e-Crime & Cybersecurity Congress Nordics - Helsinki

Re-defining the CISOs’ mandate: why resilience changes everything

28th January 2026 • Scandic Grand Central Hotel, Helsinki, Finland

In resilient organisations, does security come second? If so, what changes for technology, people and process?

 

Can you pass the ransomware test?

The “ransomware test” is deceptively simple: if attackers encrypted your systems tonight, would your organisation still be standing tomorrow? For almost every enterprise, the answer is negative. This truth is uncomfortable, but it is the only starting point for a serious conversation about cybersecurity.

Too often, organisations approach cyber risk as a collection of tools, frameworks, and buzzwords — EDR, IDAM, zero trust, Cloud security — without reference to what truly matters: the business itself.

The centre of gravity for security must shift. Instead of trying to secure everything, CISOs must lead efforts to identify and protect the minimum viable business (MVB) — the processes, systems, and assets without which the organisation ceases to function.

This shift in mindset also requires a technical transformation. Security must be embedded within broader operational risk strategies, resilience must be prioritised alongside prevention, and in some cases the “perimeter” must be rebuilt — not around the whole enterprise, but around its most critical core.

But neither resilience nor security can be effective without visibility into what really matters. Yet few organisations have mapped their MVB — the minimum set of processes, assets, and systems required to keep the enterprise alive.

Firms need service and dependency discovery. Only then can CISOs apply breach and attack simulation (BAS) tools to model attacker pathways into MVB components and figure out the architectures and tooling they need. Only then can they look at OT/IT threats to dependencies on physical infrastructure (power, HVAC), regulatory processes and external feeds.

But it’s not the CISO’s job to do all this. They should be able to ask, “Which processes, if destroyed, make us non-viable?” If no one can answer, the security strategy is already blind.

This also means firms must shift from generic security to core protection – and accept that core protection will impact the business. Sacrifices have to be made to secure Tier 1 assets and processes, and a refusal to do so simply means that companies explicitly risk-accept the possibility of a truly material security incident.

This shift from security to resilience isn’t just technical — it’s cultural. Who can answer:

• Who has mapped the MVB in your organisation, and how recently?
• How much of your security budget protects Tier 1 assets/processes versus “everything else”?
• How many full recovery drills have included the executive committee?
• Can critical processes operate manually, even for a short time, if IT fails?
• Are you prepared to trade efficiency and flexibility for fortress-style protection?

The resilient enterprise may still want strong security, but it doesn’t depend on it for survival. That is the difference between security as a collection of tools and security as a business enabler.

For CISOs, the challenge is stark: embrace this new paradigm or continue pretending that securing everything is possible. The first path leads to resilience and credibility. The second leads to inevitable failure.

 

The e-Crime & Cybersecurity Congress Nordics will look at how the collision of cybersecurity, business, economics and politics affects cybersecurity professionals on the ground.
Join our real-life case studies and in-depth technical sessions from the most sophisticated teams in the market.

  • What do regulators really want?

    • It’s always easier to get budget for things that are compulsory, and cybersecurity / resilience regulation is introducing more and more mandatory requirements.
    • But how do those requirements translate into people, process and technology?
    • And does resourcing only for the regulatory minimum leave organisations vulnerable?
  • Pen testing for OT / SCADA

    • Testing is key to identifying and fixing vulnerabilities before they're exploited. 
    • Regulations like NERC CIP require utilities to assess and mitigate risk. 
    • Testing checks OT security controls are functioning properly and shows regulators an organization's commitment to security. Can you help?
  • Transitioning OT to the Cloud?

    • OT traditionally was localized in particular sites and air-gapped from IT systems.
    • But connectivity with broader corporate networks and the need to manage technology more centrally (especially during COVID) has seen companies looking at managed services in the Cloud for OT.
    • Is this a way forward?
  • Achieving visibility across ecosystems

    • From exposed initial access points such as warehouse management systems to complex machine control software, simply understanding your device and application landscape, its connection and data flows and dependencies is a huge challenge.
    • Can you help with asset tracking and endpoint visibility?
    • And what about anomaly detection after that?
  • Dealing with regulations

    • CISOs now must build a single coherent security program that simultaneously satisfies divergent regulatory demands.
    • They must interpret vague legal standards into technical architectures, and they risk non-compliance if auditors, regulators, or courts interpret those differently later.
    • They face unrealistic expectations around incident reporting and they face personal liability. Can RegTech help?
  • Adversary simulation and behavioural analysis

    • Automated adversary simulation tools identify telemetry blind spots.
    • They provide prioritized remediation guidance and control effectiveness metrics. They track progress trends and validate security ROIs as well as providing board and audit reporting.
    • How well do they work in practice?
  • The power of automation

    • There’s too much manual intervention in security. SOAR pulls data from SIEMs, EDRs, firewalls, cloud APIs, ticketing systems, threat intelligence feeds, and even email servers.
    • It also coordinates actions across tools via APIs and prebuilt integrations and intelligent playbooks.
    • Well, that’s the theory. How does it work in the real world?
  • Improving continuous attack surface discovery

    • You need to know what attackers can see and what they can actually attack – and you need it on a continuous basis, not in some static inventory.
    • Ideally you also need assets ranked by risk priority and put into the current threat and vulnerability context.
    • Is this feasible and is it cost effective?
  • Security Posture Management

    • Traditional vulnerability scanners don’t handle cloud native architectures well.
    • Today’s cloud environments spin up thousands of ephemeral assets without a traditional OS, without an IP address for long.
    • So how do you adapt to that dynamic, API-driven reality? How can traditional tools connect the dots – not just generate tickets?
  • Defending against the latest ransomware variants

    • Ransomware is effective precisely because it can exploit whatever weaknesses exist in your security architecture and processes.
    • The threat and the actors are constantly evolving, and that evolution is forcing the hand of the government and causing havoc in the insurance market.
    • What can CISOs do to better defend against ransomware?
  • Making the most of AI and ML

    • If the practical realities of business make conventional zero trust ideas impractical for most organisations, then what else?
    • Some say that AI and behavioural analysis are better suited to a world where perfect data and visibility are unavailable.
    • But are they right? And don’t these solutions only pick up problems after they have occurred?
  • Developing the next generation of security leaders

    • If cybersecurity is to change to meet the evolution of our digital world, then so must those who implement it.
    • CISOs cannot cling to an IT paradigm and companies must move away from hiring on false pretences (on budget and commitment) and firing at the first breach.
    • What does a next-gen CISO look like and are you one of them?
  • Cybersecurity as a service: the pros and cons

    • MSSP, MDR, CSaaS – all of these offer varying degrees of outsourced cybersecurity services
    • So when does it make sense to outsource?
    • And what outsourcing arrangements make sense for which firms?
  • Cybersecurity for SaaS/IaaS/PaaS

    • Most companies’ core reliance is now upon a small number of monolithic application suites and Cloud services
    • In addition, they are likely to be developing their own software in the Cloud
    • These and other changes fundamentally alter the IT landscape in which cybersecurity operates
    • So do CISOs need a new model for cybersecurity and are legacy solutions still valid?
  • Why zero trust, isolation and segmentation are key

    • There has been a shift in recent attacks away from the theft of data – now threat actors are concerned with interrupting all operational activity.
    • It is now critical that business functions are separated, and that internet access to OT networks is limited.
    • Can security teams keep up with sophisticated foes? 
  • Making the best use of threat intelligence

    • In a pre-emptive security model, timing is everything — success depends on detecting and neutralizing threats before they become active incidents.
    • To do this, security operations can't just rely on internal telemetry (e.g., endpoint or network logs).
    • They need external, real-time context about emerging threats — where do they get it?
  • Building a next gen security architecture

    • How do you efficiently manage multiple vendors, tightly integrate security controls and bridge the gap between network and security teams?
    • One answer is to reengineer your security architecture
    • So, what do efficiency-oriented security architects think is the best paradigm?
  • OT and the regulations

    • DORA, NIS2 and other regulations put more responsibility for resilience on firms deemed important or critical.
    • Many have focused on IT networks, but the regulations cover all resilience, and so OT environments matter.
    • What does this new emphasis from regulators mean practically for OT security?

Who attends

Job titles

CISO
Security Lead, GRC
Chief Information Security Officer
Security Specialist
Cyber Security Analyst
Adviser
Service Owner
Chief Information Security Officer (CISO)
CIO
CISO
Senior Threat Intelligence Specialist
Cyber Security Architect
IT Governance Specialist
Cyber Security Specialist
BISO
IT Project Manager
Security Engineer
Senior Business Risk Manager
Business Information Security Officer
IT Director
Cyber and Information Security Awareness and Communication Expert
DevSecOps Architect & Security
Information Security Manager
Head of Security Assurance
Solution Architect
DevSecOps Lead, CISO
Head of Security Assurance
Regional Information Security Officer (RISO)
Business Information Security Officer
Head of IT security
Head of Cyber Security
Head of Cybersecurity Programs
Security Officer
Head of Security Assurance
Red team security specialist
Information Security Manager
Cyber Risk Manager
CIO
IT Manager
IAM Solution Architect
Business Information Security Officer
Project Lead, Cybersecurity Awareness
Head of Financial Crime and Cybersecurity
Senior IT Specialist (Security)
Specialist
Cyber Security Specialist
Enterprise Architect
IT specialist
Information Security Officer
IT Security Specialist
Security Assurance Manager
Senior Security Officer
Information Security Officer
Head of Operational Risk & Security Control
Head of ICT Security
Head of Security
Cloud Architect
Information Security Specialist
Information Security Officer
Associate Director, Chief Information Security Officer
Senior IT Security Specialist
Head of IT Security
CIO
General Secretary
Information Security Architect
Domain Manager, Product and Operations
Data Security Specialist
Director, Cyber Security
Solution Developer
IT Cyber Security Specialist
Cyber Security & Privacy Manager
Information Security Manager
Information Security Manager
Senior OSINT Specialist
Head of Unit
Director Cyber Security & Common Infra Services
Head Of Security Operations & Quality
COO/CIO
Senior Security Expert
Cloud Computing, Cyber Security and Test Automation
Senior Information Security Officer
Director, Customer Cyber Solution Design
Global CISO
Manager, Information Security
Group CISO
Director, InfoSec & Engineering
Director, InfoSec & Engineering
Head of Information Security
Information Security Analyst
Chief Business Continuity and Security Manager
Security advisor
Information Security Manager
Chief Information Security Officer

Companies

Okmetic Oy
Wolt
Nobia
Ericsson
Elisa Corporation
Bank of Finland (Suomen Pankki - Finlands Bank)
Nokia Technologies
Ahlstrom
NATO
Euroclear
Nordea
Fiskars Group
OP Financial Group
University of Helsinki
Posti Group Oyj
Delivery Hero
Midaxo
Nordea
Nordea
Sweco AB
Nordea
Terveystalo
Terveystalo
Volvo Group
Ericsson
Midaxo
Delivery Hero
Handelsbanken
Nordea
Lunar
Fortum
Hitachi Energy
Nordea
Ericsson
Volvo Group
European Chemicals Agency
Fiskars Group
Lidl Suomi
Sandvik AB
Fortum
Nordea
Aalto University
Finanssiala ry - Finance Finland (FFI)
Nordic Investment Bank
Ministry of Justice - Finland
OP Financial Group
Uponor Corporation
Neste
University of the Arts Helsinki
St1 Nordic Oy
Monese
Nordea
RELEX Solutions
Nordic Investment Bank
Neste
Sweco AB
Nokia
Metropolia University of Applied Sciences
Vaisala
Nordic Investment Bank
Nordea
If P&C Insurance
TA-Yhtiöt
Digi- ja väestötietovirasto (Finnish Digital and Population Information Agency)
Finnvera Oyj
ASSA ABLOY Group
Tampere University
Uponor Corporation
If Insurance / If Skadeförsäkring
Neste
Nokia Technologies
Suomen Punainen Risti, Veripalvelu (Finnish Red Cross, Blood Service)
Remedy Entertainment Plc
Nordea
Ministry of Foreign Affairs - Finland
Nokia Technologies
Posti Group Oyj
Port of Hanko Ltd
Telia Company
Nokia Technologies
SOK
Elisa Corporation
Transcom
SOK
Mandatum Life
Terveystalo
Terveystalo
Helsingin kaupunki – Helsingfors stad – City of Helsinki
Live Nation International
Nordic Investment Bank
Posti Group Oyj
SD Worx Finland
Enfuce

Industries

Hardware
Food/Beverage/Tobacco
Retail
Hardware
Telecommunications
Banking
Electronic/Electrical Equipment
Manufacturer
Association
Banking
Banking
Manufacturer
Banking
Education
Transportation/Shipping
Food/Beverage/Tobacco
Software
Banking
Banking
Industrial Engineering
Banking
Healthcare Services
Healthcare Services
Automobiles/Parts
Hardware
Software
Food/Beverage/Tobacco
Banking
Banking
Banking
Electricity
Electricity
Banking
Hardware
Automobiles/Parts
Commercial Chemicals
Manufacturer
Retail
Construction
Electricity
Banking
Education
Banking
Banking
Central Government
Banking
Construction
Oil/Gas
Education
Oil/Gas
Banking
Banking
Software
Banking
Oil/Gas
Industrial Engineering
Electronic/Electrical Equipment
Education
Electronic/Electrical Equipment
Banking
Banking
Insurance
Real Estate
Central Government
Banking
Electronic/Electrical Equipment
Education
Construction
Insurance
Oil/Gas
Electronic/Electrical Equipment
Healthcare Services
Software
Banking
Central Government
Electronic/Electrical Equipment
Transportation/Shipping
Transportation/Shipping
Telecommunications
Electronic/Electrical Equipment
Retail
Telecommunications
Software/Hardware
Retail
Insurance
Healthcare Services
Healthcare Services
Regional Government
Travel/Leisure/Hospitality
Banking
Transportation/Shipping
Software
Banking


Venue

Grand Central Helsinki

Scandic Grand Central Helsinki
Vilhonkatu 13
00100
HELSINKI

+358 300 308401