As CISO, Christine Bejerasco is not only responsible for the digital security of WithSecure and its approximately 1,100 employees, but also for the reputation of the Finnish security company. How does she choose her priorities?
Christine Bejerasco, CISO of WithSecure, is spared one problem: unlike some colleagues at other companies, Bejerasco does not have to explain the importance of security to the Finnish security company. On the other hand, half of the employees in the company call themselves security experts, and not without reason. How do you choose the right priorities with the resources available, in an organization where everyone has an opinion?
ITdaily: “What does the IT environment you are responsible for look like?”
Bejerasco: “WithSecure has around 1,100 employees and is organized quite modernly. We have a lot of SaaS and are mostly in the cloud. The organization naturally consists of many cybersecurity experts. Most employees have a basic understanding of how attackers can behave and are naturally suspicious of emails.”
“In our industry, we also work with corporate customers who themselves have high and complex requirements. They impose many requirements on us as suppliers and check these through audits. For example, they require us to fill out questionnaires with hundreds of questions, even though we have the right ISO certificates. When such companies become customers, we regularly coordinate with them and evaluate continuously. That’s good, but intensive.”
What are the main priorities at the moment?
Bejerasco: “I always aim for concrete security goals. That’s why I’m a big fan of integrating security into all processes. That’s what I preach, but I also try to put it into practice. For example, I work with finance, HR and R&D to see how we can adapt their processes so that security becomes a part of them.”
“We don’t have a large team, so we have to plan carefully. We also create additional work for these departments. I do believe that this approach is the only way to integrate security sustainably. People don’t have to think about security, it should be part of their job. For example, you can adapt processes for payments so that two pairs of eyes are required every time to approve something. This automatically builds in more security.”
Does the company understand the IT challenges sufficiently? Is everyone always on the same page?
Bejerasco: “The concept varies by department and function. There are many security experts working at WithSecure. Some have decades of experience. This sometimes makes my job easier, but on the other hand, there is no one way to ensure security and there are a hundred opinions and visions on a problem. My job is to choose one, tackle it and tackle the next priority. Not everyone will always agree with the chosen solution.”
“Other departments sometimes have it even more difficult. For example, if the HR department puts up a QR code for an event, everyone suddenly finds it suspicious (laughs).”
“The CISO is part of the C-suite at WithSecure, and I think that’s important. That way, both the CISO and security are valued. We report monthly on the state of cybersecurity. Security is not an afterthought and I recommend this structure to all companies if they can afford it.”
Does the CISO organization have sufficient staff and resources to complete all requested work?
Bejerasco: “We never have enough resources (laughs). I have to set priorities ruthlessly. Of course, I always want to do more, that will never change. Of course, I have the advantage that WithSecure provides many security tools and resources. For example, we sell managed detection and incident response, so I no longer have to set up my own solutions for this.”
“It’s a luxury position, although there are limitations. If there are wait times for a particular service, I find it difficult to refer clients. Additionally, when we use our own experts for something, those are hours they could otherwise bill for, but not now.”
What impact will upcoming regulations such as NIS2 have on policy?
Bejerasco: “We already meet several strict certifications such as ISO 27001. NIS2 is not such a big leap, but we lack security. The regulations remain a little questionable. We should agree by October, but it remains unclear what exactly that means. So we have to report incidents, but when? When we discovered them? Or when we investigated them?”
How does WithSecure deal with the AI hype?
Bejerasco: “First of all, one of my main concerns is AI’s access to data and the way that data is made available to others who shouldn’t see it. Classification of data in an organization is fundamental. For example, if financial data is not correctly marked as confidential, the AI won’t care. The data goes into training and can be used in a response. That opens the door to crime. I would advise CISOs to look into data classification and access control.”
“Of course we need to use AI because it’s not going away. I think we should work on it from the beginning to steer the technology in the right direction.”
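The two controls Bejerasco names, data classification and access control in front of AI, as an added Python example that is not part of the interview and is not WithSecure's code. The classification levels, group names, the financial-marker heuristic and the sample documents are all constructed assumptions; the point the code demonstrates is the one from the answer above: a pipeline that trusts labels blindly will happily ingest unlabelled or mislabelled financial data, so the gate fails closed on exactly those cases, and a second check at retrieval time stops admitted confidential documents from being surfaced to users outside the owning group.

```python
"""Classification-aware gate for an AI ingestion pipeline (illustrative example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, Optional


class Classification(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner_group: str                          # group allowed to see CONFIDENTIAL+ content
    classification: Optional[Classification]  # None: nobody ever labelled it
    text: str


@dataclass(frozen=True)
class GateDecision:
    doc_id: str
    admitted: bool
    reason: str


# Illustrative content heuristic, not a real DLP engine: an IBAN-shaped token or
# payment vocabulary suggests the document should be at least CONFIDENTIAL.
_IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
_FINANCE_WORDS = ("invoice", "payroll", "bank account", "iban")


def looks_financial(text: str) -> bool:
    lowered = text.lower()
    return bool(_IBAN_RE.search(text)) or any(w in lowered for w in _FINANCE_WORDS)


def gate_documents(docs: Iterable[Document], corpus_ceiling: Classification) -> list[GateDecision]:
    """Ingestion gate: decide which documents may enter a shared AI corpus.

    Fails closed: unlabelled data, and data whose label looks too low for its
    content, are held for review instead of being admitted.
    """
    decisions = []
    for d in docs:
        if d.classification is None:
            decisions.append(GateDecision(d.doc_id, False, "unlabelled: classification review required"))
        elif d.classification < Classification.CONFIDENTIAL and looks_financial(d.text):
            decisions.append(GateDecision(
                d.doc_id, False,
                f"labelled {d.classification.name} but contains financial markers: review required"))
        elif d.classification > corpus_ceiling:
            decisions.append(GateDecision(
                d.doc_id, False,
                f"{d.classification.name} exceeds corpus ceiling {corpus_ceiling.name}"))
        else:
            decisions.append(GateDecision(d.doc_id, True, "within corpus ceiling"))
    return decisions


def admitted_documents(docs: Iterable[Document], corpus_ceiling: Classification) -> list[Document]:
    """Return the Document objects the gate admitted, preserving order."""
    docs = list(docs)
    admitted = {g.doc_id for g in gate_documents(docs, corpus_ceiling) if g.admitted}
    return [d for d in docs if d.doc_id in admitted]


def admitted_ids(docs: Iterable[Document], corpus_ceiling: Classification) -> list[str]:
    return [d.doc_id for d in admitted_documents(docs, corpus_ceiling)]


def visible_to(docs: Iterable[Document], user_groups: set[str]) -> list[str]:
    """Retrieval-time access control: inside an admitted corpus, anything above
    INTERNAL is only returned to members of the owning group."""
    out = []
    for d in docs:
        if d.classification is None:
            continue  # should never be in the corpus; skip defensively
        if d.classification <= Classification.INTERNAL or d.owner_group in user_groups:
            out.append(d.doc_id)
    return out


# Constructed sample documents (invented content, not real company data).
SAMPLE_DOCS = [
    Document("pub-1", "comms", Classification.PUBLIC, "Press release: new product launch next quarter."),
    Document("int-3", "it", Classification.INTERNAL, "Office wifi guidance for visitors."),
    Document("fin-7", "finance", None, "Invoice total EUR 12,400 payable to IBAN FI2112345600000785."),
    Document("fin-8", "finance", Classification.INTERNAL, "Q3 payroll export, see attached bank account list."),
    Document("hr-2", "hr", Classification.CONFIDENTIAL, "Performance review notes for the sales team."),
]

if __name__ == "__main__":
    for g in gate_documents(SAMPLE_DOCS, Classification.INTERNAL):
        print(f"{g.doc_id:6} admitted={str(g.admitted):5} {g.reason}")
    corpus = admitted_documents(SAMPLE_DOCS, Classification.CONFIDENTIAL)
    print("sales user sees:", visible_to(corpus, {"sales"}))
    print("hr user sees:   ", visible_to(corpus, {"hr"}))
```

With a corpus ceiling of INTERNAL only the press release and the wifi guidance get in; the unlabelled invoice and the payroll export labelled INTERNAL are both held for review rather than silently ingested. Raising the ceiling to CONFIDENTIAL admits the HR notes, but `visible_to` still returns them only to a user in the `hr` group.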