When looking at how Sweden deals with digital security issues and challenges, two question stands out: when are we going to embrace the fact that a secure digitization is not a project, but a process? And when are we going to approach this challenge holistically, not only on a governmental level?
Looking at the latest statement from the Swedish Security Service, listing 7 threats to national cyber security makes me realize that it lacks establishment where it needs to be fermented – in the society as a whole. And where is the leadership in these matters?
An extract from the Security Service report below highlights what in my eyes is an ancient approach to security and digitization in our digital society.
“1. Protection-worthy activities are becoming increasingly vulnerable. The security protection of the authorities has not increased at the same pace as technological developments have given State actors and ideologically motivated actors increased abilities. Swedish Security Service believes that security protection must be improved.”
As a nation we tend overlook the need to conduct a secure digitization. The section outlines the risk of digital separation and the risk to alienate a huge audience in society as it turns to state organisations and ideological motivated – not to the society as a whole. Digitization and security development are out of pace. It is so because the lack of understanding that a secure digitization on a root level is about behavioural change, risk management and foremost raising awareness. A secure digitization is not the responsibility of the state organisations and the ideological motivated. It is everyone´s responsibility.
To be fair, the Swedish Security Service and a numerous of law enforcement, armed forces and intelligence services in Sweden is starting to cooperate. Not only with each other but even reaching out to the public and this is good and imperative. You need to get “everyone on board” with a secure digitization. The problem, however, is the lack of a realistic vision and leadership from the one supposed to lead us a nation – the Swedish Digitalisation Council.
The government has stated that Sweden is to be number one in digitization. We have the aim to rule the digital waves if you will and serve as a role model to others. There is no point to have this focus, a secure digitization is of more interest than being the best but without security. Furthermore, nowhere in this proclamation by the council is there a definition as to what cost? And there is more, nowhere is there a clear definition as to whom is responsible for what.
In our neighbouring country Norway, it is a different setting all together – actors, state or private, report readiness to embrace their responsibility in order to be a part of the cyber security defence. They also have a more holistic view how security awareness is conducted, and more importantly, how it is spread. In Norway 2/3 of all employees is a part of or have taken part of digital security awareness processes – simply a modern and mature approach to security. In Sweden that number is ¼ at best.
My conclusion of this is clear. Security is not something you have it is something you do. And to do security you need designated leaders create a mature security culture where security by maturity rather than security by obscurity.
- We need to acknowledge that digital security awareness needs to reach out and involve all. And we need to start now
- We need to educate the board members, public and private, in digital security awareness. High Value targets seems to believe they are bullet proof. They are not
- We need to understand that dealing with awareness is a process without end-date. A lesson or a project has an end-date. Security awareness is a process in order to have a systematic and mature approach to digital security.
The internet of things is more likely to be internet of threats if we all, globally, not starts to recognise that this is a challenge for the digital society, not a governmental responsibility. But in order to get on board with this mindset, the ministers need to start act like leaders and designate the point of origin – where do we start, who is responsible and to what cost.
Robert Willborg, Junglemap