Cybersecurity from a Boardroom and Executive Perspective
Dear Board Members and Management in Public and Private Enterprises
IT and OT security are among the biggest challenges we face today, both in the public and private sectors. As leaders, we have a responsibility to understand and manage these risks. With this text, I aim to provide insight into how we can address the most pressing challenges – and ensure that we do not fall into the most common traps. We must move away from the “tick in the box” syndrome and focus on concrete actions – on what and how. This is a leadership responsibility.
My Personal Experience
A few years ago, I almost panicked when I grasped the deeper level of how exposed we were as a company and the dimensions that must be addressed in practice to reduce IT security exposure. From a board and management perspective, IT security must cover three main areas:
- Preventing business disruptions
- Saving time and costs
- Improvements and compliance
I have a degree in business economics and have worked in the technology industry for about 25 years. Over time, I have stepped into top executive roles, gradually distancing myself from the details as the technology landscape evolves rapidly. My panic-stricken realization stemmed from our move into the market with services for managing critical infrastructure for customers. My fear was rooted in the possibility that we were not going deep or specific enough, which could lead to future obstacles due to external threats damaging or crippling our infrastructure – thereby hindering our deliveries and customers.
There is a lot of talk about security and compliance. However, much of it remains superficial because we do not truly understand the issues and often draw conclusions based on flimsy grounds. Many also suffer from the “tick in the box” syndrome, where the reality leaves a significant gap between intention and practice. The challenge of going deep enough is complex, but key factors such as knowledge, capacity, agendas, naivety, culture, and risk appetite are central to the equation.
In this context, I focus on knowledge and areas that are often under-communicated at the leadership level. There is a tendency to settle for headlines and buzzwords. To move beyond seminar and conference mode, we need to become concrete about these topics.
Ambition and the Ability to Be Concrete
There are many misunderstandings and conceptual confusions. The goal is not to navigate this jungle but to highlight areas that are often underestimated, where weaknesses are greatest – even in environments that focus on security and take the topic seriously. Discussions rarely lead to the right outcomes if they are framed in binary terms. Everyone understands there are nuances, but sometimes we need to simplify to spark discussions and possibly even friction.
Let’s raise the ambition for IT security. On a scale from 0 to 10, a score of 7 is not good enough. The perception that reaching a 9 is prohibitively expensive must be challenged – though it is largely true if a company believes it can handle the full spectrum alone without external assistance.
If we agree on the ambition level, there are some areas where weaknesses stand out more as we move beyond the basics and the obvious. In no particular order:
1. Asset Management
This includes all hardware and software connected to the infrastructure. Challenges include maintaining a comprehensive overview, managing versions/upgrades, usage, and configurations. If the assumption holds that a chain is only as strong as its weakest link, then lacking control over devices connected to the infrastructure poses a significant risk. Often, the greatest risks lie in the more peripheral areas.
2. Ongoing Threat Intelligence
Monitoring threats and deviations, and understanding the necessary actions based on collected information. Given the complexity of the modern threat landscape – where threats can originate from unknown adversaries – it is naive to think that this can be managed alone.
3. Operational Technology (OT)
The focus is typically on IT, but vulnerabilities may be more pronounced in areas not traditionally classified as IT. OT environments often consist of a jungle of devices that are part of the digital infrastructure, creating an under-communicated vulnerability. Authorities are trying to regulate this through frameworks like NIS2, but regulations alone do not solve practical challenges. These are ticking security time bombs connected to business infrastructure, often entering through so-called backdoors.
4. Dark Web Monitoring
There is significant activity in a grey market that exploits commercial opportunities far beyond the fundamental values we uphold in the Western world. This market is not geographically defined. Proactively monitoring these activities can significantly reduce risks.
5. Alarm Management
IT departments are bombarded with an overwhelming volume of alerts. Without active systematization, responses become random, and sophisticated threats can slip through. The time required to gain an overview can prove fatal.
6. Cloud Security
To balance costs, efficiency, and capabilities, most businesses utilize a combination of cloud services and internal structures. This hybrid model introduces additional security challenges and attack surfaces that are easy to underestimate.
7. Compliance
Risk reporting must be structured in a format that serves as an effective management tool, enabling efficient handling of regulatory requirements, documentation, analysis, and timely responses to incidents. The board holds responsibility but often lacks direct control.
It’s Possible to Make Significant Progress – Knowledge and Willingness
Has my initial panic subsided? Yes. No one can provide absolute guarantees, but by securing the extremes of the value chain, we manage risk for both us and our customers. We receive approximately 1.5 million events per second from our customers. The sources are diverse. The interplay between technology, people, and processes is critical to ensuring security and maintaining the integrity of critical infrastructure. A systematic and holistic approach is essential for success.
We live in a complex world where security threats are broadening in scope. As a society, no single entity can do everything, but everyone can contribute to improving the overall security landscape.
As an organization – whether in the public or private sector – our focus is on business development, executing strategies, and achieving our goals. We want to avoid missed opportunities, and IT security poses a significant threat to our ambitions. To counter this, we need a security strategy that is comprehensive and robust.
Do you have a few soldiers, a platoon, or an entire defense force? The real threats lie in the details. “Good enough” should be a conscious decision, and we must not underestimate the strength of elements historically considered minor. Understanding the details and knowing where to apply extra focus has been my priority in this discussion. It starts with ambition and ends with leadership.
Jarl Øverby
Group CEO, NetNordic Group