CXO / IT Leadership

At Dutch Rail, CIO-CISO Partnership Is Paramount for Cybersecurity

CISO Dimitri van Zantvliet on New Cybersecurity Target Operating Model
At Dutch Rail, CIO-CISO Partnership Is Paramount for Cybersecurity
Dimitri van Zantvliet, CISO of Dutch Railways

Dutch Railways, also known as Nederlandse Spoorwegen or NS, is a prominent state-owned passenger railway operator in the Netherlands that serves over a million passengers each day through its vast network of tracks. It is one of the world’s finest railway systems, with an enviable record for customer experience - 77% customers gave it a 7 or higher rating in 2022. In recent years, NS has evolved into a digitally-matured company, offering a range of online services, such as ticket sales, mobile ticketing and real-time travel information. The company has also invested in smart ticketing technologies, contactless payment and automated train control systems. To further enhance its operational efficiency, NS employs predictive maintenance technology based on sensors and analytics to minimize downtime and maintenance costs.

See Also: Endpoint Security Essentials for the C-Suite: An Executive's Digital Dilemma

During this exclusive interview with Information Security Media Group, Dimitri van Zantvliet, CISO of Dutch Railways, discussed several emerging cybersecurity challenges that NS faces and the proactive measures the company has taken to address them.

Edited excerpts below:

Railways is part of critical infrastructure. How do you manage the IT and OT integration and the challenges emerging from it?

Ensuring the secure and efficient operation of railway infrastructure requires effective management of the integration between IT and OT systems. At NS, we recognize the critical role that both systems play in our operations and take a holistic approach to their integration. However, we face a range of challenges, including the complexity and diversity of our infrastructure, efficient communication within the IT, IoT and OT systems, as well as ensuring the safety of outdated systems and the security of real-time data. To address these challenges, we have implemented various measures to ensure the secure integration of our IT and OT systems.

Network SegmentationAccess ControlEncryption Continuous Monitoring
We have implemented network segmentation to separate our IT and OT systems, ensuring that any compromise of one system does not affect the other. We are building in next-gen firewalls with anomaly detection capabilities on our trains as we speak. We use strict access control measures to limit access to our systems and data, ensuring that only authorized personnel can access sensitive information.We use encryption to secure data in transit between our IT and OT systems, ensuring that any sensitive information is protected from interception or compromise. We continuously monitor our systems and networks for any signs of compromise or abnormal activity, allowing us to detect and respond to threats quickly.

With the growing footprint of cloud and APIs, how critical is it to apply the principles of zero trust network architecture? Where is Dutch Rail in its zero trust journey?

Zero trust is a critical element of our overarching cybersecurity strategy. We have made significant headway in implementing some of its key tenets. So far, we have implemented multi-factor authentication, robust identity and access management and cloud access security brokerage solutions. In line with our zero trust journey, we have also implemented logical microsegmentation and continuous monitoring to proactively thwart malicious attacks. Going forward, we intend to enhance our zero trust capabilities further by introducing more granular access controls, leveraging security orchestration, automation and response, and adopting a risk-based approach to security.

The partnership between a CIO and CISO is a crucial aspect in today's enterprises. To fulfil the digital transformation goals of Dutch Railways, how do you collaborate with the CIO?

At NS, the relationship between the CIO and CISO is based on trust, collaboration and a shared vision of creating a secure, future-proof digital ecosystem. Both the CIO and CISO are integral members of the executive committee and participate in several steering committees. We share a direct reporting line to the CFO, making their partnership all the more critical.

Recently, the CISO's role was elevated to a separate directorate, underscoring the importance of cybersecurity in NS's digital transformation journey. As part of this journey, the company is drafting and implementing a new cybersecurity target operating model to keep pace with evolving transformation objectives and stay ahead of potential security threats.

But integrating security into every aspect of digital transformation initiatives is no easy feat. It requires close collaboration between the cybersecurity and business IT teams, ensuring that security and privacy considerations are part of the planning process. There's also the challenge of balancing the need for security with innovation and agility. As NS adopts new technologies, it's essential to do so in a way that doesn't compromise the security of their systems and data. To achieve their digital transformation goals, NS works closely to ensure that technology initiatives are implemented with security in mind from the outset.

Finally, what is your vision as CISO of Dutch Rail, especially when it has been elevated to a separate directorate?


As CISO, my vision is to prepare NS to withstand any of the evolving cybersecurity threats and risks. My charter is to put a robust and effective cybersecurity program in place that is well-integrated into all aspects of business operations. In order to achieve it, there are several key areas that we’re focusing on:

  • Maintain a risk-based approach to cybersecurity: Continuously assessing risks, identifying potential threats and vulnerabilities, and implementing appropriate controls to mitigate these risks;
  • Integration of cybersecurity into all aspects of operations;
  • Standardization and centralization of cybersecurity services;
  • Cyber-safe culture program;
  • Be the best cyber employer in the field.

Zantvliet has an experience of more than 30 years as CIO, CTO and CISO. As a CISO at NS, his responsibilities include cybersecurity matters on governance, mobility chains, IT, IoT and OT strategy, and European Railway cyber projects.

About the Author

Smruti Gandhi

Smruti Gandhi

Executive Editor, ISMG

Gandhi has more than a decade of experience in community engagement and incubating industry events. She is extremely proactive in building engagements with communities including CEO, CFOs and CIOs. Prior to joining ISMG, she worked with Dun & Bradstreet and Great Place to Work.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.