Speaker intro: Melanie Rieback

5 September 2016

In anticipation of the SingularityU NL Summit, we will post an interview a day, each with one of the Summit speakers introducing us to their subject matter and the research area that they are so passionate about. This time we sat down with Melanie Rieback:

So tell us, who’s Melanie? 

I’m the CEO and co-founder of Radically Open Security. That’s a not-for-profit computer security consulting company. That means that we’re a computer security consulting company that is set up and optimized for the public good. We give back to the community and we’re trying to positively change the world with computer security. I don’t have to change the whole world, but we can use computer security to make people more secure, make organizations more secure. The world is becoming a data-driven place, as is the economy. As more of our life moves online, the greater the need for security.

 

In what way do you work differently from traditional security companies?

We test security systems of different kinds. We allow the stakeholder and whoever hires us, to actually look over our shoulder to watch what we’re doing so they can actively learn while we’re working.

We work in chatrooms and we invite customers and other stakeholders to join so they can hear everything we’re saying and see everything we’re doing when we hack a system or investigate an incident.

 

What are the exponential challenges in your field?

I think there’s a set of outdated opinions that security has to be closed and that security shouldn’t be shared. A lot of people think that you have to keep everything secret if you have some intrusion or data breach. The same with regards to internal security defenses and posture. Everybody feels that you have to hold cybersecurity information really tight to your chest and not share anything. The truth is that the attackers are working together, the attackers are also sharing with one another. If we don’t take a more open stance as defenders, a more giving and collaborative stance, we’ll never be able to defend ourselves.

I think that companies are reasonably aware that security is becoming an issue. All you need to do is open the newspaper to see examples of companies getting hacked or security going wrong. What companies aren’t aware of yet is that collaboration, data sharing and open source can provide incredibly great gains. But that defies common wisdom, thinking that secrecy and proprietary solutions are the answer. The truth is that everybody’s inventing their own wheels, we’re not working together, and we as a whole are less able to defend ourselves.

What organizations will benefit from the changes you’re achieving in your field?

We try to change the way of working and bring hackers together with people in industries, government. By sharing data and releasing our software in the open source we want to promote a sharing and collaborative attitude. On a grassroots level, but also on a commercial level we want to incentivize organizations to do the right thing.

Large organizations, whether it’s governments, healthcare providers or banks, have compliance requirements so they are required to have a certain number of audits on their systems. The problem is that there’s a compliance industry that consists of checkbox ticking. Trying to comply with minimal standards. The truth is, we can do much better than that. It requires quite a sweeping cultural change, an attitude change to take the emphasis from managers covering their risk to proactively pursuing solutions that make a meaningful and impactful difference.

Isn’t that wishful thinking?

A number of managers are quite open-minded. In particular, many security officers and chief information security officers come from the hacker community and understand that openness and information sharing are important things. But it’s their job to navigate the bureaucracy that they’re located within, to try and take some of their values and propagate these within their own organization. It’s only people who’re embedded within their own bureaucracies that can actually change their own bureaucracy. I can change the immediate environment that I’m in, myself and my company perhaps, but I can’t change everybody else’s company. I can try and get the right people in the right positions, I can try and get them thinking differently. Then they can change their own organization from their position.

We used to have linear ways of thinking in security. We need to move to more exponential ways of thinking. To put it in SingularityU terms: One of the problems is that there’s a scarcity mindset, we need to come up with our own security solutions. Thus we need to keep this for ourselves, we want to not share it with anyone. But again, this is extremely counterproductive and the point is that we need to start thinking in more exponential solutions. Being able to leverage networks and communities. We need to decentralize our solutions. We can’t keep trying to maintain tight control, because when we do, it tends to backfire.

I’m wording it this way because we just spent a week in San Francisco being trained with the Faculty of Singularity University. We met a lot of people, including Peter Diamandis. Throughout the week we heard a couple of their presentations and learned a bit of the lingo. As individuals we agree more with some things than with other things. But I do think that their optimism and their emphasis on building exponential platforms which you can then leverage are very appropriate for security.

 

Do you see big cultural differences between SingularityU The Netherlands and the United States?

I think that the culture of the Dutch SingularityU community is a bit different than the Singularity culture in Silicon Valley. This makes sense as the culture of the Valley is very different from The Netherlands. We’re probably a bit less commercial here. I think that the Netherlands is a very social country, some might even say, sorta socialist. Social-capitalist anyway. But I think that The Netherlands has always found a really great balance between commerce and business on the one hand, versus being social and taking care of its own citizens on the other hand. Well, it’s important. I think a certain amount of this is necessary to foster entrepreneurship. When I started my company in the Netherlands I knew that I wouldn’t fall through the cracks if I would’ve failed. I would at least be in a position to start over. I would probably have been a lot more risk averse had I lived in the United States.

One thing that American culture, especially the Bay Area, is extremely good at, is pushing change and taking risk. Could be personal risks, but especially organizational risk. They definitely have an entrepreneurial cowboy culture that the Netherlands doesn’t quite have.

In Dutch culture we have this phrase “doe maar normaal”: be normal and then you’re crazy enough. In the U.S. the attitude is “let’s be as crazy as possible and see what comes out of it.” With SingularityU NL we’re trying to find a synergy between those two attitudes.

In general, my stories have been well received here. I’m American by origin and have a little of that “be crazy” in me. But Dutch people definitely appreciate what I’m trying to do with Radically Open Security. I have to say that I’ve got nothing but an extremely warm and positive reception here.

 

What are your expectations for the Summit?

I’d be curious to know why you’ve come to the Summit. What is it that you hope to learn? Who are you and what do you want to take away from this?

I’m looking forward to the other speaker stories. Some of the stories I know, others I haven’t heard yet. So I’m looking forward to learning from the content during the Summit.

 

Why do you think people should come to the Summit?

CEOs are coming to the Summit because they want to know how to future proof their businesses. There’s a lot of different areas of technology that are rapidly changing and part of the utility of this summit is that we can show what’s happening at the very fringes, the absolute edges of forward thinking research. CEOs can then take these things into account and work that into their longer term strategies.

I think there’s a lot of smaller individual stories. The fact that technologies are changing quickly, Moore’s law and all that, is not a surprise. That’s not what the Summit is about. This Summit is about a number of different individual people’s stories. Each of them is on the forefront of their field, pushing the boundaries of research and of the way that people think. That’s the part that is going to add value (to me). Not just yet another description of Moore’s law.