"Cybersecurity is not black magic"

The company Radically Open Security is radically different and radically open. Exactly like co-founder and CEO Melanie Rieback herself, in fact. Defiant and heading on her intuition and ideals, she has proven that it can be done: a successful non-profit cybersecurity consultancy. Radically Open Security tests clients' cyber resilience, provides security training and is called into cyber attacks. Everything is done as transparently as possible and the software developed is open-sourced online. In addition, the company donates ninety percent of all profits to the NLnet foundation, whose mission is an open Internet for all.

Both her parents worked at Bell Labs in Florida, so you could say she was brought up with IT. "They are both retired now, but they taught me a lot about computers and programming early on," Rieback says. Yet engineering was not her first choice. She hesitated about studying music ("I had a great passion for the oboe"), but her parents thought she should become a lawyer or a doctor.

Human genome

"I knew I didn't want to become a lawyer in any case, so I started studying biology at the University of Miami. American universities have a broad undergraduate curriculum and so I took my first course in computer science. I found that extremely interesting. All my friends went to medical school after undergrad, but I needed time to think about what I really wanted. I applied for a job at the Human Genome Project at MIT. There I worked on mapping the human genome, very interesting. But I found out that just an undergraduate degree won't get you very far. I also realised that I wanted to travel."

Millennium change at Dam Square

So she went backpacking across Europe. She celebrated the turn of the millennium on Dam Square in Amsterdam, where she counted down the last 10 seconds of the century in Dutch. "That planted the seed. When I was back in the US, I started learning Dutch from a cassette tape. But maybe I needed to live in the Netherlands for a while, to learn the language properly? I could do a master's degree in computer science at TU Delft. When I told my parents, they were furious: you're leaving MIT to go where?!"

The first RFID virus

After her studies, Rieback got a PhD position at the VU. There, she created the first RFID virus to demonstrate the security holes in this technology, which is used in passports, among other things. "It became front-page news. I received hundreds of emails, from love letters to death threats and everything in between. Once, when I visited Philips' high-tech campus, the chief privacy officer there said: your research is bad for my company." Treated: "That's when I knew I had really made it."

Camino de Santiago

After working as an associate lecturer at VU University and subsequently as a senior engineering manager at Citrix in Vancouver, followed by a mass lay-off at Citrix, she decides to walk the Camino de Santiago in Spain. In search of what, as a workaholic without a job, she really wants. "I had job offers in Silicon Valley, but that didn't feel right. Then I thought: you know what, I'll look on Facebook where most of the people I love live and I'll go there. And that was Amsterdam."

Suit, tie and fat bill

She got a position there as chief investigator in ING's cybercrime team. "At the time, the bank became a victim of a DDoS attack. All systems were offline. We engaged a cybersecurity consulting firm. The consultants came parachuting in, in their suits and ties. They said: we are the experts, stand back, and we will solve everything for you. And afterwards, you get a report and a fat bill."

Very angry

"I said: if you guys are that good, I'm sure I can learn a lot from you, I'd like to watch. But they didn't want to. They deleted log files and did everything they could to keep their work hidden. I ended up literally looking over their shoulder because that was the only way they couldn't get rid of me. Of course, they work with exactly the same open-source tools as everyone else, but they don't want you to know that. They create the illusion that cybersecurity is some kind of black magic: only they can do it and that's why you have to hire them again and again. The arrogance! It made me very angry. Because when the bank gets hacked, it's not about the bank, it's about all the customers whose data is out in the open."

Weird experience

I can do better than that, thought Rieback, and she quit ING to start Radically Open Security. "I wanted to make my company different, a not-for-profit business. I went to an incubator, but I thought it was a weird experience. On day one, you are shown a PowerPoint with an exponential curve that your profit growth has to meet. And they say your goal is to sell your business. This doesn't suit me, I thought."

Crazy or genius

On the last day of the programme, she had to pitch to venture capitalists. "When I told them I was going to donate 90 per cent of my profits to charity, one of the investors said: either you are crazy or you are a genius. Another said: you are not starting a company, you are starting a movement." Everyone declared me crazy, but by the second year we were profitable and I could pay myself a director's salary until I was back to the level of what I was earning at ING."

Post Growth Entrepreneurship

Besides running her business, she now advises start-ups, and lectures at the UvA on the sustainable economic model she cannot stop talking about: Post Growth Entrepreneurship. "Draining profits from my business to buy a Porsche is not only unnecessary, it is also not good for the business. You then have less money for research & development, paying your employees properly and lowering prices for your buyers. Costs are passed on to society and the environment."

Meanwhile, Rieback and her company are 10 years on, received many innovation awards, and have furthermore donated over 1 million euros to NLnet. And her parents, seeing her success, are pleased after all with the choices she has made.

Text: Josje Spinhoven
Photos: Vera Duivenvoorden