their security in a practical way. It’s also good that the RDI is behind it.’

What do you think of the NIS2 Quality Mark ladder model?

Broekhof: ‘The ladder model is attractive to SMEs because it offers them step-by-step initiatives. It shows that you don’t have to have everything perfect right away, but that you can start with basic cyber hygiene and grow from there. And that at some point it’s good enough. This model helps customers who are starting from scratch or who already have some foundation and want to grow further towards a more complete information security posture.’

Large companies will still opt for ISO 27001 standards, but what about smaller suppliers?

Broekhof: ‘Yes, for those smaller suppliers, who may not immediately see the resources or the need for a strict standard such as ISO 27001, the NIS2 Quality Mark seems to be a good fit. Their day-to-day business takes precedence, but cybersecurity remains important. The Quality Mark offers them a viable way to meet relevant security standards without being overwhelmed.’

In any case, the NIS2 regulations are coming. Do you notice that this is alive among your customers, or is there still a lot of work to be done to prepare them?

Broekhof: ‘It’s certainly alive, but at the same time we still have to work hard to get the message across in the right way. Many entrepreneurs are still somewhat overwhelmed by new regulations and legislation. They have questions such as “Who exactly has to comply, how do you arrange that and what will it all cost?” There is still a lot of clarity to be gained about this.’

How do you deal with the concerns of entrepreneurs and SMEs about regulations and their implications?

Broekhof: ‘As chairman of VNO-NCW in the province of Utrecht, I speak to a lot of entrepreneurs. We try to take a pragmatic approach to cyber security by providing concrete tips and advice without directly selling our products or promising immediate compliance. That seems to work well. We reassure organizations and tell entrepreneurs that they don’t have to undergo heavy certifications or fear fines right away. But at the same time, they have to get to work. NIS2 offers opportunities. If you can show that you have your affairs in order and your competitor doesn’t, then you have an advantage in tenders. This distinction between companies that do and do not comply will eventually separate the wheat from the chaff.’