Insights

When security is reduced to an IT issue

The modern cybersecurity landscape is at a critical turning point, where the gap between technical investment and actual resilience is becoming increasingly evident. Despite organizations rapidly implementing sophisticated technical solutions such as multi-factor authentication (MFA), cloud protection, and advanced SIEM systems (Security Information and Event Management), successful breaches continue to affect even the best-resourced actors. This discrepancy stems from a fundamental misunderstanding of what cybersecurity truly represents. When security is reduced to a purely IT issue, a dangerous illusion of safety is created—masking the real vulnerabilities: organizational decisions, priorities, and underlying culture. These decisions form a hidden attack surface, where weaknesses in leadership and ways of working open doors that no firewall can close.


Current incidents show that technology itself is rarely what fails; rather, it is the context in which technology exists—the human and organizational frameworks—that breaks down. By blindly relying on tools without examining and addressing the underlying decisions, organizations create an environment where technical defenses become static monuments in a dynamic and evolving threat landscape. The way we approach technical protection must change, shifting instead toward an integrated security culture where people and the organization are placed at the center of cyber defense.

Why security culture cannot be bought

As a specialist in information security or someone responsible for corporate training programs, you’ve probably heard it before: “We need to buy a training program to fix our security culture.” There is a widespread belief that culture is something that can be packaged, licensed, and rolled out like any other SaaS service. But in reality, if you try to buy a culture, you will at best get compliance – and at worst an organization that has learned to click the right buttons in an e-learning module without changing a single behavior in everyday physical or digital work.


Security culture is not a product; it is the result of an organization’s collective attitudes, norms, and behaviors. It is what happens when no one is watching, when time pressure is at its highest, and when the choice is between following a cumbersome policy or taking a shortcut to meet a business goal. Building this does not require another purchase order, but a clear shift in how we view humans as a critical part of security.

Your decisions - a hidden attack surface

The modern organization faces a threat landscape that can no longer be managed through technical barriers alone. Cybersecurity has traditionally been viewed as a technical challenge — a series of bugs to be fixed or firewalls to be configured. The reality, as seen by advisors and experts on the front line, is quite different. The most critical vulnerability in today’s digital ecosystem is not a flawed line of code, but the decisions made in the organization’s day-to-day operations. These decisions — often made at the intersection of business value, pace, and convenience — create a hidden attack surface that adversaries systematically exploit to bypass even the most sophisticated technical defenses.


When leadership teams and decision-makers prioritize short-term deliverables over systematic maintenance, or when employees take shortcuts in their workflows to save time, gaps are created that technology can never compensate for. Cybersecurity therefore starts in the boardroom and is shaped by the culture that permeates the organization. It is about understanding that every strategic choice, every resource allocation, and every cultural norm directly affects the organization’s resilience. At a time when regulations such as NIS2 and the Swedish Cybersecurity Act place responsibility squarely in the boardroom, the ability to manage this hidden attack surface becomes an existential issue for every modern leader.

Embarrassingly secret: when the culture of silence becomes security's greatest vulnerability

Within Swedish administrative law and information security, references to legislation are part of everyday life. But there is a marking that has begun circulating in the corridors of both public authorities and private companies — a worn, black stamp bearing text that cuts straight through the professional jargon:

CLASSIFIED – Without basis in Chapter 15, Section 2 of the Public Access to Information and Secrecy Act (2009:400) – OF FUNDAMENTAL IMPORTANCE TO THE MAINTENANCE OF THE ILLUSION – EMBARRASSINGLY SECRET. Disclosure of this document will be handled with considerable delay.

This stamp, created by the consultancy firm Securebyme, appears at first glance to be a sharp piece of satire on Swedish administrative bureaucracy and the eternal search for scapegoats. But behind the humorous façade lies a brutal truth about modern cybersecurity. It is a diagnostic marking for a deeply dysfunctional security culture.

The Public Access to Information and Secrecy Act (OSL), Chapter 15, Section 2, protects information relating to defence secrecy — information whose disclosure can be assumed to damage Sweden’s defence capability or otherwise pose a threat to Sweden’s security. But when the metaphorical stamp “Embarrassingly Secret” is applied to a decision, a vulnerability, or an incident, it is not about national security. It is about protecting the reputations of individuals or management, concealing technical debt, or maintaining a fragile illusion of perfect control. This culture of silence is not merely an administrative failure — it constitutes one of the most critical, hidden attack surfaces in today’s digital ecosystem.

DO YOU NEED MORE THAN POLICIES?

We help you build security that works in reality