Security awareness is an uphill battle and takes time to achieve, but it's very rewarding to see it go in the right direction within your company. More businesses are realizing awareness is a crucial element to managing human risk. Mari Svestad is responsible for cybersecurity awareness within Wilhelmsen Ships Services in Norway. “We’ve gotten security on the map in a fairly short time, which is not an easy task for a company this size.”
Svestad has a background in organizational psychology and leadership. When she first saw the job opening for a Cybersecurity Awareness and Culture Specialist on LinkedIn, her initial reaction was that this was way out of her knowledge scope. “But the Director Security & Governance, Risk and Compliance with Wilhelmsen Ships Services, who put the job on LinkedIn, was very specific about the fact that you didn’t need that much cyber knowledge or extensive IT knowledge. Since that was emphasized, I applied and a few rounds later was employed.” She now understands why deep technical knowledge isn’t needed in this job. “The majority of my work is focused on the human side of things.”
Nudging to establish basic level of understanding
Founded in Norway in 1861, Wilhelmsen is a comprehensive global maritime group, providing essential products and services to the merchant fleet, along with supplying crew and technical management to the largest and most complex vessels ever to sail. The company has around 21,000 employees and over 2200 locations in 70 countries worldwide. Svestad is responsible for increasing the security awareness in the company, a very dynamic and varied job. “The main goal is to get the whole company on board with cybersecurity and one of the most important ways we can do that is through the concept of nudging, which can be really helpful when implementing and managing change.”
She explains nudging means giving little cybersecurity information drops of wisdom everywhere whilst cooperating across divisions, outside of IT, which ultimately will result in an organizational environment far more susceptible to future cybersecurity initiatives. The major challenge in getting people on board is getting individuals who don’t have a general interest for cybersecurity – “which is most people, I’d argue”, Svestad smiles – to understand it is imperative that all employees have a certain level of knowledge on cyber. “You can’t work in a company and not have a basic understanding of cyber. You need to have some foundation. Even if you are with a company that doesn’t classify itself as an IT company. Just look at Maersk. They didn’t view themselves as an IT company, but that one attack made it very clear how dependent they were.” So creating and overall foundational understanding of cybersecurity and getting it through to every employee is a major challenge. For every company.
Identifying and prioritizing human risk
Svestad followed the MGT433: Managing Human Risk course by SANS. “That was a very relevant course for my role, both in terms of just learning elements that can help understand and manage the human factor. But there was also a lot on identifying and prioritizing human risk and how to get the entire company on board with that priority, which was especially helpful for my role in general, and with regards to an extensive cyber risk assessment project that we are currently working on.”
Her background in change management comes in handy and for cybersecurity knowledge, she depends on her team. “My job is tightly linked to risk, as it's in many ways more about assessing where the vulnerabilities lie, which varies for different divisions, and then assessing how to best be able to communicate with the different divisions and different people.”
The SANS course brought Svestad a lot. It gave insight into the way she works and plans things in order to get a higher level of efficiency. “It showed me which areas to spend my time and where not to spend my time.” It also motivated her in an unexpected way as well. “Most of the participants in the course were American. It became very clear to me quite early in the course that this role that I have is more of a commonplace role in America, more so than in Norway or other parts of Europe. When I was employed, there weren’t too many companies in Norway that have this role included in their security team. But when you speak to experts and people outside of Norway that have gotten further than we have, it becomes very clear this position is an essential part of cybersecurity in a company.” She has seen an increase in Norwegian companies creating this role in their team, but it is still a fairly new concept, which makes it all the more important.
One of the key take-aways from the course was setting up a Champions Program. “We are currently building that program and kicking it off in October.” The Champions Program comprises of preparing employees as local cybersecurity gurus. “We get different employees globally with different roles, ranks and geographical areas, so it gives us a representative picture of Wilhelmsen, and we’ll provide them with basic training and fun learnings so they can become a ‘local guru’, wherever they are. So every division and geographical area has a colleague they can go to with regards to cyber.”
One of the lessons Svestad learned in her job is that, because of the novelty of this topic, cybersecurity teams should expect an uphill battle, at least in some areas. “There is not much room for restlessness, it takes time and patience. That is key”, Svestad says. Another takeaway is that it is helpful to use existing stories when trying to get people on board. “When people read about or see what happened to other companies, who maybe haven’t taken cybersecurity too seriously and then experienced an attack, it often makes a lightbulb go off in their minds, because it feels closer to home.” And in terms of awareness initiatives, especially on the learning side: “Keep it fun and short, cybersecurity is still pretty niche, so the learnings shouldn’t be too complex.”
Diversity makes cybersecurity resonate
The fact that Svestad is a female in this line of work is, in a sense, an advantage. “Being a female in cybersecurity, kind of breaks the typical stereotype”, she says. “Even though it is 2021 and we’ve gotten far with diversity, it is very clear that it’s still mostly males in cybersecurity. Being a female could make it, at least for some people, more approachable and relatable. Diversity is very important, especially in cybersecurity. If the workforce is male dominant, it’s not necessarily going to resonate with as broad an audience as it would if it were better mixed. And it’s crucial for cybersecurity to resonate with a lot of people.”
She encourages women to take their chance in the industry, “because it’s a lot of fun and there is so much to learn. Moreover, cybersecurity is not just relevant for companies, but also important for individuals as well, as we live in such a technical world. And because there is still some novelty to this area, it’s very rewarding when you see it go in the right direction.” As she can share from her own experience with Wilhelmsen. “Wilhelmsen has gotten cybersecurity on the map internally in a fairly short amount of time. That is not an easy task for a company this size.”