About Metso
Metso is a frontrunner in sustainable technologies, end-to-end solutions and services for the aggregates, minerals processing and metals refining industries globally. The company improves its customers’ energy and water efficiency, increases customer productivity, and reduces environmental risks with its product and service expertise.
Headquartered in Espoo, Finland, Metso employs over 17,000 people in close to 50 countries and sales for 2023 were EUR 5.4 billion. The company is listed on Nasdaq Helsinki.
Background
The cybersecurity threat landscape has grown more severe, leading industrial customers to impose increasingly stringent cybersecurity requirements on their suppliers. Additionally, the new European cybersecurity legislation, driven by the NIS2 directive, now mandates that manufacturing companies ensure proper cybersecurity management.
Metso has been systematically enhancing its cybersecurity management over the years to effectively address cyber risks and build customer trust. To ensure that the company’s practices meet today’s requirements, Metso set up a dedicated project to assess and elevate their company-wide cybersecurity management.
Cyberismo consulting
In this project, the role of Cyberismo cybersecurity advisors was to support Metso leaders and experts in developing and improving the cybersecurity management system. This included:
- Creating a carefully prioritised project plan that focused on the essentials,
- Designing together a new steering, project management and decision-making structure,
- Preparing and delivering tailored cybersecurity trainings, including e-learnings and instructor-led trainings for different audiences from asset and risk owners to top management,
- Creating easy-to-use toolboxes for risk identification and incident management preparations,
- Designing new issue tracker configurations for cyber risk management, and
- Offering cybersecurity expertise as Metso teams adopted new and improved cybersecurity practices.
Building large cybersecurity management systems
The complexity of managing cybersecurity increases as an organisation’s size and diversity grow, making an adaptable management system essential.
Here are the important success factors recognised from this project. They are relevant in general when building effective cybersecurity management systems, particularly in large, international organisations:
1. Focus on people and continuous learning
People are at the core of effective cybersecurity, making continuous learning essential for all — from the board of directors and top management to every employee and partner. Training and communications must be tailored to address the unique needs of each audience to maximize understanding and engagement.
2. Design a scalable organisation and follow-up structure
To support multiple teams across diverse business units and legal entities, a well-defined project structure is critical. A completely flat model is inadequate; instead, there must be a layered project management structure with a clear steering model.
We must change the level of abstraction as information flows between the layers of the organisation. For instance, while top management must oversee cybersecurity risks, team-level details should be consolidated and summarised for effective decision-making.
3. Appoint an internal project manager
We recommend nominating an internal project manager, who already knows the organisation and key people, whenever this is practical. An internal project manager will be available to ensure that the improved cybersecurity management practices continue after a more focused project phase. In this project, an excellent project manager, supported by excellent subproject managers, ensured that the project stayed on track.
4. Implement efficient decision-making practices
Effective decision-making is crucial in large-scale cybersecurity projects. In this project, we ensured that steering meetings were organised frequently enough, that each decision was assigned a unique identifier and URL, and that decision proposals were reviewed and approved in formal steering meetings. This approach ensures that decisions are easily referenced and that progress is consistent, avoiding repeated discussions on the same issues.
5. Correct the course promptly
Sometimes the first approach turns out not to work. It is important to recognise these situations and correct the course early. A case in point in this project was the selection of the improved tools for managing cyber risks.
To speed up feedback loops, we piloted all new improvements early with a small number of participants, even when the improvements were not completely ready. This allowed us to find and address the bottlenecks and problems earlier than if we had tried to roll out a complete and approved improvement globally.
Testimonial
I’m extremely pleased with the results of our company-wide cybersecurity improvement project in collaboration with Cyberismo. While ensuring compliance with cybersecurity regulations under the NIS2 directive was a key driver, our focus was on elevating our cybersecurity management practices overall.
Building a sustainable cybersecurity management system across a large, international organization with multiple business areas is challenging. Having consultants with extensive experience across industries provided invaluable support. Cyberismo emphasized continuous learning throughout the project, from executive presentations to team-level engagements, enabling us to embed a culture of improvement organization-wide.
Petri Vilander
CISO, Metso