Newly appointed CISO at P27 Nordic Payments: ‘For me, security is trust’

Jimmi Ernberg, P27’s new Chief Information Security Officer (CISO), discusses priorities in his new role, why security is of paramount importance for P27’s success, and why he continues to sleep well at night in spite of a world filled with security risks.

Jimmi Ernberg had never heard of P27 until he received a call from a recruitment firm about a CISO position there, but he was quickly convinced. “The mission, and the services that will be provided to society – the importance of it – that got me intrigued,” says Ernberg. “By the end I thought this is something that I want to do. I want to be part of this journey.”

Ernberg did his due diligence, speaking to CEO Paula da Silva to ensure the company’s security priorities were up to par. “I asked a lot of questions to understand where security fell on the list of priorities at the company,” says Ernberg. “Paula said something to the effect of: the first priority is that the platform should function, and the second priority is that it should be secure. And I understood that for P27 security is not just a layer, which you kind of look at the end, that you really don’t want to add but you have to. Security is part of the core functionality of our services.”

P27 is growing rapidly and leadership is eager to continue bringing in new talent to the organization, so convincing Ernberg was a win for both sides. Ernberg now leads the strategic direction and management of security at the company in the CISO role, which he took two months ago.

Security is trust

“For me security is trust,” Ernberg explains. “The general public, even though they may not interact with P27’s brand directly – for example in Sweden they’ll use Swish – they need to be able to trust the system that makes it work. Our major stakeholders, the participant banks who are part of our infrastructure, they need to be able to trust us and feel that, yes, they know what they’re doing in terms of security. They know how to build something that is secure and robust in the world of today, which is a scary world.”

“I still sleep well at night,” says Ernberg, explaining that he told his management team exactly that the last time they met. “But I am continuously checking news, checking back channels for information, looking at the latest from the authorities. We need to stay on top of this to understand what’s going on out there. We have this on our radar and we’re continuously analyzing the situation to see how it could impact us.”

Structured, risk-based information security

According to Ernberg there’s nothing too exciting about P27’s security work, and that’s how it should be. “It’s structured, risk-based security,” he explains. “Of course if we’re talking about technical aspects, there’s a lot that goes into staying at the forefront of that. But at its essence we’re simply analyzing the risks, understanding those, and then taking good decisions based on that understanding. It’s not more complicated than that.”

There are challenges beyond just getting the technology and risk assessment right, though, according to Ernberg. One pressing challenge of late is the lack of competent people for security jobs. “The area of security right now is an extremely high demand, low supply field, which is a problem for every company in Sweden and in the Nordics right now,” he says. “Everyone is screaming for experience and competence in the field, for people who can hit the ground running, basically, because most companies are in the middle of execution. And there’s just not enough people who can do that right now.”

“That’s a huge problem for companies, but also I would say society at large,” he continues. “We need to make sure that there’s a good influx of people who are willing to learn this field, and I believe that’s going to be one of our biggest challenges going forward.”

Convenience versus security

How about the fundamental challenge of balancing convenience and speed with security, which have traditionally been seen as two ends of a spectrum that require tradeoffs to work together? Ernberg says that doesn’t have to be the case. “Many think of a continuum where you have the most flexible platform on one side and then you have the most secure on the other side and then you have to pick, where do I want to place myself,” he says. “But I don’t see it like that. It’s completely possible to be extremely flexible, fast and secure. It doesn’t have to be one or the other. As a business owner, your aim is of course to provide the best services, the most flexible services. That doesn’t mean that you can’t be secure. You just have to find a way to make it secure.”

Ernberg explains that having the right mindset about security and its importance from the outset is really the key – and this goes back to why he wanted to join the P27 team and help it achieve its mission, because he could see that the organization had its priorities straight. “We are obliged to do certain things when it comes to security,” he says. “But I don’t like to approach it like that. From experience, if you’re forced to do something you’re really not doing it wholeheartedly. So I still want to do the ‘sell’, meaning that if I’m talking to a business owner who owns a critical part of our organization for example, I want them to understand why security is important for them. I want them to understand what impact their decisions can have. And I want them to act wholeheartedly in trying to make their ways of working secure. That’s my security philosophy.”