Michiel van Veen


KPMG in the Netherlands

Michiel is a director at KPMG IT Advisory Netherlands. He leads the Cyber Assessments team, consisting of 15 cyber security specialists who perform technical IT advisory engagements, IT auditing and management of IT infrastructure, IT processes and IT organisations. Michiel leads large and complex cyber assessment engagements, such as security testing and security audits, executed worldwide for a wide range of (inter)national clients.

Michiel has more than 15 years of experience in Information Protection and Business Resilience for companies in various industries, guiding C-suite executives to gain the right insights into the realistic risks that really matter, in order to implement effective and targeted measures. With his knowledge and experience, Michiel leads the 'Cyber in the Audit' initiative, with the aim of properly addressing cyber security risks in financial statement audits.


  • Strategic cyber transformations, roadmaps and programmes 'from bit to board'.
  • Cyber Maturity Assessments, to determine the current and target maturity of the organisation's governance, processes and technical measures.
  • Cyber Capability Assessments, to test governance, processes and technical measures in a holistic manner, linking technical issues to root causes at board level.
  • Cyber in the Audit, to address cyber security risks in the context of audits of financial statements.
  • IT audits, providing assurance on control frameworks such as NIST, ISF, COBIT, ISO27001, ISAE3402, etc.
  • Complex evaluations of application landscapes on protection, detection and response measures.
  • Deep technical specialist cyber assessments, such as:
      ◦ Red-teaming & black-, grey- and white-box internal and external penetration testing to detect weaknesses and vulnerabilities in IT infrastructures (e.g. databases, servers and networks) and (web) applications.
      ◦ Technical analyses of mobile and web applications, including reviews of source code (web, .NET, C++, Java) and architectures for application security.
      ◦ Analyses of security configurations (network, operating systems, databases, applications).

Training & certifications

  • GPEN (GIAC Penetration Tester) since 2016
  • CRISC (Certified in Risk and Information Systems Control) since 2015
  • RE (Register EDP-auditor) since 2010
  • Certified PRINCE2 Practitioner since 2010
  • PRINCE2 Foundation since 2010
  • CISSP (Certified Information Systems Security Professional) since 2009
  • CISA (Certified Information Systems Auditor) since 2009
  • EMITA (Executive Master of IT Auditing, Erasmus University Rotterdam) since 2008
  • MSc (Master of Business Information Technology, University of Twente) since 2006
  • Ing. (Ingenieur) in Computer Science, Saxion Enschede, since 2002