Ahead of the Nordic Cyber Security Summit, we met with Ingegerd Wirehed, CISO at Lund University, for a quick discussion on the state of cyber security in the Nordic region today.

Read on below for the full interview!


Please introduce yourself and tell us a little about your background.

After 25+ years’ experience in business, IT and information security leadership positions in global Mobile phone industry/digital, Retail home, Pharmaceutical and local retail banking, I am now a CISO at Lund University in Sweden (for the past three years). I am tasked to establish and roll out information security, gov., risk and compliance in our organization (ISMS). Previously delivered Information Security Management system program (ISMS), cyber-, risk and Awareness programs, as well as IT services and operations. This meant running with transformation assignments in complex, agile, global and multicultural organizations and teams. I especially enjoy people leadership with coaching and mentoring.

What do you think are the biggest cyber security risks affecting the Nordic businesses today?

I believe the main risks are:

  • Risk #1, the confusion and low maturity in the cybersecurity industry
  • Risk #2, when unsuccessful in taking a systematic and a holistic approach to both operational IT-risks as well as strategic business risks, with top management involved
  • Risk #3, insufficient or inadequate cybersecurity risk knowledge and competence on board
  • Risk #4, lack of business continuity plans and recovery plans when you are hit by a cyber-attack

What do the next 5 years hold for your industry?

The public sector in Sweden is, as other sectors, affected by the political arena and situation in the world. Changes in our surroundings happen fast, and in cyber security risk five years is a long time to forecast.

Higher education must:

  • Make sure we can protect students’ and others’ sensitive personal information
  • Better define and apply appropriate risk management of research data and research results, based on its defined value
  • Improve how information security and cyber integrates with the perspective and expectations on “Open data” (research data) in Europe and globally
  • Better understanding of how cost and investments in cybersecurity are required to keep a strong reputation and be a trusted sector long term

Can you give me a taster of the main point you are going to make onstage?

If cybersecurity is not on your top management’s agenda continuously with fruitful and informed conversations and decision making, that is where you should start. Make sure they are presented with a fact-based status of your security controls.

What is your top advice for other cyber security professionals?

My advice would be to first focus on security risks and cyber resilience: Rather than relying on a compliance checklist, prioritize strategies to establish cyber resilience. Provide three capabilities:

  • Prevent: To defend against the most prevalent cyber threats facing higher education institutions, use proactive information security controls, such as network security and endpoint protection
  • Mitigate: To minimize the impact of a breach, implement reactive security controls, such as intrusion detection systems and incident response procedures, to detect and respond to attacks that bypass the preventative controls
  • Sustain: To ensure the cyber and information security program has adequate funding and leadership supports it, establish an effective information security governance framework, security policies and procedures, reporting metrics, and staffing plans (ISMS)

Secondly, when communicating security improvement goals avoid pointing at compliance requirements.

Relying only on these to justify the security program might backfire. Instead, start with…

  • Agreeing on definitions and arena; IT-security, the CISO’s scope, role and mandate, Information security, cybersecurity. Communicate with and educate top management and the board so they use the same words for the same things
  • Performing inventory of status of protection, security controls, competences, service providers’ security and take control of and learn from incidents

What are you most interested in exploring and learning about this year, cyber security wise?

How we handle the urgent lack of skilled and competent resources in the industry?


Catch Ingegerd at Nordic Cyber Summit on 4th – 5th October as she participates in the panel discussion: ‘How Can Nordic Organisations Close the Cyber Security Gap in the Most Pragmatic and Cost-efficient Way?’! Join us for her session and enjoy live Q&As throughout the summit by registering for FREE online with code: CYBER-VIP at nordic.cyberseries.io/register/.