2026-06-04 –, Track 1
Cybersecurity has an uncomfortable relationship with the truth. We know what needs to be done. We've known for decades. And yet we keep clicking "Remind Me Later," ordering the triple bacon burger with a diet coke on the side, and waiting for the world to change.
In this talk I cut through the comfortable narratives we tell ourselves and force us to confront what's actually holding us back. Drawing on the history of threats — from the 1989 AIDS Trojan to AI-powered ransomware and voice cloning — I argue that there are no genuinely new threats, only new dimensions of old ones. The real problem isn't the threat landscape. It's us.
Security is inconvenient. Its benefits are invisible. Users click "Remind Me Later" not because they're reckless, but because we've failed to make security work for people. Meanwhile, the window for action on post-quantum cryptography is narrowing, AI is making impersonation fraud scalable in ways never seen before, and geopolitical tensions are reshaping the attack surface whether organisations are ready or not.
I'm not offering a silver bullet — because there isn't one. Instead, I'll ask the harder question: what inconvenient truth are you still avoiding?
Opening — Why people prefer comfortable lies over uncomfortable truths, and what that means for security culture
Truth 1: Security itself is an inconvenience — The human behaviour gap; why awareness campaigns alone don't move the needle
Truth 2: The benefits of security are invisible — The problem of preventative value; how to make the invisible visible to leadership
Truth 3: There are no new threats, only new dimensions — Ransomware from 1989 to today; how GenAI adds scale and capability rather than entirely new attack categories
Truth 4: Some dimensions genuinely change the game — Voice cloning and digital twins threatening biometric authentication; real-time deepfake fraud; the KnowBe4/North Korea infiltration case
Truth 5: Refusing to act creates compounding risk — The Snowflake 2024 breach as a case study in avoidable failure; MFA and credential hygiene basics we keep skipping
Truth 6: The quantum clock is ticking — Why the post-quantum cryptography transition can't wait; the narrowing window for crypto agility
Truth 7: We don't control our entire environment — IoT, supply chain, geopolitics, and the limits of what any single organisation can secure
Closing — Turning the question back to the room: what inconvenient truth are you missing?
Nicole van der Meulen is an experienced professional and thought leader in the area of cybercrime and cyber security. Currently she serves as Cyber Security Innovation Lead at SURF. Previously she was the Head of Policy & Development at Europol’s European Cybercrime Centre (EC3), where she was responsible, amongst others, for the Internet Organised Crime Threat Assessment (IOCTA). Prior to Europol, she held various positions in the Dutch public sector, academia and for nonprofit organisations all focused on enhancing the fight against cybercrime and improving cyber security. She obtained her PhD in 2010 from Tilburg University on a comparative study focusing on digital identity fraud in the United States and the Netherlands.