My goal is to engage and train people to become security resources, rather than weaknesses. While competent employees are important, I also believe security depends on implementing technological products and policies which altogether reduce friction between humans and machines. For as long as technology cannot provide us with perfect protection, we cannot ignore this complex yet immensely interesting challenge.
As co-founder of the company Secure Practice, I have hands-on experience with security awareness, culture and training, behavior, change, compliance, risk and tech — all connected. I have tried “it all” in terms of what you could possibly do in a company to raise awareness and increase employees’ security competence. This includes creating e-learning content, producing 40-second video skits, designing posters, stickers and t-shirts, performing live hacking, hosting lunch ‘n’ learns, stealing employees’ passwords via phishing emails, planting infected USB lures, promoting secure coding practices, and simply walking from office to office talking with people about security in a casual tone. I have led development of a successful programme and strong brand for secure practices among employees over several years, and surveyed progress at regular intervals for reporting to the executive board of directors.
Based on these experiences, I have co-developed a theoretical framework for working with people, policy and products (our three P’s) in security and IT, serving as a basis for our company. This framework is based on positive user experiences and functionality as primary drivers for compliance. It has been refined through engaging with several IT-related change processes. A major one was leading the pilot and implementation of Office 365 for a 2000+ employee company, where we established multi-factor authentication and got rid of the mandatory periodic password change policy in the same go. As a certified ISO27001 Lead Implementer (PECB), I can offer a holistic approach to building a secure enterprise without relying on any of the three P’s alone.
Previously, I have worked as a research scientist at the Norwegian research foundation SINTEF for six years. My position involved applied scientific research in the wider area of information security and risk management. I have published a few scientific papers, held a range of presentations, written a few blog posts (in Norwegian), and also appeared in a couple of media stories (including this one in English). Although I have experience from several areas of cyber and information security, a main theme in my research has always been the human factors. Ever since my MSc studies in informatics, with Human Computer Interaction (HCI) as my main direction, this crossover has been strengthened by working on projects related to user experience and design thinking — making technology — and security — work for people.
Many years ago, I founded mWEB, a digital agency building web solutions for people in small and midsize businesses, sports clubs, churches and voluntary organizations. This company has served dozens of customers well, and now it also acts as scaffolding for new security-related tech ventures.
In my spare time, I work on my wife’s farm Opeggen gård, where we grow organic potatoes and vegetables. We also sell some produce from our cashmere goats, pigs, sheep, quail, ducks and chickens, while our four horses love giving rides for kids (including our own). The farm is only a 25-minute drive away from Trondheim city, and you are more than welcome to come visit us!