Governing Body Spotlight

Governing Body Member of the Nordic CISO Community

Peter Granlund

Group CISO

If P&C Insurance

Peter is currently the CISO of If P&C Insurance, a position he has held since February 2019. He has been working with information security since the late 90s and has held various security and management positions within the telecoms and financial services sectors.

Give us a brief overview of the path that led to your current role.

My career in information security follows the typical, non-standard path. I studied computer engineering in the late 80s during which the Internet as well as security was pretty much non-existent. For the next few years, I worked as an office machine service engineer, and in 1996 when Windows NT4 and Linux were hot topics, I started computer and network engineering studies. From that point on I felt that this is the future for me.

I worked with signal security in the defence sector for a few years before I landed my first job in IT, working for what was later to become If P&C Insurance, which I joined in early 2000. During my first years, I had various assignments as a technician, project manager and IT security manager. Gradually, I became more intrigued by the dynamics of IT and information security, and I realized that technology alone does not make an organisation secure from IT or cyber security issues, but rather a combination of people, processes and technology coupled with culture and risk management.

What are your guiding leadership principles?

I firmly believe that business stakeholders need to be held accountable for the business's digital risks and that it is not something that can be delegated to IT, security or risk professionals. Digital systems and information are essential for most business processes and functions to operate, and digital risks can therefore not be decoupled from a leader's accountability for the outcome of a business process, function or unit.

As a business leader, one needs to ensure that digital risks are identified and assessed, that the right decision is made on what to do with the risk, and that actions to be taken (stop, accept, mitigate, transfer) are prioritised, budgeted for, executed, and regularly followed up on.

As an IT, security or risk leader, you are not only responsible for operating and managing systems, but you also need to support business stakeholders in understanding potential risks so they can make informed decisions. 

With disruption being a key theme of the past few years, where do you see your role as a CISO going in the next 1-2 years?

I think the emerging "second line" CISO as an advisory role to boards and top management will accelerate over the coming years. The story behind this is the convergence of several factors, such as the pandemic fueling the digitalization of organisations, the quick adoption of Agile operating models having less centralised control of security, the increase in geopolitical- and cybercrime-driven cyberattacks, and the emergence of several EU regulations on digital resilience and cyber security focusing on security governance, risk and compliance.

What advice would you give to someone just starting out in the role as a CISO?

Ensure that the role has a mandate matching the accountabilities and responsibilities. No matter how the organisation expresses the CISO's role and responsibilities, from an organisational governance and legal point of view, the CISO is not to be Batman but Robin. If a CISO is positioned as Batman, but has the mandate and resources of Robin, it is set up for failure and burnout.

Tell us three fun facts about yourself.

  1. I started alpine skiing in kindergarten, but have never been skiing in the Alps.
  2. I have practised the Japanese martial arts of Iaido (the way of the samurai sword) and Jodo (the way of the stick), as well as taught beginners.
  3. I've fiddled with home automation in recent years, making my family somewhat frustrated when I introduce new, cool technology that makes them unable to turn on or off the lights in different parts of our home.

What is the value of joining an Evanta community?

I really like the open sharing of information between peers, and that Evanta sets up the community to gather input on topics of my interest and challenges. Also, I think the mix between summits and town hall sessions is well-balanced, and not interfering with my daytime work or schedules.

Evanta Governing Body members share their insights and leadership perspectives to shape the agendas and topics that address the top priorities impacting business leaders today.
