6 Takeaways from Infosec at Billund Airport

With 4 million annual passengers and 800 employees, Billund Airport is Denmark’s second largest. Most of the staff do not sit behind a computer, but they still rely heavily on information technology and must help protect the airport from cyber threats.

“We’ve been accustomed to physical security for many years, but information security requires a completely different approach, especially when protecting critical systems. Information security is no longer just IT. We’ve organised ourselves cross-functionally, involving both management and several departments,” says Karsten Mochau Laursen.

{{factbox-dark}}

Here are my takeaways from the webinar:

Commercial requirements as a driver 

Several factors drive a razor sharp focus on information security at Billund Airport, including commercial requirements from partners and stakeholders.

Karsten Mochau Laursen says:

“It started when we began receiving commercial demands for information security. Some of our larger partners began including these requirements in their contracts. But if you look back, GDPR also introduced requirements for information security, and even further back, it was IT security.”

Takeaway 1: External factors like the NIS2 directive, media coverage of incidents, and requirements from outside stakeholders help raise awareness about information security. Leveraging all of those to keep infosec in focus is my first takeaway.

Takeaway 2: Information security isn’t just about NIS2 or ISO 27001. It’s wise to broaden the scope to cover GDPR, NIS2, ISO, and contractual obligations. They are different requirements but often met through the same tasks.

At Wired Relations, we call this: “Multiple regulations and frameworks - one sustainable solution”  

Karsten Mochau Laursen explains it as follows::

“If we aim to meet all of these requirements, ISO 27001 will help us. That’s why I want to scope this beyond NIS2. Yes, NIS2 targets critical services, but shouldn’t we aim to protect the whole business?”

Speak the language of business

Karsten Mochau Laursen is hard at work to shift the perception of information security from “something that happens in IT” to a strategic, cross-functional project.

“We need to learn to speak the language of the business. We need to tell them that information security is like insurance. The better insured you are, the quicker you can return to normal operations if something happens.

And that’s the story we need to communicate to management: we’re not doing this to be a nuisance with all the recommendations. We’re doing it to ensure robust operations and to help the business achieve its vision and mission.”

Takeaway 3: It sounds simple, but it’s not. Information security must be translated into strategy. Those of us working in this field are often met with frameworks and regulations: NIS2, ISO, and the like. So, it’s tempting to say, “because NIS2 requires it,” when challenged. But does that approach work?

Book a Pen test

Karsten Mochau Laursen has a very straight forward tip for communicating with management: Book a pen test.

“I’ve learned that it’s hard to get management’s attention. What’s the best piece of advice? If you have a recent pen test that shows where the weaknesses are, you have a strong talking point.”

Party crash meetings…

There is strong competition for the limited time of top management. Karsten Mochau Laursen advises looking at your organisation and trying to integrate information security where top management already meets.

“There will be forums where these people already meet. We can be an add-on to those meetings. Spend 15 minutes during the meeting sharing the latest risk assessments and get approval for policies or incidents that need to be reported. This is where you need to understand your organisation’s structure and see where you can fit in instead of inventing something new,” he says.

Takeaway 4: Everyone wants management’s attention, and most have valid reasons—including information security. But we need to avoid creating new bureaucracy. I love the advice to look at your organisation and identify existing forums to work within.

You’re Not Starting from Zero

Here’s a quote from Karsten Mochau Laursen:

“It’s about finding out where the organisation stands; rarely do you start from scratch. There’s always something happening that you need to build on. Maybe the documentation needs updating.”

Takeaway 5: Fortunately, there aren’t organisations with no security measures at all. If you feel you’re starting from scratch, the good news is, you’re probably not. Start by identifying what’s already working in the organisation, where you already use MFA, conduct awareness training, or backup systems..

Moving Beyond Excel for Clarity

As something of a one-man army, I need tools for support,” says Karsten Mochau Laursen.

It’s essential to have an overview to focus on strategic decisions instead of searching for documents.

“I’ve been looking for a platform, a way to handle this without living in an Excel sheet.”

Learn more about our GRC solution tailored to information security here.

Cultural Change is the Hardest Part

Overall, it’s essential to focus resources on tasks that genuinely advance information security at a strategic level. Karsten Mochau Laursen has no doubt about the biggest challenge.

“Cultural change. It’s the most time-consuming part of this work. It’s relatively easy to acquire a backup solution. But implementing policies, measuring effectiveness, and documenting it—that’s hard.”

Takeaway 6: I have yet to meet an infosec professional who says, “I have too much money and too many people at hand.” It’s all about prioritising resources effectively. Therefore, it’s crucial to think workflows through and support the work with suitable tools.

If you’d like to see a tool that can support your work, book a demo.

We regularly host webinars and publish podcasts and e-books on information security, so it’s a good idea to subscribe to our newsletter, which is released once a month.

‍