Published 21. Oct. 2021

Magnus Solberg: Does Your Organization Have a Robust Security Culture?

What are the building blocks of a strong security culture at an organization? We look to Magnus Solberg, VP & Head of Security Governance at Storebrand, for answers.

Hybrid work models and digital device dependency have greatly increased an organization’s susceptibility to cyber attacks. As these attacks become more intense and complex, cyber resilience and awareness are critical. We speak with Magnus Solberg, VP & Head of Security Governance at Storebrand, on his experience building the company’s security culture, the link between cybersecurity and risk management, and more. 


How are cybersecurity and risk management connected in today’s organizations? 

Cybersecurity and risk management are at this point deeply intertwined. In almost every industry, cyber risk is in the top three categories of both operational and business risks. This is because nearly all critical assets are now digital. Of course, this leads to an enormous number of risks that an organization didn’t have 20 years ago.  

Unfortunately, the sheer speed of this development has caused difficulties for a lot of organizations. This goes down to simple things like definitions of risk, and of static policies and processes. Many governance structures are not rigged for disruptive change, such as “new categories of threats and risks.” I think that anchoring the understanding and competence necessary to include cyber in broader risk management is also a challenge. Beyond tech companies, it’s a fact that the board of directors and to a certain extent, C-suites, do not include technologists, which slows down the adoption of modern risk management. Cybersecurity and risk management are very connected but there is still a long way to go to make them as connected as they should be. 

 

What makes for a robust risk culture beyond the traditional 3LoD? 

As I see it, organizations often put too much emphasis on having a formal three-part structure of control and reassurance, and far too little emphasis on building an actual culture that identifies and steers risk as part of its DNA. Of course, building a strong culture of security – and implicitly, a risk culture – means including all employees, from the CEO to the bottom-rung shift worker, from the service partner to the short-term consultant. Including all the human risks and employees is key to making an actual risk-based culture.

You need to really engage the human factor by having a bottom-up approach that enables your employees to think and act in a risk-based approach as a reflex. This can be done by teaching them about threats and potential consequences, by training them to perform not only ad hoc, subconscious risk assessments, but also by giving them the tools to perform more structured and documented assessments – mental tools as well as strong policies and guidelines, and the proper software tools. In my opinion, building a robust security culture is both dependent on and a fundamental ingredient of building a robust risk culture.

 

What are the most effective digital tools and technologies in risk management? 

Can I answer PowerPoint and Excel? Or even the good old whiteboard? [laughs] Of course, I’m only partly joking because I think the biggest revolution in the last couple of years has been the way home officing has exploded the way we utilize collaboration platforms. At the same time, these platforms were forced to provide more robust solutions for things like proper access control, document or file revision history, classification, and of course, API connectivity to other tools. This means that we can get a lot of what we need in terms of managing risks.  

Workshops, creating assessments, performing audits, and even tracking remediation can be done via these platforms. We can use everything from OneNote to the tired but time-tested spreadsheets without losing control because it’s all protected, indexed, and searchable. That being said, I still see the need for a proper enterprise risk management tool that tracks risks, makes people accountable and responsible and of course, pleases our auditors. Exactly which technological solution or which software that should be, I don’t really have any strong opinions about but there are a lot of good ERM tools out there. 

 

Do you think employees are the weakest link when it comes to an organization’s level of cybersecurity? 

It’s irrefutable but it’s the wrong way of looking at it. People are not a simple chain in a link, people are at the nexus of it all. The only reason why we have cybersecurity issues is that there are people out there who are after either stealing, changing, or making information unavailable. No company was ever created simply to be secure: We exist to create services or products for people, and there are people out there who want to benefit illegally from that. Some experts like to say that people are the weakest link, but so is technology. People are the ones configuring that technology or using that technology wrong. Some even have the hubris of buying their way into security, which is equally a weak link. I think putting the blame on people for poor security is misunderstanding the issue completely. You can’t have security without people. But then again, because of people, we need security.

 

What were the biggest challenges during the implementation of Storebrand’s security culture program and how did you overcome them?   

We’ve been at it for six years and we started very much from scratch. When we started, there was nothing in terms of security awareness training, much less a security culture program. There were several challenges that had to do with mid-management buy-in. Although we did have support from the top management, we were also not given an adequate budget or allowed to make the training portion of the program mandatory. The latter made it especially hard to motivate our mid-level managers to introduce this training to their employees. Mid-level management is all about delivering results and eating up their time and resources does not land you on their friend list.  

So, it did take a lot of time and dedication to make them understand that a secure employee is a low-risk employee. As soon as we reached that turning point, it was immensely satisfying, because mid-level managers are key to enhancing the security message to all their employees. But they’re also an important target group, constituting human risks in themselves. As time went on, we could point to concrete results including the avoidance of huge risks due to more risk-aware workers. We finally received an unbroken chain of buy-in all the way from the top and down via the mid-level managers. That ended up landing us a nice budget and made training mandatory. 

 

How did you develop the program’s framework to ensure it was dynamic enough to handle the evolving threat landscape?  

The framework we developed is in its essence dynamic and scalable, because it’s all about answering five fundamental questions: Why are we going to do this? Who are we? What do we need to address? How should we go about doing that? And when should we do it?

In order to answer these questions, we revise and update a number of working documents. For example, we have a program strategy, a target group analysis, and learning objectives based on the current threat and risk landscape. We then test out a lot of different learning platforms and other engagement activities. This is done continuously to allow for emerging risks to be included almost instantly. However, we also do it more formally once every two years, where we do a full audit and revision of the whole program. We’re actually in the middle of doing a full revamp and plan to launch a new version of the program next summer.  

 

How do you measure the program’s success? 

We use a lot of different metrics to measure success and have KPIs linked to distribution, which measures how many employees we reach and how many complete various parts of the training. We have KPIs linked to knowledge where we can see if an employee received and internalized the message. Finally, there are KPIs related to behavior — this allows us to see if training has actually changed risky behavioral patterns.  

Additionally, we perform a group-wide security culture audit every two years, performed by our internal audit function, which, among other things, runs a comprehensive self-assessment that is sent to all employees. With this independent report, we get a clear picture of how we fare with security culture and whether the success of the program addresses our current needs.

Our most recent group-wide security culture audit was completed in January this year, the third one we’ve had in six years. That means we can now begin to accumulate historical data that shows encouraging results. Yes, our employees are more competent, more motivated, and a lot more risk-aware than they were before the program started.  

Finally, another measure of success is a bit more qualitative. It has to do with how the program itself has been received. We do gain a lot of positive attention from both regular employees as well as the high reps. And even externally: My team and I do presentations at various conferences, and for other companies as well, just to share how we have “cracked the human code.” 

 

Can you share some current highlights of the program?    

Yeah, absolutely. As I mentioned earlier, we are in the middle of our biannual revamp. I think one of the best things about maturing the program is its correspondence with the maturing of the organization. We now have various security tools on the technology side that help us create more individually tailored training programs. For example, every employee is invested with a security score, which is automatically defined by their actions — whether they fall for phishing assessments, whether they are reporting incidents, and so on. This also paves the way for rudimentary gamification, and it will be quite fun to see how we can implement that.

Secondly, I’ll have to highlight our security month. This is something we’ve been doing for six years, and it’s been one of the most important boosts to communicate risk and security, and by extension, the security culture program itself. Every October, we skip the focus on corporate security and put the focus on each person instead. “Why is security important for you and your loved ones?” We pull in external speakers every week to address some common people security problems, such as social media, digital tracking and manipulation, and fake news. We also have weekly security quizzes that are a bit tongue-in-cheek as well as having great prizes. We do hackathons, we do cool stunts such as “hack yourself” competitions, and we do physical stands with security cupcakes. It’s a lot of work, but very fun.

One of our goals is to make our employees more secure at home, which means they are going to be more secure at work. But also, it has to do with simply marketing our security efforts by getting out there and meeting people. It makes security, if not fun, then at least interesting, because for a lot of people security is boring, or they think it has nothing to do with them.  

On a personal note, I felt we were getting somewhere a couple of years ago when I was invited to do a three-hour workshop on building our security culture program at the security conference in the EU parliament in Strasbourg. Knowing that we built something that works and helping other organizations do the same makes me very happy and fulfilled.

 

*The answers have been edited for length and clarity. 
