
Buying security is an illusion, it has to be built

May 21, 2025
Author: Björn Orri Guðmundsson, CEO Aftra

I see the same pattern over and over. Companies pour money into quick fixes and they believe that’s enough to make them secure. But the truth is, you aren’t actually buying security, you’re buying the illusion that you’re secure. Tools can help, but true resilience comes from building it, intentionally and consistently. And it starts at the top.

We all know cyberattacks are accelerating and regulatory demands are increasing. We read about it everywhere. Despite this, many executive teams still treat cybersecurity like an afterthought. It’s not woven into strategic conversations the way it should be. Cybersecurity should be as natural a topic in boardrooms as financial performance or market share. Instead, it often shows up as an item to check off a list or something to be "handled" by buying a service full of false promises.

I believe that mindset is dangerous. You can’t outsource your responsibility for security. If your company isn’t equipped to interpret threat data, take meaningful action, and build an internal security culture, then you have no real security strategy. And false confidence is worse than no defense at all.

It might be a funny thing to hear from the CEO of a cybersecurity technology provider, but no technology will fully protect you.


Cybersecurity starts at the top

Too often, management teams delegate security entirely to the IT department, and oftentimes it falls onto one individual. But cybersecurity is not an IT issue. It's a business continuity issue, a reputational issue, and it’s a leadership issue.

No board would go six months without reviewing the company’s financial health. Yet cybersecurity—a risk that could halt operations overnight—often doesn’t show up on the agenda. The good thing is that we do have the frameworks and tools to manage this. What’s missing is prioritization and understanding.

The problem isn't that security is too complex, although that’s what many people believe. It’s that executives don’t have the tools or vocabulary to talk about it, let alone take action. I founded Aftra to solve that problem: to help decision-makers understand, own, and act on their digital risk.

Hackers don’t care who you are

Let’s be clear: hackers don’t target you because of who you are, but because of what you expose. They don’t care whether you're a global bank or a local university. To them, your company is just an IP address in the library of the internet to scan for vulnerabilities.

Our product at Aftra was born out of this reality. We map a company’s digital footprint and identify weak points that attackers could exploit. It’s proactive, it’s strategic, and—most importantly—it puts actionable insights into the hands of leadership. We’re not trying to turn CEOs into security engineers. We’re giving them visibility and ownership.

Too many companies think they’re flying under the radar. But automated attacks don’t discriminate. They're opportunistic. It’s not a matter of if someone tries to get in—it's when. And when that time comes, you need more than a subscription to antivirus software.

There’s no shame in being attacked

There’s an outdated stigma around breaches. I’ve talked to companies that were embarrassed to come forward after being hit. But the reality is, no one is immune. If you operate in the digital world, you’re exposed.

Most attacks are random. Hackers are inherently opportunistic, especially now that attacks are automated. It’s just about finding the right opening, gaining a foothold, and preparing for further attacks. That said, companies with a larger online presence have more digital footprints that hackers can exploit, making them more appealing targets.

Hackers sniff out all kinds of weaknesses in companies. They look for open VPN ports, which indicate a connection to a company’s internal network, for example. This isn’t a vulnerability in itself, but it could be a component. If I know about that digital port, and I also know of a password leak—or even another vulnerability—I can combine those elements to create an opening.

There’s a famous quote from the former Cisco CEO, John Chambers:

“There are two types of companies—those that have been hacked, and those that don’t know it yet.”

That’s not fear-mongering. That’s the world we live in. What matters is how you respond, and how prepared you are to recover.

Everything we do on the internet leaves a trace. We have domains, email addresses, IP addresses. We sign up for all kinds of platforms, whether personal or work-related. These are not official records, but the majority of this information is accessible to those with the motivation and enough technical knowledge to find them. 

And there are plenty of motivated individuals out there. Cyberattacks have been growing exponentially in recent years, with around 30,000 attempted cyberattacks and system abuses reported in 2024. Here in Iceland, several companies have been targeted by hackers using methods such as phishing and ransomware, and it’s the same across the globe.

Attackers come in many forms. There are curious individuals, organized crime groups demanding ransom, or state-sponsored actors looking for data. Their motivations may vary, but they all exploit the same thing: weaknesses in your digital footprint. 

The good news is that the discussion about cyberattacks has become more active, which encourages companies to come forward and be less ashamed to share their experience with being hacked. 

Society needs companies to share their stories, so we can collectively do better. 

The goal is not perfection, but resilience

We’ll never eliminate risk entirely. We live in a tech-driven society with endless vulnerabilities—they just haven’t all been discovered yet. That’s the reality. We’ll always be in this cat-and-mouse game. Cybersecurity is a moving target. Attackers only need to find one weakness. Defenders have to cover every angle, every time. But that doesn’t mean we’re helpless. We can minimize our exposure and become more aware.

The goal is to make yourself a hard target. To shrink your digital footprint. To identify and fix issues before they’re exploited. Unfortunately, the vast majority of cybersecurity solutions today are reactive. We need to think more proactively with measures for prevention, visibility, and resilience.

At Aftra, we’ve spent the past year building a tool to help companies understand their exposure and strengthen their security posture over time. We’re now working with around 80 clients, about 10% outside Iceland, and growing in the Nordic region. This is a global problem—and we’ve built our company from day one to solve it on a global scale.

What executives and boards need to hear

Cybersecurity isn’t a side topic anymore. It’s not a nice-to-have. It’s a business-critical function, and it deserves a seat at the top table. Just like ESG (environmental, social, and governance) metrics or employee engagement became boardroom priorities over the past decade, cybersecurity needs to earn that same space.

My advice is to start small. Set goals. Track progress. And learn the vocabulary. Bring it into your board discussions. You don’t have to be an expert—but you do have to care.

Because you can’t buy security. You have to build it—systematically, proactively, and with the full support of leadership.
