Security Expert Interview Series: Jani Räty
We recently had the opportunity to speak with Jani Räty. Jani is a Director of Information Security and Quality, working for a Finland-based company operating in the payroll/HR field. His areas of expertise include security governance, risk management and compliance, enterprise information management (EIM), disaster recovery planning (DRP), business continuity planning (BCP), business impact analysis (BIA), and threat assessment/monitoring. In this interview, Jani shared with us how information security has evolved since he started his career and answered our questions on diverse areas. You may read the full interview below.

1. Could we have you introduce yourself and tell us a little bit about your background as an information security expert?
Originally, I started my career as a scientist, focusing on modification of gene therapy viral vectors. On the side, I also had a role in keeping the lab computers compliant and validating the GxP-ICT network.
After many years in science and the life sciences industry, I gradually wanted to do something else and, via a series of navigational career steps in various countries, found information security to be the thing I want to do. I also obtained CISM and CISSP certifications and ISO 27001 lead auditor qualification to deepen my understanding of the trade. It’s really good to know the limits of your own knowledge.
Security, quality, and compliance have always been part of my career, but now they are at the core of what I do daily.
2. You are holding the position of Director of Information Security, and working closely with the CIO, CEO and business stakeholders in Nordic locations. Could you please share with us the challenges that surprise/excite you in that role?
Does security exist if there are no people, technology and processes that need it? My colleagues and I, no matter what their title is, work daily to keep our customer data secure, maintain privacy and guide personnel in best practices. Every day can be equally surprising and exciting, with new 0-day vulnerabilities and improved tools being developed.
Having my current role gives me an opportunity to get a glimpse of where the company is heading and work with others to steer the ship to the most secure route.
3. How has information security evolved since you started your career?
Given that I ambitiously count the start of my career when using cheat codes in Commodore 64 and calling my friends on a landline phone, yes. As an example, a thing called the Internet has enabled public cloud, digitalization, and global hacking groups. You can even do most days on your mobile phone without actually calling anyone! Also, as a sci-fi fan, reports of hacking into someone’s pacemaker feel like we are truly catching up on Cyberpunk 2020’s dystopic landscape.
But information security should not be just about the dangers. Meanwhile, we have also been able to build digital services in healthcare and other areas, which daily make it possible to improve life quality, keep the society running and communicate globally in a (mostly) secure manner. This also means that security belongs to everyone, not just those with obscure certifications. We need security people with diverse backgrounds and expertise from non-ICT world to keep things secure.
4. How can security leaders better help organisations develop a culture of security?
Leaders are not leaders due to their title, but because they show an example and the way to the people who follow. For an effective security culture, you need to have leaders showing an example, not cutting corners, and having their moral compass calibrated. If you give them the resources they need and the support they should have, with enough time the culture will develop. Just like with baking, which I also like.
5. What has been the most important lesson you have learned in 2020 through your work in information security?
“Chance favors the prepared mind” – Louis Pasteur.
Sometimes the hindsight also works in a positive way. Years of Business Impact Assessments, migration from desktops to laptops and changes in ICT systems were just the thing needed to countermeasure Covid-19. One can’t prepare for everything; but most some plans give you tools also for unplanned events.
6. One of the areas you are specialised in is Disaster Recovery Planning (DRP). Please, tell us what should a disaster recovery plan include?
What do you do when you wake up with a bedroom full of smoke and flames reaching the door?
Start with the big things (people, knowledge, technology, and processes) to save the valuable things and go to smaller details (communication, logging, roll-back) as needed. Keep everything simple; no one has time to read 300 pages of technical manuals when they need to do miracles at 2:00 am.
7. What are the 2 biggest benefits of a disaster recovery plan?
Saving the day and keeping your job.
8. What do you predict to be interesting trends in information security in the next 5 years?
Having IoT devices held ransom or as botnet for consumers.
Value of personal data being recognized and protected as it should.
APT groups / nations starting out cyberwarfare with collateral damage to global services.
9. What are your 2 go-to-sources of information or support when you are stuck?
I am not going to name any professional sources, but rather encourage everyone to do something other than being stuck. Thai-boxing, Taekwon-Do, reading or walking in nature will give your mind the boost needed to solve the problems. Never underestimate a cup of coffee and a deep conversation with your colleague because you might already know the solution.
10. If you could give your 23-year-old self just one piece of career advice, what would it be?
It’s the year 2000 and Y2K did not bring down the world. I am doing my B.Sc and working in the Pharmaceutical department on the side. Some of my friends are doing an exchange year abroad. I am hesitant, perhaps it is better to graduate sooner and land a job? Go for it now, I would say. It is not the date in your PhD cert, it’s the new experiences and opportunities that will make you look back. You might build yourself to be the person who you do not even know you need to be.