21 September 2020


'Strategic leadership in cyber security, case Finland' by Martti Lehto and Jarno Limnéll in (2020) Information Security Journal: A Global Perspective comments 

 Cyber security has become one of the biggest priorities for businesses and governments. Streamlining and strengthening strategic leadership are key aspects in making sure the cyber security vision is achieved. The strategic leadership of cyber security implies identifying and setting goals based on the protection of the digital operating environment. Furthermore, it implies coordinating actions and preparedness as well as managing extensive disruptions. The aim of this article is to define what is strategic leadership of cyber security and how it is implemented as part of the comprehensive security model in Finland. In terms of effective strategic leadership of cyber security, it is vital to identify structures that can respond to the operative requirements set by the environment. As a basis for national security development and preparedness, it is necessary to have a clear strategy level leadership model for crises management in disturbances in normal and in emergency conditions. In order to ensure cyber security and achieve the set strategic goals, society must be able to engage different parties and reconcile resources and courses of action as efficiently as possible. Cyber capability must be developed in the entire society, which calls for strategic coordination, management and executive capability.

The authors argue 

 Cyber security is an elemental part of society’s comprehensive security, and the cyber security operating model is in keeping with the principles and practices specified in Finland´s Security Strategy for Society (2017b). Cybersecurity has become a focal point for conflicting domestic and international interests, and increasingly for the projection of state power (Limnéll, 2016). The challenges of cyber security management are particularly prominent at the level of strategic leadership. 

Cybersecurity is a foundational element underpinning the achievement of socio-economic objectives of modern economies. Digitalization and information societies are ever evolving, and new cyber threats continue to be devised. In this progress, cyber security must form an integral and indivisible part of the nation’s security process. Countries need to be aware of their current capability level in cyber security and at the same time identify areas where cybersecurity needs to be enhanced. It can be said that cyber security is a constant “arms race” between countries, but also between the security community and the hostile hackers. Cybersecurity is a complex challenge that encompasses multiple different governance, policy, operational, technical and legal aspects (ITU, 2018; Lehto & Limnéll, 2016). 

Cyber-attacks, malware, denial of service attacks and different forms of influencing through information are becoming ever more prolific. The reliable operation of telecommunications, information systems and communications are an essential precondition for modern society’s undisrupted functioning, security and citizens’ livelihoods. This is also about maintaining citizens’ trust in a well-functioning society. The development of business continuity management accounts for a large proportion of the security of supply work carried out in the information society sector. Due to this development, improved preparedness for maintaining the functioning of society’s vital information technology systems and structures in the face of cyber threats and incidents is also needed in normal conditions. In particular, it should be noted that Finnish society’s and companies’ dependence on the cyber environment will grow further in the years to come (Lehto et al., 2018). 

The transformational power of ICTs and the Internet as catalysts for economic growth and social development are at a critical point where citizens’ and national trust and confidence in the use of ICTs are being eroded by cyber-insecurity. To fully realize the potential of technology, states must align their national economic visions with their national security priorities. Setting out the vision, objectives and priorities enables governments to look at cybersecurity holistically across their national digital ecosystem, instead of at a particular sector, objective, or in response to a specific risk – it allows them to be strategic (ITU, 2018). 

The national strategic leadership of cyber security consists of two entities: managing cyber security preparedness and managing serious and extensive incidents in normal and emergency conditions. The Security Strategy for Society 2017 discusses a general functional model for leadership and incident management, which describes the relationships between the government’s top management on the one hand, and local and regional level management on the other (Figure 1). Today the Prime Minister’s Office has an important role in coordinating the authorities’ activities and supporting the Government’s decision-making (Security committee, 2017a). 

This article is based on a research we made for the Prime Minister’s Office in 2017–2018 (Lehto et al., 2018). In terms of Cyber Security Strategy implementation and the commitment of different branches of administration, the situation in Finland was different from what it was as the first Cyber Security Strategy was prepared in 2013. The branches of administration had widely recognized the significance of cyber security in their everyday work. While their views of cyber security differed around the time the 2013 strategy was drafted, the world has changed rapidly since its publication. 

This research project prepared proposals for measures related to the management of society’s and public administration’s cyber security, measuring the state of cyber security and preparedness, and managing extensive disruptions in the cyber environment. 

Key research questions examined were the following:

  • What is strategic leadership of cyber security and how is it implemented in the responsibility model for comprehensive security? 

  • How can a general incident management model be implemented during extensive cyber security disruptions? 

  • How should the strategic leadership of cyber security be organized? 

  • How is the management of cyber security in central government structured?