At Sicra, Oddbjørn is responsible for the company’s internal information security, secure handling of customer data and advisory services related to security, compliance and modern security governance. He leads Sicra’s professional environment for security management and is team lead for the company’s security managers and CISO advisors. He also contributes to business critical customer deliveries at the intersection of business, technology and security.

What does the role of CISO at Sicra involve?

The role is largely about ensuring that we have secure and robust processes, both internally and in our customer deliveries. This includes everything from internal information security and security culture to regulatory compliance and secure data handling.

At the same time, it is about making security understandable and practical. Good information security should support the business and create business value, not make everyday work unnecessarily complicated.

In addition, I work closely with Sicra’s security managers and CISO advisors to further develop services, expertise, methodologies and how we help our customers with security governance in practice.

What is the biggest security challenge organizations face today?

Many organizations experience that requirements related to security, documentation and compliance are becoming increasingly complex. At the same time, they must manage rapid technological change, cloud transformation, AI and increasingly advanced threats.

The challenge is often not a lack of technology, but a lack of holistic thinking and maturity. Many organizations have individual solutions, but lack alignment between security, operations, leadership and business goals.

You work extensively with NIS2 and regulatory requirements. What does this mean for Norwegian organizations?

NIS2 will impact far more organizations than previous regulations. It is not only about IT security, but about organizations’ ability to protect critical societal services and manage risk in a structured way.

For many, this means stricter requirements for governance, risk management, supplier control, incident management and documentation. But the most important thing is not the compliance aspect itself, the most important thing is building resilient organizations that can actually withstand incidents.

How should organizations think about information security?

The best organizations succeed in making security a natural part of business governance. Security cannot exist in isolation within the IT department. It must be anchored in leadership and integrated into how the organization works with technology, people and processes.

At the same time, solutions must be practical and understandable. If security becomes too complicated, people often find shortcuts, and much of the effect disappears.

What are you particularly focused on professionally?

I am very focused on the connection between technology, security and business. Good security is not only about technical controls, but about understanding risk, maturity and how technology is actually used within the organization, and how investments in security and technology align with the group’s strategic goals.

I am also focused on how organizations can modernize IT operations and security without losing control or creating unnecessary complexity.

As leader of Sicra’s security governance environment, I am focused on developing advisors who understand technology, regulatory requirements and business governance. It is at the intersection of these areas that the best security decisions are made.

You have experience with major transformation and outsourcing projects. What do you learn from that?

You learn how important people, communication and culture are in technology projects. Technology alone rarely solves the challenges. To succeed with change, you need to bring the organization with you, build trust and create understanding for why the changes are necessary.

As Group CIO at StrongPoint, I led a group wide IT improvement program across 8 countries and 24 offices, from consolidating three regional operations partners into one global partner to achieving a group wide ISO 27001 certification that created direct business value through new international customers. At Schibsted, I served as deputy project manager for the IT outsourcing program to IBM across more than 35 companies and 3,600 employees. A common factor across all of these initiatives is that leadership anchoring, clear governance models and business justification matter more than the technology choice itself.

What characterizes a strong security environment?

A strong security environment combines high competence with collaboration and pragmatism. The best environments succeed in balancing security, business needs and user experience without making things unnecessarily complicated.

It is also about a culture of knowledge sharing and continuous learning. The threat landscape changes constantly, so you need to stay curious and willing to evolve.

What do you want customers to experience when working with Sicra?

I want customers to experience Sicra as a trusted and highly competent partner that understands both technology and business. We will help organizations navigate an increasingly complex security landscape in a way that is practical, realistic and value creating.

What motivates you in your work?

What motivates me most is creating improvements that truly matter for organizations and people. I enjoy building structures, processes and solutions that make organizations safer and more resilient over time.

Is there something people may not know about you?

I am very passionate about hunting, fishing and outdoor life, and I spend a lot of time in nature. My interest in hunting and fishing has also led to a strong interest in cooking and growing my own ingredients.

I actually also hosted a podcast about gardening and cultivation together with a friend. We talked about everything from tomatoes and berry bushes to roses and vegetable gardens, which is perhaps a slightly broader set of interests than people expect from a CISO.