Stena AB - The Key to Success in Information Security

Written by Maria Svanberg. Reading time: 4 min.
Leading information security work in a global group presents unique challenges. Stena AB is a good example of this. A key issue has been to find a way to support all areas of information security. Here, the Stratsys GRC tool has been crucial.


What is the key to successful information security work in a global group? Many organizations are struggling to get a unified approach to managing risk while meeting increased demands.

Someone who knows what this means is Magnus Carling, who works as Chief Information Security Officer (CISO) at Stena AB. Not only is he an experienced CISO, but he also has 29 years of experience within Stena AB. That experience comes in handy in a group that faces everything from regulatory complexity to cross-border threats.

Self-Governing - Except in Information Security

Stena AB is one of three groups in what is known as the Stena sphere, and it is a big business not only in terms of turnover - SEK 50 billion - but also in breadth. Stena AB operates in a number of areas, including ferry services, oil drilling, shipping and real estate, as well as other holdings such as garden centers.

This large and complex group is largely based on a principle of self-governance. The owner very much wants the businesses to run themselves. This means that the businesses manage their own work as much as possible. This is the case, for example, with purchasing or with HR work, where there are 20 departments in total.

But there is one important exception, according to Magnus:

- When it comes to security, we are aware that we are never better than the weakest link. For the bad guys, it's enough to find a way in. It's like a house where you put locks and alarms on the basement window and all the doors. But if the upstairs window is open, there is a way in.

There are many ways into a complex business. So it doesn't work to let everyone take care of security themselves, according to Magnus. That's why Stena has decided to work centrally on the issue.

Magnus Carling, Chief Information Security Officer at Stena AB

Stratsys Simplifies and Relieves

In a large group like Stena AB, a key question is how to support all areas of information security. Here, the Stratsys GRC solution is absolutely crucial to success, says Magnus.

The philosophy is to use the tools that are available instead of buying new ones. The solution is to use a tool that supports more than one area, which is what Stena gets with Stratsys.

- Thanks to Stratsys, we have internal control, we work with balanced scorecards and have started working with the Stratsys product for information security. We have also looked at the functionality linked to evaluating third-party suppliers that is now available in Stratsys.

Stratsys simplifies a lot. It is extremely valuable in a complex environment.


The choice of Stratsys within GRC means a considerable simplification and relief. Organizations only need to respond to the requirements once, even if a requirement happens to exist in several frameworks. This means a considerable simplification in such a complex environment as Stena AB.

Thanks to Stratsys, employees no longer have to manually enter data or rely on Excel documents. Instead, much of the work is done automatically, which also makes it easier to achieve compliance within the organization.

Information Security Management System

At the center of the work is Stena AB's information security management system, which is based on ISO/IEC 27000. The work follows a multi-step model.

- The first step is risk analysis, where we map needs and vulnerabilities. We spend a lot of time on this, not least because we are a moving target where a lot happens. That's why we always try to get involved as early as possible in the projects.

Based on the risk analysis, Magnus and his colleagues design policies, procedures and cyber capabilities. This is another challenge, given the size and breadth of the group. They need to review their business areas to assess what is really critical - and how they can be best protected.

The next step in the management system is managing the projects: handling incidents, but also follow-up, in the form of both general controls and a number of analyses. Through the analyses they find out the outcome. Was there a policy that everyone really understood? Did the companies do what they should in terms of procedures?

Last but not least, it's about rolling out updates and improvements and analyzing their capabilities. The model works like a wheel, where you then go back to trying to understand the activities and move forward from there.

For a group as huge as Stena AB, it is important to be proactive at all times. Criminal actors have a lot of time and money, are very innovative and good at finding new approaches. It is a constant tug of war.

Risk Work at Several Levels

To manage security work, Stena AB has a steering group at group level, where overall decisions are made. Above all, however, Magnus and his colleagues work directly with the various companies.

Risk work linked to companies is managed by information security committees. The activities are then handled by teams that coordinate the work, which include employees from the various companies.

- We don't always work so formally. Sometimes we work with informal groups and sometimes just with stakeholders. Most of the work happens at the team level, where we work more hands-on with IT security staff.

Compliance - a Priority Issue

What challenges are there at Stena AB linked to the work with information security? The threats come from several different directions, internally but also externally.

Today there are more disruptions than ever. Magnus points out that there are around 100 states in the world with the offensive capability to attack each other. The motive can be both disruption and making money. In the latter case, it may also involve criminals who engage in ransomware, for example.

Compliance is an area that Magnus identifies as a priority issue:

- There is a lot to consider in the regulatory area, from GDPR to NIS2 and the AI Act, and the EU goes a long way in terms of fines and compliance requirements. Basically, though, requirements are a good thing, given how difficult it is to secure such a complex environment. In this way, the EU is giving us a boost, for which we are grateful.

Requirements for Suppliers with Stratsys

The supplier issue is one of the biggest challenges today. It is not only about the number of suppliers, but also about how difficult it is for suppliers to protect themselves.

Success is about setting requirements for suppliers and auditing them effectively, because all suppliers handle Stena's information in one way or another. This is an issue that is currently being looked at within the framework of the Stratsys work, says Magnus.

Although the work on information security never ends, one thing is clear. At Stena AB, they have come a long way.

If you want to know more about how Stratsys can help you with your information security work, contact us and we will be happy to tell you more. You can also read more about the Stratsys product for Information Security and Privacy here.

Magnus's Advice for Succeeding in Information Security:

  1. Focus on risk. Be consistent in what you focus on in your work.
  2. High integrity. Deliver truths even if they are uncomfortable to hear.
  3. Security aligned with business goals. Don’t just say no. Instead, ask yourself how long it takes to say yes.
  4. Allow local adaptations. Even with high demands, exceptions can be allowed if there are good reasons.
  5. Management anchoring. Support is extremely important to gain impact in the organization.
  6. Security culture. Awareness is good, but a cybersecurity culture is crucial. Create a learning culture that makes employees want to report.
  7. GRC tools. Last but not least, it is important to ensure that you have a good tool to manage the work.