homepage
Open menu
Go one level top
  • Train and Certify
    • Overview
    • Get Started in Cyber
    • Courses
    • GIAC Certifications
    • Training Roadmap
    • OnDemand
    • Live Training
    • Summits
    • Cyber Ranges
    • College Degrees & Certificates
    • Scholarship Academies
    • NICE Framework
    • Specials
  • Manage Your Team
    • Overview
    • Group Purchasing
    • Why Work with SANS
    • Build Your Team
    • Hire Cyber Talent
    • Team Development
    • Private Training
    • Security Awareness Training
    • Leadership Training
    • Industries
  • Resources
    • Overview
    • Internet Storm Center
    • White Papers
    • Webcasts
    • Tools
    • Newsletters
    • Blog
    • Podcasts
    • Posters & Cheat Sheets
    • Summit Presentations
    • Security Policy Project
  • Focus Areas
    • Cyber Defense
    • Cloud Security
    • Digital Forensics & Incident Response
    • Industrial Control Systems
    • Cyber Security Leadership
    • Offensive Operations
  • Get Involved
    • Overview
    • Join the Community
    • Work Study
    • Teach for SANS
    • CISO Network
    • Partnerships
    • Sponsorship Opportunities
  • About
    • About SANS
    • Our Founder
    • Instructors
    • Mission
    • Diversity
    • Awards
    • Contact
    • Frequently Asked Questions
    • Customer Reviews
    • Press
  • SANS Sites
    • GIAC Security Certifications
    • Internet Storm Center
    • SANS Technology Institute
    • Security Awareness Training
  • Search
  • Log In
  • Join
    • Account Dashboard
    • Log Out
  1. Home >
  2. Blog >
  3. Managing Human Risk Should be a Regular Element on Any Cybersecurity Team
Mari-Svestad-370X370.png
Mari Svestad

Managing Human Risk Should be a Regular Element on Any Cybersecurity Team

Security awareness is an uphill battle and takes time to achieve, but it's very rewarding to see it go in the right direction within your company.

September 23, 2021

Security awareness is an uphill battle and takes time to achieve, but it's very rewarding to see it go in the right direction within your company. More businesses are realizing awareness is a crucial element to managing human risk. Mari Svestad is responsible for cybersecurity awareness within Wilhelmsen Ships Services in Norway. “We’ve gotten security on the map in a fairly short time, which is not an easy task for a company this size.”

Svestad has a background in organizational psychology and leadership. When she first saw the job opening for a Cybersecurity Awareness and Culture Specialist on LinkedIn, her initial reaction was that this was way out of her knowledge scope. “But the Director Security & Governance, Risk and Compliance with Wilhelmsen Ships Services, who put the job on LinkedIn, was very specific about the fact that you didn’t need that much cyber knowledge or extensive IT knowledge. Since that was emphasized, I applied and a few rounds later was employed.” She now understands why deep technical knowledge isn’t needed in this job. “The majority of my work is focused on the human side of things.”

Nudging to establish basic level of understanding

Founded in Norway in 1861, Wilhelmsen is a comprehensive global maritime group, providing essential products and services to the merchant fleet, along with supplying crew and technical management to the largest and most complex vessels ever to sail. The company has around 21,000 employees and over 2200 locations in 70 countries worldwide. Svestad is responsible for increasing the security awareness in the company, a very dynamic and varied job. “The main goal is to get the whole company on board with cybersecurity and one of the most important ways we can do that is through the concept of nudging, which can be really helpful when implementing and managing change.”

She explains nudging means giving little cybersecurity information drops of wisdom everywhere whilst cooperating across divisions, outside of IT, which ultimately will result in an organizational environment far more susceptible to future cybersecurity initiatives. The major challenge in getting people on board is getting individuals who don’t have a general interest for cybersecurity – “which is most people, I’d argue”, Svestad smiles – to understand it is imperative that all employees have a certain level of knowledge on cyber. “You can’t work in a company and not have a basic understanding of cyber. You need to have some foundation. Even if you are with a company that doesn’t classify itself as an IT company. Just look at Maersk. They didn’t view themselves as an IT company, but that one attack made it very clear how dependent they were.” So creating and overall foundational understanding of cybersecurity and getting it through to every employee is a major challenge. For every company.

Identifying and prioritizing human risk

Svestad followed the MGT433: Managing Human Risk course by SANS. “That was a very relevant course for my role, both in terms of just learning elements that can help understand and manage the human factor. But there was also a lot on identifying and prioritizing human risk and how to get the entire company on board with that priority, which was especially helpful for my role in general, and with regards to an extensive cyber risk assessment project that we are currently working on.”

Her background in change management comes in handy and for cybersecurity knowledge, she depends on her team. “My job is tightly linked to risk, as it's in many ways more about assessing where the vulnerabilities lie, which varies for different divisions, and then assessing how to best be able to communicate with the different divisions and different people.”

The SANS course brought Svestad a lot. It gave insight into the way she works and plans things in order to get a higher level of efficiency. “It showed me which areas to spend my time and where not to spend my time.” It also motivated her in an unexpected way as well. “Most of the participants in the course were American. It became very clear to me quite early in the course that this role that I have is more of a commonplace role in America, more so than in Norway or other parts of Europe. When I was employed, there weren’t too many companies in Norway that have this role included in their security team. But when you speak to experts and people outside of Norway that have gotten further than we have, it becomes very clear this position is an essential part of cybersecurity in a company.” She has seen an increase in Norwegian companies creating this role in their team, but it is still a fairly new concept, which makes it all the more important.

Champions Program

One of the key take-aways from the course was setting up a Champions Program. “We are currently building that program and kicking it off in October.” The Champions Program comprises of preparing employees as local cybersecurity gurus. “We get different employees globally with different roles, ranks and geographical areas, so it gives us a representative picture of Wilhelmsen, and we’ll provide them with basic training and fun learnings so they can become a ‘local guru’, wherever they are. So every division and geographical area has a colleague they can go to with regards to cyber.”

One of the lessons Svestad learned in her job is that, because of the novelty of this topic, cybersecurity teams should expect an uphill battle, at least in some areas. “There is not much room for restlessness, it takes time and patience. That is key”, Svestad says. Another takeaway is that it is helpful to use existing stories when trying to get people on board. “When people read about or see what happened to other companies, who maybe haven’t taken cybersecurity too seriously and then experienced an attack, it often makes a lightbulb go off in their minds, because it feels closer to home.” And in terms of awareness initiatives, especially on the learning side: “Keep it fun and short, cybersecurity is still pretty niche, so the learnings shouldn’t be too complex.”

Diversity makes cybersecurity resonate

The fact that Svestad is a female in this line of work is, in a sense, an advantage. “Being a female in cybersecurity, kind of breaks the typical stereotype”, she says. “Even though it is 2021 and we’ve gotten far with diversity, it is very clear that it’s still mostly males in cybersecurity. Being a female could make it, at least for some people, more approachable and relatable. Diversity is very important, especially in cybersecurity. If the workforce is male dominant, it’s not necessarily going to resonate with as broad an audience as it would if it were better mixed. And it’s crucial for cybersecurity to resonate with a lot of people.”

She encourages women to take their chance in the industry, “because it’s a lot of fun and there is so much to learn. Moreover, cybersecurity is not just relevant for companies, but also important for individuals as well, as we live in such a technical world. And because there is still some novelty to this area, it’s very rewarding when you see it go in the right direction.” As she can share from her own experience with Wilhelmsen. “Wilhelmsen has gotten cybersecurity on the map internally in a fairly short amount of time. That is not an easy task for a company this size.”

Share:
TwitterLinkedInFacebook
Copy url Url was copied to clipboard
Subscribe to SANS Newsletters
Receive curated news, vulnerabilities, & security awareness tips
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kingdom of Saudi Arabia
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia (Slovak Republic)
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe

Recommended Training

  • MGT415: A Practical Introduction to Cyber Security Risk Management
  • SEC301: Introduction to Cyber Security
  • LEG523: Law of Data Security and Investigations

Tags:
  • Security Awareness

Related Content

Blog
Security Awareness
February 25, 2022
Russian Invasion of Ukraine - What to Communicate to Your Workforce
Focusing on cybersecurity fundamentals is key to protecting both yourself and your workforce at home and at work during these unprecedented times.
370x370_Lance-Spitzner.jpg
Lance Spitzner
read more
Blog
Security Awareness
January 27, 2022
Engaging Your Workforce in 2022
As we head into a new year, here are some tips on how to effectively engage, train, and secure a remote workforce.
370x370_Lance-Spitzner.jpg
Lance Spitzner
read more
Blog
Security Awareness
December 15, 2021
How to Use Phishing Benchmarks Effectively to Assess Your Program
This initial blog will be a part of a mini-series addressing benchmarks and considerations when utilizing benchmarks to assess your phishing program.
Cheryl_Conley.jpg
Cheryl Conley
read more
  • Register to Learn
  • Courses
  • Certifications
  • Degree Programs
  • Cyber Ranges
  • Job Tools
  • Security Policy Project
  • Posters & Cheat Sheets
  • White Papers
  • Focus Areas
  • Cyber Defense
  • Cloud Security
  • Cyber Security Leadership
  • Digital Forensics
  • Industrial Control Systems
  • Offensive Operations
Subscribe to SANS Newsletters
Receive curated news, vulnerabilities, & security awareness tips
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kingdom of Saudi Arabia
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia (Slovak Republic)
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe
  • © 2022 SANS™ Institute
  • Privacy Policy
  • Contact
  • Careers
  • Twitter
  • Facebook
  • Youtube
  • LinkedIn