Home » Information security is part of critical infrastructure – “Resilience is built on options”

Information security is part of critical infrastructure – “Resilience is built on options”

29.5.2026 - Company Stories

Nainen ikkunan edessä erilaisten pienten näyttöjen vieressä.

Digital systems are increasingly tying societies and businesses to the same technologies and suppliers. In the event of a disruption, the question of ability to act arises: can you act on your own terms or do you have to rely on others? “Above all, resilience is based on taking proactive action,” says Tiina Sarhimaa of the Finnish cybersecurity company WithSecure.

The airport departure display goes dark. A production line at a factory stops. A hospital loses access to patient records. In the summer of 2024, a single security update brought systems around the world to a standstill, and the impact on everyday life was immediate.

According to Tiina Sarhimaa, WithSecure’s Chief Legal Officer, the threat to information systems and cybersecurity is not just from singular flaws, but from how widespread a single technological solution is. Only a disruption will reveal how many critical functions are tied to the same system or supplier.

“A major disruption like this can paralyse many European organisations at the same time. And when the disruption also affects the US, who will be helped first? In a scenario like this, that’s a big concern.”

• Founded: 1988 (F-Secure, the corporate data security business was spun off into WithSecure in 2022)
• Headquarters: Helsinki
• Sector: Cyber and security solutions for businesses
• Business areas: Software and services to help businesses identify, prevent and manage cyber threats
• Clients: Businesses and the public sector, especially in Europe
• Personnel: approximately 600
• Listing: Nasdaq Helsinki delisting underway following a takeover bid by a consortium formed by Risto Siilasmaa and the European fund CVC.

Resilience based on identifying dependencies and risks

Resilience is not just about whether systems can withstand disruption and attack. What matters is whether your ability to act in the event of a disruption is in your own hands. As the geopolitical situation becomes more tense, technology is no longer a neutral factor, but part of the wider security environment.

According to Sarhimaa, resilience is first and foremost a proactive effort. Dependencies and risks should be identified and addressed before problems arise.

“In Europe, and especially in Finland, we are rather dependent on non-European cybersecurity technologies. We should think about guaranteeing our autonomy if something happens. Digital sovereignty means, effectively, freedom of choice – freedom from being totally dependent on one or more parties over which you have no control.”

Cybersecurity rises above climate and economic risks

Tiina Sarhimaa, Chief Legal Officer at WithSecure, says that at the Munich Security Conference in February, cybersecurity emerged as the biggest risk for industrialised countries – more serious than climate and economic risks. The digital ability to act is seen as part of society’s foundations.

“Cyber attacks target societies, businesses and individuals. They are a persistent phenomenon, and often there is a state actor behind them. More than just individual cases, it’s the bigger picture that really matters.”

At its best, resilience can give a company competitive advantage. “It is important to identify and prevent disruptions so early that the client may not notice anything,” says Tiina Sarhimaa, WithSecure’s Chief Legal Officer.

Sarhimaa says that businesses and other organisations should not treat cybersecurity as an isolated technical issue. Consideration should be given to how and what technology to buy, how to build systems and who to ultimately rely on.

“In Finland, most companies and most of the public sector use Microsoft’s security solutions. This is an example of how much we rely on one provider, even though alternatives are available on the market.”

According to Sarhimaa, there is a reason for this. Technology is offered in bundles that include tools, cloud services and security. For a business, this is often an easy solution, but it also creates dependency that is not easy to shed.

“When a business buys office and cloud services from a single supplier, security solutions often come bundled with them. This may give the impression that everything has been taken care of in one go. In reality, managing all of this requires a lot of skill and resources.”

Regulation has created a new problem

In Europe, regulatory responses to this concentration of technology and growing dependency have imposed new obligations on companies and made cybersecurity part of leadership. According to Sarhimaa, this is a good thing, but the way in which regulation has been implementation has created a new problem.

“A huge volume of legislation has been introduced all at once, and for many companies this has become a big exercise in compliance. The focus is often on keeping the paperwork in order and making sure reporting runs smoothly. Instead, it should be on being able to identify and counter attacks and to react quickly.”

“It is important that all aspects of cybersecurity are taken into consideration,” says Sarhimaa

She adds that there is also room for improvement in the European market. Technology is being developed, but it is more difficult to create a global business here than elsewhere.

“Europe lacks a mechanism to rapidly scale up innovation. In the US, the government can be the first big client to enable growth. In Europe, businesses are faced with a regulatory jungle and fragmented application practices.”

Resilience can offer competitive advantage for a company

According to Sarhimaa, resilience can at best offer a company competitive advantage is clients see it as operational reliability.

“If you can identify and prevent disruptions early enough and react quickly, the client may not notice anything, even though a lot may have happened in the background. This is the outcome we should be aiming for.”

It is important that cybersecurity works as a system. Supply chains are one critical factor: which partners have access to the company’s systems, where is data processed and how do your partners secure their own operations.

“This is one of the most common blind spots in business. Typically, the focus is on your own environment, and then the attacks come through your supplier. If the supplier has a vulnerability and access to your environment, it can be used to gain entry. That’s why you need to know and understand who is part of your security environment and how well their systems are working.”

Artificial intelligence is the latest addition to the cyber mix, but the traditional set-up in the industry has not changed: it is still a race between attackers and defenders.

“Artificial intelligence is already used to a huge extent in attacks, and it is imperative that we know how to use it in defence. Artificial intelligence makes both sides more efficient.”

WithSecure’s Tiina Sarhimaa’s tips for businesses:

Treat the supply chain as a system. Know which suppliers are part of your environment, what their dependencies are and where your data is processed.
Define the goal state before deciding on solutions. Start with what kind of security outcome you want and what capabilities it requires – not with specific regulations.
Consider where the technology comes from. Using solutions developed in the EU will strengthen the market, the security of supply in Europe and Finland, and create alternatives in the long term.

Text: Mikko Viljanen
Photos: Liisa Takala