Henrik Parkkinen is a globally recognized security leader from Sweden with +20 years of experience in the security and IT field. He is known for his broad and deep understanding of today’s digital ecosystem, emerging technologies, security universe, and threat landscape. Henrik’s expertise is collected from both a defensive and offensive security perspective through technical hands-on assignments to management and leadership roles. For the last 14 years, he has primarily worked in various security management and leadership roles helping organizations strengthen their security posture and cyber resilience.
Recently, in an exclusive interview with Digital First Magazine, Henrik shared his professional trajectory, insights on the most demanding challenges ISOs are facing today, the best piece of advice he has ever received, the secret mantra behind his success, future plans, words of wisdom, and much more. The following excerpts are taken from the interview.
Hi Henrik. How did you get your start in cybersecurity/tech?
From a very early age, I had a high interest in technology. This was thanks to my father, as technology was one of his biggest passions, which he introduced to me when I was a little boy. I had the luxury of having the latest gaming consoles (Sega 16-bit, Super Nintendo, PlayStation 1-2, Xbox 360) and several different computers (Commodore 64, Amiga, PC).
After completing my gymnasium education, I started with an IT-infrastructure and security education. Shortly after I completed this education, my professional career started; now we are back in 2002. I got an assignment at one of the largest IT companies in the Nordics. My first assignment was focused on Identity & Access Management and IT infrastructure & security. And here we are today, +20 years into my career. Today I work as an Information Security Officer at WirelessCar, a global leader in connected vehicle services.
What’s one question related to cybersecurity that you are frequently asked in your current role?
Throughout my career, when I have been working in cybersecurity management and leadership positions with strategic assignments, the most common question that I have been asked is similar to this one:
“What cybersecurity technologies and products shall we invest in to increase our security posture?”
Still today many organizations fall into the trap of looking at cybersecurity as something that is a thing which is mainly solved with the help of adding or investing in more technology. I totally understand that this is how many organizations choose to approach the challenges, but this approach can also be masquerading some of the symptoms and real challenges.
And this approach also feeds directly into one of the core challenges with cybersecurity and how many organizations choose to approach it.
Adding more technology can in the worst case have the opposite effect.
If an organization for example does not have enough resources to operate all those technologies adequately it will not increase the organization’s security posture. It could also lead to a false sense of security. An organization’s security posture and cyber resilience is a composition of adequate balance between Humans, Processes, and Technologies.
I am by no means saying that technology is not necessary; it is an element that is an absolute must for every organization. We and our organizations exist in an ecosystem that must be supported by technological security controls. But I think that the Human element is what needs the most attention and investment. This is where more time and effort should be placed. This is also where I personally think the majority of the positive effects will come from that increase an organization’s security posture and cyber resilience.
I think that we need to see that Humans are and can be the strongest defensive capability if we make sure to invest the resources necessary. Now I am not only speaking about security awareness, such as phishing tests and social engineering. In general, cybersecurity is something that needs more attention from a business and organizational point of view where the linkage and understanding of negative consequences that come with cybersecurity risks and threats.
Everyone reads about those bad things in the news, what happens to those who are hit by for example a ransomware attack. But I also feel that we do less tailored communication around what a potential actualization may look like in an organization and how the negative effects could play out for the employees, customers, and partners from a business point of view.
Cybersecurity risks are, as I see it, not an actual thing on its own. It is rather a category of a risk type. The only risk that exists is business risk. And it’s from a business and organizational point of view the negative effects and impact will be materialized. Such as for example brand and reputation damage or even worse.
And this is why I think that it’s so important to conduct awareness and training in several different forms and ways. It needs to be made situational and put into a context where each one of us can relate to it. Executive leaders need cybersecurity explained in their context from a business point of view. A technology leader, software developer, accountant, etcetera needs cybersecurity awareness and knowledge applicable that makes sense for them. The strength comes from contextual understanding and how each one of us can contribute to making our organization more secure.
In your opinion, what are the most demanding challenges that ISOs are currently facing in their roles?
It is for sure the accelerated technological transformation and digitalization. As digitalization becomes more and more powerful and the penetration rate gets higher and higher, the demands on digital ecosystems and organizations get more tested. Digitalization provides our organizations with loads of opportunities but these also come along with new risks and threats. Such as for example increased amount of regulatory requirements and new forms of attack vectors that come with emerging technologies.
We have seen this a couple of times throughout history. The latest example is of course AI but this is not the last one. Another emerging threat that is coming is quantum computing and I think it is time to start to create more awareness around the subject. The knowledge related to the quantum threat needs to reach a broader audience. And the same goes for AI and the adventure we are in towards superintelligence.
A couple of years back we had several similar examples, where “the cloud” is one of them. The cloud was categorized as one of those emerging threats that put up new types of security demands and risks on more or less each and every organization. I think there was less preparation and contemplation made, from a cybersecurity point of view, around potential risks and threats related to the cloud.
Let’s get back to the subject of regulatory and compliance requirements, as these are highly correlated with emerging technologies. Regulatory and compliance requirements addressed through different standards and frameworks are usually a couple steps behind in relation to emerging technologies. When new technologies enter the market, those requirements are kind of addressed and need to be applied afterward. And I think this is an area where improvements could be made. We as a cybersecurity industry and community have historical knowledge and wisdom that we should learn from more. Why not use it to our advantage and learn from the past and what is coming in the future to better prepare our organization to take on the current and future challenges?
And this is what also fascinates me, that many organizations and the industry, kind of tend to make the same mistakes over and over. We spend too little time contemplating and planning for the future which in fact is presented to us in a quite clear way. We as cybersecurity people have never been equipped with stronger capabilities than we have available today for preparing ourselves and our organizations against the future…but we fall short on this subject in my opinion. And personally, I don’t think that this form of preparedness needs to be made that advanced. We can learn very much from having conversations within our own organizations and not limit ourselves to looking at a future risk scenario from only the lenses of cybersecurity. Why not have a conversation with other teams, such as for example the research and development team? Or learn from similar industries that are facing the same types of challenges? There is very much that can be done with small efforts that will improve an organization’s future readiness from an overall business and cybersecurity point of view.
The most demanding challenge is also what I find the most exciting with the Information Security Officer role. Being at the intersection between understanding the business implications of technology, emerging risks & threats, and how to support an organization’s overall vision, mission, and objectives from a cybersecurity point of view.
What does working in cybersecurity mean on a practical level, and what kinds of skills/personality traits are an asset in the field?
I am a strong believer that everyone, independent of whether you work in a technical role or not in cybersecurity, needs to have a foundational understanding and knowledge of the subject. This goes to some extent hand in hand with having a form of technical understanding. You do not need to be able to push the buttons or run the commands in a prompt. But you do need to know how things work and fit together. I see this as the foundation for even having certain forms of conversations. If you do not understand or cannot speak with a technical stakeholder, such as for example a subject matter expert or security architect, you will have a harder time making yourself understood or understanding your stakeholders.
And it goes the other way around as well. You cannot only rely on technical skills or being an expert in your domain of expertise. If you cannot make yourself understood, visually and verbally, to your audience you are in a tough spot when it comes to cybersecurity. And this is especially true if you want to take on a management or leadership role.
First of all, if you want to take on a cybersecurity management or leadership role, you need to have strong leadership skills and be able to demonstrate self-leadership and to lead individuals and teams. An accomplished cybersecurity leader also needs to have strong business management skills. This equates to for example communication & stakeholder management, strategic planning, and requirements management. The primary reason is that cybersecurity in an organization is a supporting function. It does not serve a self-existence. The purpose of Cybersecurity is to support the organization to become successful.
To be able to do so, one of the most important skills you need to have is the capability to speak the language of cybersecurity with non-technical stakeholders. You must be capable of leading and communicating with business leaders and influencing those who need to be influenced. This is where some true cybersecurity magic will start to happen from an organizational and business point of view.
Communication skills will never go out of fashion, and they are more or less needed in any cybersecurity role. The reason for this is because cybersecurity is a team sport. It is not a one-man show where you or someone else can go out and do the things on your own. You need to have a strong team in your corner. And to form that team and a common vision, goal, mission, understanding etcetera you need to be able to communicate so that the team and individuals around you understand you and the direction you together are taking on.
In your academic or work career, were there any mentors who have helped you grow along the way? What’s the best piece of advice you have ever received?
I have a hard time pointing out one person who I can say has been my mentor. Throughout my career, I have always surrounded myself with people that I can learn from and who I have found to share my core values in life. Mentoring for me is a two-way street where trust is one of the core elements that enable growth. Without trust that goes both ways, it becomes hard to achieve true growth. Sure, you can always pick up a thing or two from the person mentoring you, but this is for me rather knowledge sharing compared to mentoring.
As I think “trust” is the core element for enabling growth, my advice to those seeking a mentor is to choose a mentor who you can trust. You do not need to pick the one that is the most technically accomplished or someone who knows it all. Pick a person that you trust and who holds qualities that you can learn from. Just because a person is the best in the class or in the world at a certain subject does not mean they are as good as a mentor.
I have a hard time picking up on one piece of advice among all the many great ones I have received from my mentors. I will instead share one piece of personal advice with those reading this article.
Never give up.
Never give up on yourself.
Never give up on your dreams.
Never give up on the people that you love.
Never give up.
If you really want something, go after it. Your plans may change and priorities may shift along the road but never give up on believing in yourself. Develop your own inner capabilities and mental strength to be comfortable taking on any challenge you may face. These capabilities will make you unstoppable. And it is up to you and only you who can make yourself unstoppable. Develop an unstoppable mindset. You decide what this mindset looks like for you. It’s your mindset, you own it and no one else.
You were recently recognized as one of the Top 50 CISOs & Cybersecurity Leaders. Our readers would love to know the secret mantra behind your success.
It was for sure a very flattering recognition that I received and to be listed among such a strong list of individuals. And thank you for recognizing this achievement!
My secret mantra for success is simple: Be yourself, share your knowledge, help others, and be kind. Sounds like a cliché but this is the way I do it. I have never chased or gone after certain recognitions or goals; these forms of achievements have been a result of what I do.
My focus has been and is to create engaging and high-quality content that is free and accessible to everyone. The content that I create has no paywalls, no subscriptions, and no obligations.
And I strongly believe that if you are kind and operate by having a positive attitude and mindset it will for sure help you to become “successful” in whatever you do. Sounds like a hippy thing but usually good things happen to those with good intentions. And it never hurts to be kind or cost anything extra. This is also how people will remember you. How you made them feel and not how many cybersecurity Pokémons or achievements you accomplished. At the end of the day, it is up to each one of us how we want to become remembered and recognized.
What’s a major aha! moment you had related to cybersecurity, either personally or professionally?
My game-changer moment from a professional point of view, with a high carry-over to my personal life, was when I started investing time and resources in improving my leadership skills. I have done my fair share of leadership coaching, through different programs and coaching sessions. Had several mentors. Read loads of books. Countless conversations. Hours of time spent on the subject in the sports world. Coached individuals and teams to improve their leadership skills.
Leadership skills and knowledge are to a very high extent universal. They will add value to any form of situation or organization in your personal and professional life as they are more or less used daily. I truly hope that we will see more and more leadership training tailored towards the cybersecurity industry. In one way I do not think that the skills related to cybersecurity around leadership are unique but the subject as such definitely needs more attention. Strong leadership is, according to my belief, one of those things that is highly underrated but that will improve an organization’s cybersecurity posture and resilience drastically. Just think about it, change strong leadership to weak leadership when it comes to cybersecurity and observe what happens. This is not something that I recommend anyone to do…but it is an interesting thought experiment.
Where would you like to be in the next 5 years?
I see myself continuing the trajectory that I’m currently on. I truly love to work in a strategic position where I can apply my knowledge to add value to my team, colleagues, and company. I enjoy providing my knowledge to those around me and being a part of their growth journey. This is also what I think a big part of leadership comes down to. To make others grow alongside you. To be the person who supports others to find their own long-term plan and how to realize their goals.
At the same time, with the work that I do in the cybersecurity field and community, my hope is that the work I continue doing will lead to an expanded reach in the cybersecurity community and industry to a broader audience of individuals and organizations who can learn from the knowledge I share and hold.
As an effect of the work I do, through the content and knowledge I share, my hope is that I inspire others to do the same. That others out there find motivation and inspiration to share their knowledge and wisdom. To help others grow.
I am forever grateful for all the doors and opportunities that I have been provided with since I started to share my knowledge through the content I create. Like for example this opportunity to do this interview in this magazine.
Which technology are you investing in now to prepare for the future?
The technology I personally invest in to prepare for the future is “myself”. I am one of those people who are on that constant journey to gain knowledge and wisdom. And if there is a technology that I am highly dependent on, it is the one that sits between my ears. My brain.
And to have a brain that functions in the way I need, it comes down to making sure I do all those foundational things. Wellness, eating (somewhat healthy), exercise, spending loads of time with my family & loved ones, and doing stuff that I think is fun and makes me laugh. Technology is cool, but I think “human superpowers” are way much cooler. You become the result of your own investments in yourself.
What advice would you offer others looking to build their career in cybersecurity?
Cybersecurity is a very broad field and there are many career paths to take on. And for all those who are new to the field, don’t be afraid to try things out. A good starting point, maybe a bit subjective as this was the way I went, is to get some hands-on experience in a couple of technical areas. Try it out and explore if this is the path you want to take. If it turns out that you want to do something else, there is always a possibility of pivoting into another role when you are in the field.
And I also think that being curious and trying things out will expand your perspectives on cybersecurity. Multiple perspectives are one of those things that in my opinion make up a highly accomplished cybersecurity professional. As I said, the field is very broad and it will never hurt you, your career, or the customer/organization you support if you have a broad set of perspectives in your backpack.
And the more things you try out, the closer you will come to finding your own area that you thrive in. And do not forget to have fun along the road. Your career is a marathon, not a sprint. Make sure to approach it as a marathon. It will make it more fun and sustainable.