Christoffer Karsberg is a new member of the 4C Strategies team and has a background as NIS directive coordinator at the Swedish Civil Contingencies Agency (MSB). We have met Christoffer and talked about how NIS will affect organisations and how they need to work to fulfil the new legal requirements.
Hi Christoffer! And welcome to 4C Strategies. What will your role be here at the company?
“With my background in information security regulation, I will be helping organisations to comply with the requirements in the NIS Directive and other regulatory frameworks. But not just that, I want to help them see past the requirements and exceed them. 4C has previously worked on cyber security, but we are now strengthening our offerings.”
“As critically important public services are gradually digitalised and becoming increasingly dependent on networks and information systems, they are also becoming more vulnerable. We strengthen the capacity of service suppliers to deal with unknown phenomena linked to information and cyber security.”
Where did you work before and what did you do there?
“Most recently I was with MSB, where I was the coordinator for MSB’s implementation and application of the NIS directive. MSB is the coordinating authority as regards NIS, issues general regulations, receives incident reports and provides incident management support via CERT-SE. In addition to coordination, I started and headed a coordinating forum for Sweden’s seven sector-specific regulatory authorities so that they could coordinate with each other, and I participated in the EU’s Cooperation Group for the implementation of the NIS directive.
This is an EU system, so all Member States implement it in their own way in their home countries, which means that there will unfortunately be some differences. And it’s quite hard work for players who conduct cross-border activities. Here we can provide important support with all our experience.”
“NIS is an EU system and all countries implement it in different ways. So we can provide important support.”
Have you done anything in your career that you are particularly proud of?
“I think I have a sense of pride about how we have converted the directive into a system that stimulates systematic information security management among society’s critical players, and that promotes continuous improvement in the field of information security. We have done some good groundwork in order to establish this approach and this will pay off once the system is running at full speed.”
What kind of assignments will you be taking on here at 4C Strategies?
“I am of course new here, but I can imagine I’ll be carrying out a lot of training and education initiatives, teaching about the logic and aim of NIS. Organisations are employing people now who need an introduction to how it will all work. In most companies, it will be Chief Information Security Officers (CISO). And they are becoming increasingly important; they represent the bridge between different parts of the company. But it may also be HR staff that have a need, because it’s people, capacity building and security cultures we are talking about here.”
How did you find your way to 4C Strategies?
“I knew about 4C Strategies before through previous employers; both MSB that has worked a lot with the company, and also through ENISA – the EU’s cyber security agency, where I worked for more than three years and for whom 4C Strategies have done assignments. Also for PTS, where I worked for 10 years, with whom 4C have done large-scale sector exercises and have a key role. So I sent in an impromptu application. I was at a stage when I wanted to go back into the business sector and get my hands dirty, so to speak, and 4C Strategies was the best place for that.
Now, when the NIS directive has been introduced and it is a question of going from the drawing board to the front line, it feels great to be implementing something that I myself have been involved in developing. And to be able to do so with such a skilled company as this one, which already works in the continuity and risk management business, means that I can get up to speed very quickly in my new work environment.”
How do you think your skills will contribute to 4C Strategies’ development?
“What’s so exciting with 4C Strategies is that we are such an authority on business continuity issues, preparing organisations to be able to cope with events and to adopt a risk-based approach. And this is what NIS is all about, imposing requirements on information security that strengthen the continuity of critical public services for players in areas such as finance, energy, transport, water, healthcare and digital infrastructure. Not forgetting that the requirements also apply to providers of cloud services, search engines and web-based marketplaces. But the law is new and therefore not everyone that maybe should is aware of it yet.
If you compare it to GDPR, that law is often seen as a bit cumbersome, something you do because you have to. But NIS is full of things you should do in any case, even without it being a law of its own. Fulfilling the NIS directive quite simply makes companies and organisations more resilient.”
“NIS is a law, but even without a legal requirement, fulfilling it would have done organisations good.”
What can an information security officer need help with?
“They may need instruments and arguments to create the bridge to continuity in their core services, they may need tools for this and this is where 4C Strategies’ Exonaut software comes in. They may need help gathering the requirements from lots of different regulations together into a whole, so that they don’t sit and work in silos. And of course, exercises are also needed.”
What do you do when you’re not working at 4C Strategies?
“I have a wonderful family; a wife and three daughters with different interests. My big hobby is choir singing, on an amateur level but still semi-professional. Today I’m singing tenor in Stockholm singers. That’s how I met my wife Sofia, actually.
And I also want to mention another important member of our family, our cat Einar, who we found as a kitten in a trash can in Athens when I was working at ENISA. We’ve had him chipped, he’s got all the required injections and he has an EU passport, so he’s a well-established EU citizen! When we found Einar and lifted him out of the trash can, he ran after us and sat down on Sofia’s foot, so we couldn’t just leave him there, we had no option, and so he became a member of the family and of course came with us when we moved back to Sweden.”
If you want to know more about Einar and how your organisation can implement the NIS directive in the best way, contact Christoffer Karsberg at firstname.lastname@example.org or by phone on +46 76 134 18 10.