INTERVIEW WITH GROUP CISO OF STOREBRAND - NORDICS

At InfoTeam International we pride ourselves on producing informative, client-led events that add real value to those attending. Having successfully launched last year, we caught up with one of our delegates to find out more about them and understand what they believe the InfoTeam conferences bring to the industry.

Bjørn R. Watne has almost two decades of professional experience working within the Information Security industry and is currently employed as CISO for the Storebrand Group – delivering services within banking and insurance for the Scandinavian market. He attended our CISO event in Norway in February and we’re delighted he was willing to give us his thoughts after attending.


Bjørn, first of all can we ask you what value you believe you and other executives can gain from attending this sort of event?

Firstly, I believe that the best way for all of us to become better at what we do is to share our experiences with each other. It's well versed in the Financial Services Industry that "we don't compete on security", and that the industry as a whole benefits from us collectively becoming more digitally secure and trustworthy as one.

The sharing of experience and learning from each other is definitely the big value here. People in our role can be quite ‘alone’ in big corporations, and CISOs get a lot of value out of speaking with other CISOs and other C-Suite Executives at events like these. At least I know I do!

The second thing is that, for many people, information security is seen as somewhat of a black hole. It will continue to be so unless we tell others about the challenges we face, how we overcome them and the benefits everyone gets from doing so.

I believe that contributing to and speaking at events like the ones hosted by InfoTeam in Oslo helps to remove the veil covering our industry, and makes it more apparent to the public in general all the good stuff that's happening behind the curtains.


Moving on to the InfoTeam event in Oslo specifically and the well-received panel discussion, what were your thoughts on the conversation surrounding the evolution of the CISO role?

It's a very interesting topic, and one that will be ever-present, I think. Go 10 years back and every head of security was a person with a background from either law enforcement or military service, and it was all about locked doors and red tape.

If you look at Charles Darwin and his theory of evolution and the "survival of the fittest", we can draw a direct parallel to that of the role of the CISO. If we fail to modernise our security strategy along with the business strategy, then in the longer run we will become extinct. The panel was there to discuss some of the issues we are currently facing, and in 3-5 years from now we could have the same topics still, yet be discussing totally different issues.


And how about the rest of the event, what were the key debates and points of interest for you?

I really enjoyed the question we discussed in the panel when we were talking about whether we were really changing our digital strategy, or whether we were just changing the tools and approach, whilst sticking to the same strategy. The fact that we managed to move the discussion from the previous approach of ‘protect and defend’ to the future ‘detect and respond’ was really interesting and something I think everybody got a kick out of, judging from the increased participation from the room that followed this topic.


Overall, what would you say was the most important thing learned at CISO Norway?

Events like these are great to measure whether one is on the right track and focusing on the right things. During the event I got lots of confirmation that what I'm doing are the right things.

Also, like I previously mentioned, the fact that looking ahead at a more detect and respond approach to threats would probably improve my work even further, made that a really interesting topic to investigate in depth.

What makes an InfoTeam event different to other CISO conferences and events?

What's good with the InfoTeam events is that you get a smaller group of people gathered, meaning that there is more time to discuss challenges and ideas between you and your peers, and fewer one-to-many presentations being presented from the stage.

You're also good at bringing together the right mix of profiles and competence, and I like the layout of the program that is a panel debate, case study led – with vendor insight. It always leaves room for interesting discussions.


Based on what you experienced, who do you believe should attend these select, regional events?

Any CIO, a CISO or a CDO – essentially anyone who fits the profile of whom the event is targeted. But, to get the most out of gatherings like this it's always important to bring the right mix of people with the right experience and competence, so that everyone present has the opportunity to learn something from each other.

I would attend another event, and it was a bonus that it was more or less “after hours”. It makes it easier to combine with the busy daytime schedule that is the regular life of most CISOs!


On to more general subject matters, can we ask you what you are responsible for as a CISO and what you believe makes you successful?

I'm responsible for protecting the integrity, confidentiality and availability of information and information systems owned or managed by the Storebrand Group. This is done to the appropriate levels in accordance with the risk appetite agreed upon by the CEO and the Board of Directors.

There are two things I think are important in order to be successful in what a CISO does. The first is perhaps what is most important and our baseline, and that is being dependable. You must always deliver – on time – and within or above expectation as the role is so critical to the company’s risk management.

Once that is established it's all about taking the lead or differentiating yourself from the rest. Go the extra mile, pull the extra weight. If you can you will be noticed and, as long as the baseline has been delivered too, you will then advance. This I believe is true for whatever it is you may be doing in life.

If there was a secret weapon one could employ in addition to this, I'd say mind your colleagues. People work with people, and if you strive to be a nice and likeable person – people will like you in return. And I think everyone agrees that they prefer working with or for someone they like rather than the opposite. Never underestimate the human touch.


You’ve alluded to the fact it’s a heavily time-demanding role, how do you manage that time and deal with the pressure that comes your way being a CISO?

Would it be fair to say stay single and don't have children?! No, I didn't think so!

Jokes aside I think it's important to not make a bigger deal out of things than what they are. People in general have a way of overreacting to most situations when the best solution is to stay calm.

Apart from having a fact-based and reasonable approach to things I tend to try and learn from the past and focus on the long-term. There is a children's song in Norway that goes something like "You'll have a new day tomorrow, white and clean. And you'll be given crayons of any colour so you can paint it however you like, and correct any mistakes you might have made the day before." Underlying this pretty picture is the fact that one should focus on what's ahead rather than what went wrong. Mistakes will always be made – that's not the issue – the issue is whether we learn from them and continuously improve.


And finally, do you have any advice for future CISOs?

Learn the business language! As a CISO you're becoming an increasingly important strategic asset to the company, and your job is always to support the business more than it is doing security for the sake of security. A successful CISO will be the one that allows him or herself to take risk, as there will always be risks involved in making a profit. No risk – no reward. The technical background and technical know-how is important both to know on what base you make your decisions, but also to have sufficient credibility with your more technical employees so never the importance of that baseline – but if you really want to succeed in your mission from strategic, via tactical to operational level – you need to build on that technical platform with some business savviness.


To find out more about future InfoTeam events please click through to the events page of our website.

Alternatively, whilst travel is restricted for the vast majority of us, you can find out more about our exciting new development and launch – Smart Webinars – at this link.

Our thanks once again to Bjørn for his time. You can find him on LinkedIn here: https://www.linkedin.com/in/bjornwatne

Prior to joining the financial sector, Watne held numerous positions within telecoms as well as working as a consultant with different industries.

Bjørn attained his BSc in Computer Science from Agder University in Norway, and an MBA from ESCP in Paris, France. His professional certifications include CISSP and ISSMP from (ISC)2, and CISA, CISM, CRISC and CGEIT from ISACA, where he currently sits as Immediate Past President, and Director of International Relations for the Norway chapter.