Dagens industri: Swedish Firms Face Cybersecurity Risks Without CISOs
Summary generated with AI, editor-reviewed
Heartspace News Desk
Source: Dagens industri
Many medium-sized Swedish companies are increasingly susceptible to cyber threats due to a lack of dedicated cybersecurity leadership, according to a report in Dagens industri. Thomas Öberg, Principal Architect Cybersecurity at itm8, notes that a significant number of these companies lack a Chief Information Security Officer (CISO), resulting in ill-defined security responsibilities. Consequently, cybersecurity often falls to executives like the CIO, CFO, or CEO, who may lack specialized expertise.
Öberg emphasizes that this absence of clear cybersecurity ownership presents a significant vulnerability that cybercriminals readily exploit. This issue is further compounded by growing external pressures, including new regulations such as NIS2 and heightened expectations from insurance providers and investors. While companies generally acknowledge their security responsibilities, many struggle to allocate the necessary time and develop the required competence for effective management. Öberg warns against complacency, stressing that any revenue-generating business, regardless of whether it handles critical societal data, is a potential target.
When no designated individual is accountable for cybersecurity, it risks becoming a superficial task rather than an integrated business function. Öberg advises companies to prioritize fundamental security measures, commencing with awareness training, strategic prioritization, and tailored risk analysis. This includes a thorough understanding of company assets, identification of critical protection needs, and assessment of the potential impact of security breaches.
This foundational approach enables companies to establish a baseline understanding of their security posture and effectively demonstrate security controls to their boards. By prioritizing these measures, companies can proactively mitigate risks and more readily meet evolving regulatory and market demands.