Achieving and maintaining a security score 95/100 with Aftra

About Innnes

Innnes is not only the largest food wholesaler in Iceland, they also strive to stand out in the market. Part of that journey to market leadership has been through building a strong culture of cybersecurity. Tinna Harðardóttir, Chief Technology Officer (CTO) and Berglind Grímsdóttir, Chief Information Security Officer (CISO) emphasize in our interview that security is not only a competitive differentiator, but that there is a social responsibility to the community to be as secure as they can be for their customers – and to share that story.  

A new location, a new security journey 

“Not too long ago, Innnes was a typical Icelandic company with a warehouse” - Tinna Harðardóttir, CTO.

Innnes’s CTO, Tinna Harðardóttir has been with the company for over 20 years, but she says when they moved to from Fossaleynir to their new location (Korngarðar) at the Reykjavik harbor in 2021 there was a shift in mindset across the company. At that time, a lot of things were evolving, including the technological development at the company. She says they were behind in matters of cybersecurity and that it was time to step up.

In the beginning, however, it was difficult to convince other stakeholders of the importance of security and why they needed to invest in it. Luckily, she says, they are “not afraid to have the difficult conversations” in their organization and it didn’t take long before they had buy-in from leadership to improve and invest in security. 

A “harsh awakening”

Their security journey truly began when they started to work with Syndis, an Icelandic cybersecurity consulting firm, and Aftra’s partners. Tinna tells us that “the real “aha” moment” came after they got a pentest done from Syndis. The test revealed they didn’t have a good understanding or overview of how their infrastructure looked from the “outside”. They had no genuine oversight over their digital footprint and attack surface, which they very much needed.

Tinna says that the "pentest was a harsh awakening, we had no idea of the situation”. But it also set them off on a larger journey and all further steps naturally fell into place. The results made the management team truly understand how vast their attack surface is and that they couldn’t manage everything themselves. 

Choose people you enjoy working with 

Tinna Harðardóttir, CTO and Berglind Grímsdóttir, CISO are primarily responsible for cybersecurity at Innnes. They emphasize, however, the importance of working in strong partnerships to achieve their security goals. 

“The goal is to always be moving and not put all your eggs in one basket. The tech world is moving so fast and we always need to be on guard.” -Berglind Grímsdóttir, CISO

Innnes first started working with Syndis’s SOC (security operations team) and later added on their security management services. Since starting to work with Syndis, they’ve already put in the work to become NIS2 compliant for when NIS2 is implemented in Iceland and are working towards their ISO270001 certification. Their trust, success, and satisfaction with Syndis’s services eventually led to them implement the Aftra Attack Surface Management platform, due to the close partnership between the companies. 

“Choose people you enjoy working with. You can get more work done with that approach. Sometimes it’s more important than other factors.” -Tinna Harðardóttir, CTO.

Tinna emphasizes that when choosing a security partner, it’s critical to find companies and people you enjoy working with. Of course they should also be trustworthy and be able to deliver top-notch services, but sometimes just being able to work well together is underestimated.

Filling the missing piece of the puzzle 

Adding Aftra to their stack of security tools and services was the “missing piece of the puzzle” for Innnes. “I’m not sure we’d be where we are today without it. It all works together.”, says Tinna. Berglind adds that Aftra provides them that extra layer of security by continuously monitoring for threats and vulnerabilities and displaying it in a visual manner. When vulnerabilities are found in the Aftra platform, their Chief System Administrator can then go in and take a look. Getting the vulnerabilities resolved is now pretty quick.

“It’s easy to overthink cybersecurity, but if you get over it, you can fix things quickly. It’s like building a wall. Once the foundation is built, it’s easy to add in the extra bricks.”-Berglind Grímsdóttir, CISO

She adds that they’re, "more at peace since implementing Aftra, because we always know where we stand in terms of security. We feel like we can manage our security and our assets better, now that we have an overview of everything in one place. The Security Score is very tangible for the whole team – from the CEO down to each employee – and you get competitive about it.” - Berglind Grimsdóttir, CISO at Innnes

Getting the CEO involved in security

Aftra has also helped them to get the CEO truly involved with cybersecurity and he’s become a bit of a security champion within the team. Since implementing Aftra they’ve brought their Security Score up to a 95 out of 100. The CEO was so proud of the achievement that he showed that number to the entire Innnes team in a staff meeting.

(The Aftra Security Score tells you how resilient your organization is against a cyber attack. In a nutshell, the higher the number, the less likely it is for a hacker to penetrate your defenses.)

Tinna and Berglind can also use the data from the Aftra dashboard to easily report on cybersecurity to the leadership team and they often check it many times a week just to see how they’re doing.

“I go into the Aftra dashboard many times a week just to see if we’re maintaining the progress we’ve accomplished since implementing the platform.” - Tinna Harðardóttir, CTO at Innnes

Everyone in the company has a role to play in security

But creating a culture of security and becoming secure goes beyond the leadership team. Each and every person in the company needs to know how their actions play a part. With the Aftra Security Campaigns, individual employees can see that their footprints are everywhere.

When they introduced the campaigns internally and showed people their digital footprint, there was a big wake-up call. They now understand the importance of being careful online and not to use their work accounts for non-work related activities online.

Many employees and senior managers, for example, have a large digital footprint. They are therefore usually on the Aftra Security Campaigns due to their long history with the company, which dates back to when using one's employee accounts for personal usage was normal practice.

You can’t be 100% confident, but you can be 100% prepared

Both Tinna and Berglind emphasize that everyone has a role to play in security and that it’s extremely important to play a “no blame” game. Getting everyone involved also means that they feel comfortable reporting incidents, such as accidentally clicking a malicious link. 

But it’s not enough to get the team members involved, you need “buy-in” from the top and to find your security champion or champions within the leadership team and they feel very lucky to have a CEO that understands the importance of investing in security.

Security resilience is also not going to happen overnight. You’ll never be 100% confident or 100% secure, but you can be 100% prepared. 

“It’s like walking Everest, you have your milestones.” -Tinna Harðardóttir, CTO.

As a final sentiment, Tinna expresses the importance of sharing the story of their cybersecurity journey and her interest in what others are doing. 

“We have a social responsibility to share our story. It’s greater than us and we should all be working together and be more vocal about security.” -Tinna Harðardóttir, CTO.