Main areas of expertise are related to establishing a secure end-to-end communication environment for the customer's use case, but typically this also requires establishing the full security culture – including defining, implementing, training and auditing the corresponding entities.
In practice, that requires attention to the following areas, which are highlighted in the security certification process:
1. Risk Assessment and Management
Identifies potential risks to an organization’s assets, systems, and data. Involves assessing threat likelihood, vulnerability severity and potential impacts to create mitigation strategies.
2. Cybersecurity Strategy
Development of a comprehensive plan to protect digital assets. This includes creating policies for access control, incident response and network security, tailored to the organization’s needs.
3. Incident Response and Recovery
Planning and preparing for security breaches. This includes defining steps for detection, containment, eradication and recovery to minimize impact on operations.
4. Vulnerability Assessment and Penetration Testing
Evaluating systems for potential vulnerabilities through regular scanning and testing. Penetration testing simulates attacks to identify exploitable weaknesses before they can be targeted.
5. Compliance and Regulatory Guidance
Assists organizations in meeting legal and regulatory requirements (e.g., GDPR, HIPAA, PCI-DSS) through guidance on data protection, security practices and reporting standards.
6. Identity and Access Management (IAM)
Focuses on ensuring only authorized individuals have access to critical resources. Involves implementing policies for user authentication, authorization and monitoring of access activities.
7. Cloud Security
Provides strategies and tools to secure cloud environments, including data encryption, identity management, and secure configuration, tailored to the specific cloud provider and deployment model.
8. Security Awareness Training
Educating employees on security best practices, common threats (e.g., phishing), and organizational policies to reduce human-related vulnerabilities.
9. Application Security
Involves securing software applications throughout the development lifecycle. Includes code review, secure coding practices, and software testing to prevent vulnerabilities.
10. Physical Security
Protects physical assets, facilities, and personnel. This may include access control systems, surveillance, and facility security assessments.
11. Business Continuity and Disaster Recovery (BC/DR)
Ensures critical functions continue during and after a disruption. Covers backup planning, data recovery and systems redundancy to minimize downtime.
12. Data Protection and Privacy
Focuses on securing sensitive data, especially personally identifiable information (PII). Involves encryption, data masking and data handling policies.
13. Third-Party and Supply Chain Risk Management
Evaluates the security practices of partners, vendors and suppliers. Assesses potential risks associated with integrating external entities into the organization’s network.
Each of these areas supports a customer organization's security posture, helping prevent breaches, protect assets, and ensure compliance with industry standards. I have experience extending over several decades in each of these topic areas.


CISO, Co-Founder
Chairman of the Board
NorthBase Oy
jari.mononen (at) northbase.fi