Navigating ISO 27001 and cybersecurity management | Guest Gry Evita Sivertsen

Get your FREE 2024 Cybersecurity Salary Guide: https://www.infosecinstitute.com/form/cybersecurity-salary-guide-podcast/ 

Today on Cyber Work, Gry Evita Sivertsen, a consultant and COO with extensive ISO 27001 experience, joins us. Sivertsen shares how an early job in the Philippines ignited her cybersecurity career and discusses her approach to open dialogue for managing risks within a company. We delve into the ISO 27001 framework and its relevance, along with tips for becoming an ISO 27001 auditor, trainer or implementer. Sivertsen also highlights her journey from a cybersecurity manager to a leadership role at Grittera Security, underscoring the importance of good communication and practical experience in the field. Plus, she has insights into preparing for different roles in information security and the significance of training young women in tech through her volunteer work.

00:00 - Introduction to Today's Episode
00:15 - Gry's Early Career and ISO 27001
01:15 - Cybersecurity Job Market Insights
02:02 - Welcome and Guest Introduction
03:37 - Gry's Journey into Cybersecurity
06:27 - Understanding ISO 27001
14:00 - Roles and Responsibilities in Cybersecurity
19:27 - Transition to Consultancy and Leadership
26:25 - Advice for Aspiring Cybersecurity Professionals
36:05 - Empowering Women in Tech
41:26 - Conclusion and Career Advice
45:07 - Outro and Resources


[00:00:00] Chris Sienko: Today on Cyber Work, I spoke with Gry Evita Sivertsen, someone who describes herself as, quote, "an ambitious soul wrapped in a cloak of ISO 27001 experience." She's a consultant and COO and before that, she spent years as a Cybersecurity Manager. Gry shows how an early experience in the Philippines shaped her cyber security career, 

[00:00:20] Gry Evita: got the role because they were looking for Norwegian speakers, but it was located in the Philippines. It was a regular IT support for a lot of different companies. 

[00:00:29] Chris Sienko: why she learned not to be just a cyber manager for her team, but for the whole company, 

[00:00:34] Gry Evita: So instead of me sitting and stating now we need to do X, Y, instead have this open dialogue where you're showing why there is a risk in place, what the threat really is, and then discussing with them. So what could we do to kind of avoid or reduce the likelihood of this happening?

[00:00:53] Chris Sienko: And of course, we talk the ins and outs of the ISO 27001 framework, and how you can get started on the path of becoming an ISO 27001 auditor, trainer, or implementer, whatever you want. 

[00:01:05] Gry Evita: If you have these skills and have used them, it can be good to offer that competence to other companies in need. 

[00:01:13] Chris Sienko: That's all on today's episode of Cyber Work. 

The IT and cybersecurity job market is thriving. The Bureau of Labor Statistics predicts 377,500 new IT jobs annually. You need skill and hustle to obtain these jobs, of course, but the good news is that cybersecurity professionals can look forward to extremely competitive salaries. That's why Infosec has leveraged 20 years of industry experience, drawing from multiple sources to give you, Cyber Work listeners, an analysis of the most popular and top-paying industry certifications. You can use it to navigate your way to a good-paying cybersecurity career.

So to get your free copy of our cybersecurity salary guide ebook, just click the link in the description below. It's right there near the top, just below me. You can't miss it. Click the link in the description and download our free cybersecurity salary guide ebook.

Your cybersecurity journey starts here.

Now let's get the show started.

[00:02:09] Chris Sienko: Welcome to this week's episode of the Cyber Work podcast. My guests are a cross section of cybersecurity industry thought leaders. And our goal is to help you learn about cybersecurity trends, the way those trends affect the work of infosec professionals, and leave you with some tips and advice for breaking in or moving up the ladder in the cybersecurity industry. My guest today, Gry Evita Sivertsen, describes herself as an ambitious soul wrapped in a cloak of ISO 27001 expertise. She brings many years of experience in information and cybersecurity as in-house head of information security, a senior advisor for several companies and a leading role in Grittera.

Her toolbox of experience and competence is considerable. As she puts it, quote, "Information security is not about creating a document to be put in a drawer. It's about solving a complex puzzle to connect the dots and find the missing pieces to create real value." So outside work, Gry loves to spend time with her friends and family and is passionate about women in tech. And she takes part in volunteer work around this, including mentoring, creating events and more. Uh, so I've wanted to talk to Gry because I am very interested in her career history as well as, uh, her work with the ISO 27001, uh, framework. And I'm looking forward to hearing more. So hello, and thank you for joining me today from Norway.

Gry, welcome to Cyber Work.

[00:03:27] Gry Evita: Thank you so much for having me here, Chris. Really happy to be here, 

[00:03:31] Chris Sienko: Ah, so glad to have you, um, uh, been long in the making and I'm, I'm glad we were able to make it work here. So, uh, to help our listeners get to know you a little better, could you tell us about how you first got interested in computers and technology, information security and cybersecurity? I know, I don't know about Norway's educational practices. So I'm wondering if this is something that was like required in school, or did you find this interest in machines and securing them before that?

[00:03:56] Gry Evita: Yeah. So, uh, information security and cybersecurity is not really required in school. So how I got into it first with, um, uh, IT and computers was that, uh, after high school, I wanted to take a year off to kind of figure out where, what I wanted to do next. I saw this really cool work opportunity in the Philippines, Manila.

And I kind of wanted to travel abroad and live somewhere else. So the job was related to IT, but I applied anyway, not really knowing much about it. Was lucky to get the role, and that was my first introduction to it. And that's also what motivated me to continue to do a degree in computer engineering.

So with computer engineering, it was a lot related to programming and a bit more other topics. But, uh, my bachelor thesis, uh, was about, uh, companies, networks, and hacking, and that's what really opened my eyes to the field of information and cybersecurity. 

[00:05:03] Chris Sienko: Really cool. Now, how did you find out about this opportunity in the Philippines?

[00:05:08] Gry Evita: Through my sister. So she had seen it and sent it to me. 

[00:05:13] Chris Sienko: Uh, yeah, that's really amazing. Cause that's, that's such a big, you know, to sort of lift yourself up at that age and transplant yourself. Did you, you had to go to the Philippines to do the work, I assume. Right?

[00:05:25] Gry Evita: Yes. I was living in the Philippines for one year. 

[00:05:28] Chris Sienko: Wow. Okay. So what, what would, what can you give me some of the aspects of what the job was like, what I'm assuming, like, like you said, you didn't really, you kind of took it as an opportunity, despite lack of IT experience. Uh, like how much did you have to kind of learn in the moment? And what was that like?

[00:05:43] Gry Evita: Uh, so, um, uh, I got the role because they were looking for Norwegian speakers, but it was located in the Philippines. It was for a company named CGI, and it was a regular IT support for a lot of different companies. So the typical phone line, they call in, something isn't working. Often the solution being trying to restart the computer.

And if not, we had like this full library where we could search for like common incidents and kind of guide them through how they could resolve it. 

[00:06:16] Chris Sienko: Okay, that's good. So there, there was something of a flow chart there. You weren't having to solve every single problem for the first time.

[00:06:22] Gry Evita: No, luckily. 

[00:06:23] Chris Sienko: Okay. 

Yeah, no kidding. So, uh, awesome. So, um, in your LinkedIn bio, like you said, and as he said in the intro, you described yourself 27001 experience. Uh, and indeed you have a number of ISO 27001 implementation, trainer and auditor certifications in your toolbox. So we talk about this, uh, framework ISO 27001 on the podcast sort of regularly, especially in the way that certain practices or certifications are ISO 27001 compliant. But I'm wondering if you could tell us about the ISO 27001 information security standard, and specifically what interested you in it and how this immersive study in it can shape the direction of a cybersecurity student's career roadmap.

[00:07:06] Gry Evita: Yes, definitely. So, um, I was first introduced to ISO 27001 when I was working in house in a SaaS company where the customers started setting requirements for the company to get ISO 27001 certified. So connected with my interest in cyber and information security, I was so lucky to kind of take on this project, uh, and what I really liked when I started to learn more and more about the standard is first that it was globally recognized as the best practices.

Uh, and also when you kind of get the full perspective of it and understand how it's much more about creating value and making those organizational changes to work more efficiently and securely rather than just, uh, all these different types of technical controls that most people will associate with cyber and information security.

I really like the connections there all the way from strategy to understanding the biggest risks within a company and so on. And for students, I think it's one of the most valuable things to kind of get some sort of understanding or perspectives towards. Because of it being globally recognized and especially now in Europe and Norway, we see a lot of requirements towards the standard with the changes in regulatory requirements, the easy route or not easy, but the logical route is often done to pursue this certification.

[00:08:45] Chris Sienko: Yeah. Now, uh, yeah. Can you, can you speak to that as, as, as something to learn, as opposed to, like you said, some of the more specialized ones like that now, how does, how does that vary? Is it, I guess, I guess I'm trying to understand, like, what's the sort of the first thing you learn as you start learning ISO 27001 and, and what, what are the first things you're looking for as you're trying to make like an organization compliant to the standard? And how does that maybe, um, differ from say, you know, some of the other big, you know, security frameworks?

[00:09:17] Gry Evita: Um, yeah. So with the ISO 27001, I think the first is kind of understand that the difference in the series because you have 27001, that explains how you build a management system for information security. So that is everything from strategy to the risk assessment, management meetings, following up, and so on, the plan-do-check-act cycle.

And then 27002 is a list of 93 controls that are best practice or kind of the risk mitigating activities that you should take on. And 27005 being for how to do good information security risk assessments. And one of the main things that happens to newcomers starting to work with the ISO is that you invest so much time in 27002.

So all of these 93 controls thinking you have to implement all of them and fully comply. Uh, and then you'll kind of get frustrated because some of the things won't make sense to your company. It's not logical to like the main thing to focus on 27001. The short piece on how to actually build an effective management system that meets the need of your organization and your context.

And based on that, naturally, the controls will fall into place. 

[00:10:43] Chris Sienko: Yeah. I imagine it's like trying to learn a language and just reading like that language's dictionary from cover to cover. It's like, you're not, you're not going to use most of these words all the time. Uh, you just gotta have to use the pieces that apply to you. And I suppose none, but the most complex company is going to need all 93, uh, controls at, at one time.

Right. So, um, so I want to ask, I guess about where ISO 27001 certification and study comes within like the overall beginning study of different types of information security and cybersecurity, because you're essentially using this knowledge to help an organization analyze its existing information security framework and explain the places where it needs to be brought up to speed to be compliant. So is this something you start to learn only rudiments of information security? Or do you kind of learn it in parallel if you want to do that kind of work with, say, like, you know, basic routing and switching or, you know, security functions and things like that?

[00:11:44] Gry Evita: So both is definitely possible, but you're going to get much more value and to really understand you're going to need that practical experience. So one thing is to kind of understand the material in the book. It's kind of like school, like you go to school, you learn all these great things, you show that you can learn, you have this base knowledge, but then when you start working, like it's completely different.

There are so many other things to take into consideration. So it definitely needs to be mixed with that practical experience. And also for ISO training, they offer a range of different ones. So you can even start with like foundation that is kind of understanding the basic terms to further go on to like lead implementer that you can lead a project, implementing it and so on.

[00:12:38] Chris Sienko: Nice. Now. Yeah, I guess that was kind of my next question. And I promise I'll get to your work history in a moment. But I have one more ISO question here. I know that you have certifications for several types of ISO 27001 functions, uh, you're certified for auditing and training and implementing. Uh, so what type of work do people with these different distinctions of ISO knowledge and certification tend to do?

Like what kind of job or career doors can be opened if you demonstrate strong skills in each of these areas?

[00:13:07] Gry Evita: A lot. So, um, one is definitely consulting. If you have these skills and have used them, it can be good to offer that competence to other companies in need. If not, there's endless possibilities in how to so. If you're going more towards management, like chief information security officer or information security manager, risk management and so on, that these skills will be very good to have. 

[00:13:38] Chris Sienko: So, uh, thank you for that. Uh, I wanted to have you on the podcast today because our, you know, our listeners have said that they get a lot of value out of learning about the different cybersecurity job roles they could be working toward, uh, and to make sure that, you know, they actually want to do that path early on and make sure that that job role sounds like something that would, you know, match well with their interests and skill specialty.

So, uh, for just over a year now, you've, uh, were a cybersecurity manager and previously you were senior manager with PwC Norway, a company that offers a range of security advisory services. And, uh, since we started speaking, um, you've transitioned to another job role since June 2024, uh, you've been head of, uh, Grittera Stavanger and COO of security. So I wanted first ask you about your role as security manager and then your responsibilities it. You know, the definition our organization gives for a security manager: you're a senior-level IT professional who plays a major role in creating corporate security strategies and supervising information security staff. Does that sort of map to your roles or responsibilities or can you talk about some of the common tasks, projects and responsibilities that you do as a security manager?

[00:14:49] Gry Evita: Yes, so when I was working as a security manager or head of information security in house, I had the overall responsibility within the company for anything related to information and cyber security. Thank you. What came into that for me was to get the ISO 27001 certification, help get the processes well documented and established to ensure that information security was incorporated and considered, doing the risk assessments to always know the highest risks mitigation strategies.

I was doing the board reporting on security, and one of the really great things with working with information security is that you get the opportunity to work with all departments within a company because security or information security is not something that's silo-based or outside. It's about the information flow and securing the information in everything that the company is doing.

So it's about understanding how does HR work? How do they work in the finance team? How are we doing developments and so on? And then using them, the competence and controls that are best practice for information security to ensure that's adapted.

[00:16:14] Chris Sienko: So, yeah, so when you say you're a security manager, you know, I suppose the first thing people might think is that you're simply managing the security team, but in certain ways, you're, you're kind of managing aspects of the whole company. So, can you talk about some of those interactions with HR and other departments and things like that? Like, what are some of the managerial skills that you have to have to sort of make sure that they're on board with the things that the ISO or your own suggestions, you know, if they, if you have to make a big change to the way that they do their security, like, how do you get them on board like that?

[00:16:50] Gry Evita: So I'm very fond of good communication, and I think it's really important here when we're doing risk analysis and assessments and we identify these risks. So instead of me sitting and just kind of stating now we need to do X, Y, instead have this open dialogue where you're showing why there is a risk in place, what the threat really is, and then discussing with them.

So what could we do to kind of avoid or reduce the likelihood of this happening? And that way they feel way more involved. They want to come with their ideas. They will better understand their processes, how their day-to-day work. So as soon as you involve them and get their input and kind of combine their understanding of their working roles, but your understanding of information security and best practices will get way more motivation towards actually getting those controls and measurements in place.

[00:17:52] Chris Sienko: Okay. I want to, hopefully this is not a, uh, you know, this is this is an actual distinction here, but I what this made me think of is I've spoken to past guests regarding like risk management role risk analysis and a lot of things that they'll say are, you know, they're making suggestions regarding risk strategies the understanding that their company can just as well, uh, not take them. They can say, you really have to do this. You really have to do this. And they say, okay, fine, but we're not going to do that. And you say, well, my work is done here. Whereas I think with a security manager role like this, and especially when you're working with the dictates of something like, like ISO 27001, uh, I'm assuming that you don't really have that kind of laxity to say, well, you should do this, but if I can't stop you, if you're not, so is, is this something like that where you really have to kind of have, you know, sort of be a little more insistent that you absolutely have to make these changes in order to come into compliance with this?

[00:18:54] Gry Evita: No, definitely. And this is where like accepting criteria has come into place. Uh, so if like a risk assessment has been done, this risk is like really high. It's non acceptable. Uh, and somebody were to like deny doing anything towards it, of course it would be escalated and they would just have to, have to do it.

Oh, 

[00:19:16] Chris Sienko: Okay. Yeah. So you're going to have to step in and flip the switch for them if they won't do it. Yeah. Um, okay. So that's, that's great. Uh, I think that that really does explain some aspects of security management there. Now, can you, uh, compare that to your current role, roles and responsibilities as head of Grittera Stavanger and COO of Grittera Security?

[00:19:35] Gry Evita: Definitely. So after working in house, as you mentioned, I changed to become a consultant. So first for PwC and now I'm at Grittera. So Grittera is a consultancy house in Oslo in Norway. Started off in 2020, uh, and then I was so lucky to get the opportunity to start a new department for this company in the city where I live, Stavanger.

Uh, what's really different now, also taking on the role as COO of Stavanger. Security is to have that full overall responsibility and with in total being quite a new company. It's just about using the creativity and kind of challenge maybe how things are done other places and look for the best ways to make success and grow the company.

So a lot of new responsibilities, like first I had to find an office space. Uh, started out from, uh, working from home. Now I'm in an office space. So that's great. Also looking for people to join the team. And, uh, I'm also still working as a consultant. So I'm working with different companies with, uh, with their needs towards information security.

[00:20:57] Chris Sienko: Can you contrast, uh, things you like or dislike about being a COO versus being a security manager? Because like you said, you're, you're definitely working one level up and you're, and I suppose there's probably a little less of the, um, you know, putting, a in tab, you know, B or whatever, like you're, you're not, you're not working to these, these kinds of specifications that the ISO provides you.

You're, you're kind of abstractly thinking in terms of overall operations under your, your own sort of ideas. Was that a big change for you?

[00:21:29] Gry Evita: Now. So, um, the first job I had when I was working in house was with a startup company. So I joined this company right before they had become a year and kind of, uh, went through them through the whole scale up to leading vendor journey. Uh, and then going to PwC where like it's more corporate, the processes are set and such, coming back to a company like Ra, way more holes, that kind of start up vibe.

Um, and for me, I'm quite, uh, ambitious and I really like to create and make stuff and test out new ideas. Yeah, be creative and being able to do that in a completely free environment. I think it's a better fit for me as an individual. 

[00:22:21] Chris Sienko: Yeah. Now I've talked to some of our instructors, um, here at Infosec regarding certifications around security manager roles, like the ISACA CISM certification and the requirements in a lot of the training is moving away from people management skills and, and more into problem solving of security skills.

Now, can you talk about how much of your work week, especially as a security manager, was spent managing and how much was spent thinking and planning security strategies, you know, for your clients?

[00:22:49] Gry Evita: Um, yeah. So it's been a bit mixed now since Grittera Security is completely new here in Stavanger. So it's only me. PwC and my previous roles have had a manager responsibility. So one to one with people now it's more with the whole team, holding the team meetings and going through, um, but Grittera is kind of a unique consultancy house, uh, as it's more like a community of independent consultants, meaning that there's not much of a workload or requirements towards a manager because we only hire people who can work independently and we trust them to kind of have control. The main thing is, of course, to deliver good value to our customers and do well on the projects.

[00:23:40] Chris Sienko: Yeah. Um, okay. That's interesting. So you're, you're, I guess there's, there's less managing in that sense in that you're not really having to have the big talk with people or, or, you know, um, you know, discipline or anything like that. So that's, that's gotta be a little bit different in that regard.

[00:23:56] Gry Evita: No, definitely. Uh, two of our main values is openness and fairness, and that's really shown because the level you're at in the company, it's predefined with how many years of experience, practical experience where you have towards the topic you're working with. So there's no one kind of assessing or deciding what level you're on.

It's based on the years of experience and open and known to all people. 

[00:24:26] Chris Sienko: Nice. Uh, so, um, I want to go back a little bit. We talked about your, your mastery of, and the importance of the ISO 27001 standard and regulation. But I want to know if you have any advice in terms of gaining the management experience required in your role. We've kind of talked about this, uh, peripherally in terms of needing to be persuasive and being collaborative.

Have you taken any course of study in management or have you mostly learned just by being a manager? And if so, do you have any advice for our listeners to sort of demonstrably improve those skills? Because I know a lot of, uh, tech people, that's not their first, uh, preference if they want to really get into the guts of the machine, they don't necessarily go into it because they want to be talking to people all day, but like, what are, what are some ways that you, um, have found yourself, um, become even better as a manager?

So I've done a bit of training in house with different companies. I think what's important for individuals to think about is if you really want to become a manager, because you can be really good within your field, but it doesn't mean that you want to be or would be a good manager. So to kind of distinguish the two, like even if you're pursuing and getting more knowledge and becoming more competent.

[00:25:40] Gry Evita: It's not like the only route to go. But if you want to go that way, like I did, I think it's important. I would say empathic, openness, and really listening to your employees. I see the manager role as the person that the employees know that they can always come to. If there's anything, a person that will genuinely listen and only want what's best and most well for them.

So get their input, try to understand like their ambitions and goals and take that role as how can you be supportive towards them achieving that. 

[00:26:23] Chris Sienko: Yeah, I think that's, that's awesome. And, and it sounds like you have at least partially, uh, in inbuilt and understanding of that, but certainly any amount of, of training can always, uh, sharpen these things as well, but, uh, so, uh, to, to, to talk to our, the largest piece of our show, uh, Gry, as you know, Cyber Work is about helping students and new cybersecurity professionals sharpen their skills needed to enter the cybersecurity industry. Uh, and as well as those looking to change careers to cybersecurity later in life, maybe from another type of management. So speaking to listeners who might want to do this type of work in information security management and more, um, you know, uh, short of getting, uh, an opportunity in the Philippines like that, what are some experiences or training or certifications or aspects of learning or projects that you would recommend people do to start to put them on the kind of path that you, you got on there?

[00:27:14] Gry Evita: Um, well, as mentioned, I think it's good to try to get like a basic knowledge or understanding of ISO 27001. If not a really good tip I can give is a bit more details about my bachelor thesis. Because it really helps you think. Uh, so the way that bachelor was set up is that we were three groups and you were set to create a fictive company.

So you could decide any sort of company. Uh, and then you had to be that company thinking about how are you going to secure this company, uh, and also securing end points. So you had like two laptops and you were also configuring the network. So you got access to some network equipment. So that was then the first phase of this bachelor assignment.

The second phase, we were all set to try to hack the other companies that had been created to try to steal as much information as we could. And doing it this way really makes you think, because first you're kind of on the defend side, like what will I do? But then when you're more on the attack side, you'll automatically think differently and it will help you better see, see both perspectives.

Um, and to me, um, I was so surprised and shocked how easy it was to kind of find all this materials and learn with it because we only had three months to kind of learn about and then try to hack these, uh, other companies, but like with Kali Linux, for instance, with a lot of prebuilt tools and online, I was so shocked what we were able to accomplish and such a short time frame.

So I think it's, um, good to kind of maybe do an assignment like that and really sit down and think for yourself because one of the key things that I've seen and continue to see is that so much is kind of just thinking logically. And that's kind of the thing. If there are like within companies, there are these security controls that are kind of pushed or forced.

They just don't make sense. You don't understand why they're there. Uh, then probably they shouldn't be there because that's not the way it should feel like it should be logical. It should make sense. And there should be a real risk or reason to why you're doing the things you're doing.

[00:29:41] Chris Sienko: Now, when you're in the process of trying to attack or trying to defend where, you know, I imagine also gives you a more concrete sense of why some of the things that ISO 27001, uh, proposes are there in those cases. Cause like you said, uh, if something doesn't make logical sense, then maybe it shouldn't be there.

But did that give you a better sense of like, why things that might have seemed illogical at first were there, uh, by actually sort of seeing how an attack is done?

[00:30:12] Gry Evita: Yes. Absolutely. Like in the, in my first role with a company being so new, we didn't have anything in place. So that was also like a huge learning experience because along the way we saw all these like tiny things that one should be doing. Then most likely, like if you start up in a company that's been along for a while, they'll have all these things in place.

But when you start out a place where nothing is in place, you'll understand why all these things are there.

[00:30:45] Chris Sienko: Yeah, no, I, I suppose. So, uh, now I, I don't know, like it says, you know, since you're working more with sort of high level consultants now, maybe this is not something you deal with. Although I know you mentor with younger students and so forth. What are some of the biggest skills gaps among people that you've seen who are trying to get hired into these types of positions that you're trying to fill?

Are there particular skill areas or qualifications that you currently see lacking in some of the job candidates that you would like to become more universal, whether that's management stuff or certain problem solving or, or anything?

[00:31:15] Gry Evita: Uh, for my company and consultants. Well, I think an important thing with being a consultant is that you're kind of able to show your skill set and also daring to kind of show it out to the market. So build a profile around you and your competence and really daring to to let people out there get to know you and what you can bring to the table.

I think that's very important. 

[00:31:49] Chris Sienko: Okay. Yeah. And I want to extend that also to, uh, maybe people who are just starting to enter the industry. Do you see certain deficiencies in people who are maybe just getting out of college or just trying to start their first job? Like, when you're trying to interview someone for an entry role, are you surprised if they that they haven't done certain hands on things, or they don't know a certain process or are the kids doing pretty good these days?

[00:32:17] Gry Evita: Um, from what I've seen, I've been really impressed with, um, with, um, uh, students. Uh, so we did some, uh, like, uh, workshops where I set up this, uh, cyber scenario, and I was so impressed with the results. Uh, so looking back, I did my education also at University of Stavanger, and looking at it now, uh, the subjects have completely changed.

So information security and cyber security is an integrated part in this degree that I did myself and I'm not working with it. But when I was doing the education, it was not incorporated. So that's a newer here in Norway, and it's really helping with with the whole skill gap. 

[00:33:01] Chris Sienko: Oh, that's great. That's, that's very encouraging to hear. I know when I came back to my high school, I was amazed that the stuff that they had that I didn't. And it's always a good sign when, uh, uh, more educational opportunities are available for younger people than you had. That's always a good, strong sign of forward momentum.

So can you talk about your favorite parts of the work that you do now, Gry? What are, what are aspects of your work that make you excited to keep pushing and learning new things every day?

[00:33:26] Gry Evita: Getting to know all these different and exciting companies and I'm really fond of like creating and implementing so I've been doing a lot of projects helping organizations go for the ISO 27001 certification and I find a lot of joy in that.

[00:33:47] Chris Sienko: That's awesome. Now, um, how long does it take on average for a company that you're working with to become successful, ISO 27001 compliant? Is this a long term, like, do they need to do a year's worth of change or is it something you can kind of suggest over the course of a month or a week? Or, or how long, how long is this, this process?

[00:34:07] Gry Evita: No, this is probably the, the main question that is, uh, that is out there, uh, and the standard response, of course, that it depends. And the thing is like, I can, for instance, tell a company like exactly how long it would take me to document some security policies, do a risk assessment, and so on. But like with ISO 27001, what you need to understand is that the main thing is change.

So is your organization ready for this change, mature and have the time set off to really invest in doing it. Uh, but from experience, um, one company I was helping, it took three years, but it was very immature. We needed to get these like base processes in place and so on. And this other company I recently helped, it took us seven or eight months.

So I would say maybe average is about one year. 

[00:35:09] Chris Sienko: Okay. Do you get much pushback? I'm assuming if they want to become compliant, that they're willing to do what you say. But do you ever get any kind of pushback of like, oh, I don't want to have to do that or, or, or is it, is it just a matter of like, just, it takes longer for some than others to sort of figure things out?

[00:35:28] Gry Evita: No, definitely expecting some pushback. I think it's natural for any type of working area or, uh, or roles. But here again, it's like so important with that, uh, open communication. And if there is pushback, there's probably a reason for it. And then it's good to kind of elaborate, elaborate and meet halfway.

So maybe there was something wrong with the way it was proposed to do, or maybe you can persuade and make the other party understand why you think they are mistaken. 

[00:35:59] Chris Sienko: Okay. Yeah, that's awesome. And again, that goes back to great managerial skills that you bring to the table here. So, so great. Can you tell us about your work with the TANK TNK tech network for women and the U37 leadership network? What are some of the things that these organizations do to help women and leaders from cybersecurity technology?

[00:36:19] Gry Evita: Yes, so U37 Leadership Network, that was a network here for leaders under the age of 37 to kind of further build relations and discuss different topics among us that we would all meet, uh, in our regular day to day working life, being very young and in leading positions. TANK is something I'm so passionate about.

It's a volunteer organization where we create this two day technology camp for girls from the age of 13 to 19. And we go around, we get different sponsors to sponsor the event. And that way we can also make it as a completely free alternative to these girls. Uh, and we've had such a huge success. So we had a camp now this summer and we had over 300 girls gathered.

Uh, and the main aim and why we're pursuing like towards the younger girls is to help inspire them to the endless opportunities that will be there for them with working with technology. So we've been discussing with schools like your hair back. Some schools try to put in more like tech related topics, but the trend they see is that, like, there's almost only guys signing up.

Sometimes there's like a few girls, but because of that social dynamic, the girls often will feel like they're not included or not belonging. And because of that, they'll kind of change because, uh, when you're so young, that matters more than maybe what your real interests are. Uh, and also we hear so much like, uh, I don't want to just sit in front of a computer all day.

Like that's not going to be my, my work life to really make them understand that. That's not what it's like to work with technology to make them really understand what it's all about and looking towards the future, like more and more and more jobs are are coming relevant towards technology, like almost regardless of what you do.

Somehow you'll be working with technology. So we really want to inspire them and show them this. And we got a message from a mom after the camp this summer because her daughter was kind of one of these typical examples like no way she was going to work with technology. After attending the camp, she, she changed her application and completely like it's going to change her career future.

And so happy to see that it's having an effect and really an eye opener for these girls. 

[00:38:56] Chris Sienko: Oh, that's a great story. I love that. Now, can you, uh, tell us, like, what kind of things are students learning in TANK over the summer? Like, what are, are there certain projects they're working towards? Are there certain key concepts that you're emphasizing?

[00:39:10] Gry Evita: Yeah, so, um, uh, with our sponsors, they'll also come in and set up these individual workshops. Uh, so here it can be loads of, uh, different things like, uh, uh, programming, or we had this like a medical company in where they had created this game towards, uh, RP, uh, uh, like heart saving. So you were kind of like doing that practically, but it was connected to a game.

Also in tank, uh, we bring in, uh, And because we focus a lot on, uh, uh, on daring to believe in yourself and having that self worth and it's, uh, often you can see more towards girls that were insecure and, uh, kind of like maybe holding ourselves back, not daring to take opportunities if we don't feel like we're a hundred percent, uh, a match, I was just watching, um, uh, I was watching this talk at a conference, uh, last week, uh, and, uh, there was this, uh, guy presenting who, who put it so well because he had seen so much with these, uh, open job positions, uh, it like for girls, if they're not meeting the criteria, 100%, they're not even going to apply, but for guys, like, as long as they meet like a couple of the points.

They'll still apply. And he was saying it's like you could put out a job applicant for like you're looking for a pregnant woman and you still would have guys applying. So yeah. 

[00:40:43] Chris Sienko: Yeah. They're like, I could get pregnant over the weekend. Possibly I'll make this work.

[00:40:50] Gry Evita: So, uh, we want to reach them at a young age to really understand this. And we've also adapted a lot of the cyber security perspective for these young girls to understand all their use of social media, uh, important things to consider and, and think about, and knowing there are networks around to kind of support and help you if you were to encounter any danger or bad activities related to it.

Wow. 

[00:41:17] Chris Sienko: Awesome. Boy, that's a, that's a great program. I love hearing about, uh, how robust that sounds and how, how wide ranging. So congratulations on being part of that. So, uh, we're just about at the end of an end of our, our show here, but before I let you go, could you tell our listeners the best piece of career advice you ever received?

so much.

[00:41:36] Gry Evita: Now that's a big question. 

[00:41:39] Chris Sienko: Yeah, it could be from a mentor or a teacher or colleague or just something you kind of picked up.

[00:41:44] Gry Evita: Yeah. I think the main thing is to not be so afraid to fail. And if you do fail, not like overwhelm yourself with criticism or self harm, but instead look of it as an opportunity to do better because if the first time we're doing anything and you're doing it like a hundred percent perfect every single time, that's kind of boring because then you have no further way to go or excel.

So don't be so afraid to fail. Take those opportunities. Like, especially if there's an opportunity that's thrown your way, you get this feeling, ah, I'm not so sure I can do this. That's the time you definitely should say yes. So that would be my, uh, my advice. Next time you get an opportunity that your first instinct is to say no, say yes to challenge yourself and get out of that comfort zone. 

[00:42:44] Chris Sienko: I love that. Uh, yeah, I mean, when I think of, uh, you know, points in my, my, my career life, I never think about the tasks that were super easy and I did it without any problem at all. Like, you can't even remember those 10 years later, but the ones that I did. kept you up all night or, you know, took a long time or seemed unwinnable.

Like those are the ones that really stick with you. So try and make as many of those as, as, as you can, everyone. Uh, so, uh, this has been a great talk. I could talk to you all day, uh, Gry, but, uh, as we wrap up today, feel free to tell our listeners about Grittera Stavanger and Grittera Security and some of the services that you offer.

Gry Evita: Yes. Uh, so we offer advisory services in everything ranging from leadership to technology. Um, so we're happy to support. We can also do remote support to different locations outside of Norway, if that would be of interest. And in Grittera Security, we have a lot of experts in GRC, so anything related to ISO 27001, NIS2, DORA, these new regulations.

[00:43:49] Gry Evita: Thank you. We're here to help. 

[00:43:53] Chris Sienko: Love it. Uh, all right. So, uh, one last question here. If our listeners want to learn more about you, Gry Evita Sivertsen, or about Grittera Security, uh, where should they look online? Should they look to your, your LinkedIn? Do you have a social media presence?

[00:44:07] Gry Evita: Yes, I'm very active on LinkedIn. I post regularly from real life examples and experience and the things I've learned along the way. So do feel free to follow. I also love it when I get these messages from people who are kind of struggling with something. If I could elaborate or make a post on that, it helps me boost their creativity, thinking back.

And then I can also help someone out with something they find challenging. Uh, and for Grittera, it's grittera.no or grittera.com. Uh, so feel free to check out the website as well. There's a lot of details there on both our consultants, but also the types of services that we can offer.

[00:44:50] Chris Sienko: Awesome. Yeah, I found, I found Gry on, on LinkedIn and I hope our listeners will find you on LinkedIn as well. So, uh, Gry, thank you so much for joining me today. I really enjoyed learning more about your career journey and your work today. So I appreciate your time.

[00:45:03] Gry Evita: Thank you so much, Chris. It's been a pleasure. 

[00:45:06] Chris Sienko: I'm so glad. So, uh, thank you to everyone who is watching, listening, and writing to, into Cyber Work with feedback. If you have any topics you'd like us to cover or guests you'd like to see on the show, just drop them in the comments below and we'll do our best to get to them as quickly as we can. Uh, before we go, don't forget InfoSecInstitute.com slash free, where you can get a whole bunch of free and exclusive stuff for Cyber Work listeners, including our new career immersives, where you can, uh, which can take you from career beginner to job ready in six months time, or by a combination of live instruction, hands on practice and personalized career coaching that can fit any schedule. And of course, InfoSecInstitute.com slash free is still the best place to go for your free cybersecurity talent development ebook. You'll find our in depth training plans and strategies for the 12 most common security roles, including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder, ICS professional and more. One more time, that's InfoSecInstitute.com slash free. And yes, the link is in the description below as well. One last time, thank you so much to Gry Evita Sivertsen and thank you all for watching and listening. This is Chris Sienko signing off until next time. Keep learning, keep developing, and don't forget to have a little fun while you're doing it. Bye for now.
