Henri Heinonen is the Chief Information Security Officer at Aktia Bank Plc - a Finnish asset manager, bank, and life insurer. Aktia provides private individuals, corporate customers, and institutions with customer-oriented banking and financing solutions, based on close consultancy, through different channels: digitally everywhere and face-to-face in offices in Finnish growth centers (capital area, Turku, Tampere, Oulu, and Vaasa).We talked with Henri about how CISOs should be also business-focused, his vision about where cybersecurity should develop within organizations, how compliance affects cybersecurity operations in financial institutes, sharing knowledge and ideas with the cybersecurity community, and finally, his advice to those that plan a career in cybersecurity.
Everyone has their own story and a different path to arriving at the CISO role. What’s yours?
When I was a kid, computers were really fascinating to me, so I spent quite some time on the computer. In high school, I needed to decide what I was going to do when I grew up. I was thinking about doing radio or theatre – at that time acting was my passion. I ended up studying my other interest, technology, at the university of applied sciences.Soon after graduation, I started working at Aktia, and shortly after, I began working closely with cybersecurity-related matters. Throughout the years I was leading several technical teams in Aktia. What the different teams had in common was that security was at the heart of what was being done. We did everything from networks and operating systems to web application firewalls and identity and access management.In 2018, I was promoted to the CISO role. At the same time, I applied for postgraduate studies because I wanted to develop myself to better understand the business and how the cybersecurity department could support its objectives.
Have your studies contributed to your work in a major way?
My studies really supported me in my new role and reflected on the skills I need as a CISO. The CISO role is two-fold and requires business acumen in order to work closely with upper management, and technical expertise in order to lead security team members and objectives. The way to discuss strategy with C-level executives differs significantly from the way we discuss technical details of reporting on risks with a developer. You need to be able to focus on details, areas, fields – leading cybersecurity is more than just being really good at tech.
In some earlier interviews, we talked with our guests that cybersecurity has changed a lot during the last 10 years. What’s your view on that? What’s the role of cybersecurity in the business in 2020?
Cybersecurity is a support function. It's important, especially in the finance sector, but it always needs to be business-focused. CISOs and the whole cybersecurity team need to understand the organization's goals and build the department in a way that it can support the business to achieve its goals.We don't want to be this old-fashion department from the 70s that says 'no' to everything. We support the business because only together can we grow and succeed.I've noticed that other CISOs bring up the same point when I am talking with them. We are talking more and more about the business side and how we can support it, especially how digitalization is taking over most industries.Today, cybersecurity is a concern for the board and C-level executives. Years ago, the cybersecurity department was in a dusty corner, but nowadays, it's more important than ever for businesses. Suddenly, CISOs have found themselves in top leadership roles.
Do you have a vision about cybersecurity? Where is it going? Is there anything specific that you believe in?
We need to talk more about people and cybersecurity together. Cybersecurity doesn´t work without the contribution of employees. My vision is to make cybersecurity a bigger part of our everyday lives. This should be the goal of every company. At Aktia, we want our employees to be the strongest link in information security – and that’s why we are actively training them.We want to share security responsibilities in the organization. But we cannot demand them to take responsibility until they have developed the needed awareness and skills. Employees need to understand that their decisions and actions have consequences – both positive and negative. By deciding to practice safe online habits, and acting accordingly, employees can play a large role in defending the organization. We want to build a culture where everyone knows how to behave the right way, and identify what they need to do to remain as secure possible. Of course, mistakes can happen, but our role is to ensure that an error doesn’t occur because of the lack of skills or knowledge. We want people to know that the CISO team is available if a security breach occurs.
It sounds like you are leading a 100% people-focused cybersecurity department.
People are the essence of an organization, and that applies to cybersecurity as well. I believe that employees want to do the right thing. At Aktia, we want to make sure that we have a cybersecurity culture that supports and encourages people to do the right thing without hesitation. That’s why we believe in continuous training. Of course, we invest in a full awareness program, and we use Hoxhunt as a key element of that. It’s memorable, and through practical exercises, people remember better what they are supposed to do when they receive a threat in their inbox. It’s also done continuously, which keeps employees on their toes.
Is there anything specific you focus on during phishing training?
We specifically practice phishing by using a coworker's name (email impersonation scams – the interviewer). Employees first thought it was weird, but we explained to them that this is the easiest trick in an attacker's playbook. We need to practice so that employees are familiar with the latest attack types. Only then, they can start to think critically about the emails they receive.Employees are willing to help, but we need to make sure that they are aware and prepared to react to threats with confidence.
Aktia is an asset manager, a bank, and a life insurer. Do regulations and compliance have a big impact on the cybersecurity operations?
Of course, finance is a strict field in terms of compliance. We also talk a lot about doing things to become compliant. Those are things that everyone in the field has to do in order to be compliant, but at Aktia, that is not our primary goal. Our main goal is that our customers and the business are safe and regulatory compliance comes hand in hand with it.Of course, compliance policies are created to protect the business and ensure that customers can trust the business they work with but it’s not enough to only aim for compliance.From the business point of view, reliability and trust are vital. We need to ensure that the business is running smoothly, and our digitalization plan can be successfully executed. We want to make sure that our customers are satisfied with our digital services and know that their assets and information are kept safe.
So, what’s your game plan for an incident?
We need to be prepared that a breach could happen at any time. It’s a fact that at some point, a breach will happen. How soon will we notice it? How fast will we be able to react to contain it? How will we mitigate the damage? How will we eradicate it completely? How will we communicate about the breach to our customers or other stakeholders? These are all questions we ask ourselves to ensure we are prepared. A breach can really harm a brand and ruin a lot of hard work.Your responsibility as a company doesn’t end when you let the customers and all other stakeholders know that a breach has just happened. You need to keep them informed as you are working to resolve it. What data has leaked? How can that harm them? What’s our plan to help the stakeholders when something goes wrong?While a breach is a really unfortunate thing, you can stand out by handling it professionally, showing that you care and that you know what you are doing by keeping stakeholders updated throughout the process. Especially when you are working for a company in the financial sector, the news can quickly end up in the media, so you need to be prepared.
What are your biggest pain points or challenges?
“There are many, but these are my top three right now.”Security awareness is a problem everywhere. How do we spread awareness to our people and create a human firewall? We want Aktia’s employees to understand cybersecurity better and know that sometimes technology can fail. If the email filter is down and employees start receiving phishing emails, they still can save the situation simply by identifying the threat and understanding the risk.We also need to plan for the long-term, as the future is always volatile. We are working on changing the employees’ outlook and the mindset around cybersecurity. Of course, a lot of it is about technology, but it should also be more human.The development of information security in Aktia is based on a 4 P model: People, Processes, Products, and Places. Now we have been focusing heavily on ‘people’ but the three other areas also need to be constantly improved and we need to find a perfect balance of how to do that iteratively.
What are you the proudest about?
In a very short time, we have built a fantastic team at Aktia. I feel like we have achieved a lot and we are taking security to the next level. We are building a culture and it’s awesome to see how the whole organization is involved in the development work. We have the full support of the leadership; we are actively supported, and there is a back and forth discussion about security.In the CISO role, there is a lot of variety in terms of responsibilities and tasks, and that keeps things interesting and motivating.
We have been asking this question from our other Hoxhunt CISO Series guests too, so we really want to hear your opinion. Who is responsible when the employee clicks on a dangerous link or downloads a malicious attachment?
You cannot blame your employees if they don’t get appropriate training. It is the responsibility of the company to help employees become more educated and skillful. You need to teach your employees in a practical way how to change their behavior in the long run. How will you do that? Policies are not enough. Who reads policies? We need innovation. We need to get our message to the people in a more creative and interesting way to encourage participation. Can we make training fun? I believe that changing the cybersecurity culture starts when people feel that it’s fun, cool, or even humorous.
Is there a community that you are a part of and share information with?
Our cybersecurity department wants to be an active part of the information security community in Finland. We want to share our experiences and knowledge, and we get excited about sharing our successes and learning from others. Through our own outreach program, we are also collaborating with companies from other critical infrastructure sectors.In the financial sector, we all want to strengthen our capabilities and cyber resilience. We have financial sector meetups where we share our experiences, viewpoints and ideas. We also follow other sectors and the international scene to stay informed and up-to-date.
Finally, we have a lot of readers that plan a career in cybersecurity. What advice would you give to them?
There are so many different areas of cybersecurity where you could focus your attention. There is much material online, and there are a lot of great books to use for self-study. I believe in continuous learning and development. Study, network, find the groups where information is shared, and follow the news. Choose where you want to focus on your cybersecurity path and purposefully pursue your goal. There are certainly plenty of interesting areas in cybersecurity.