RitS provides IT operations to four municipalities in Ryfylke. After a security incident and a rapidly changing threat picture, they went from monitoring themselves to handing over responsibility to Netsecurity as a strategic security partner and provider of round-the-clock security services.
- "It's a jungle out there, and we knew we had to find someone who could monitor around the clock," says Ellen Gundersen Husebø, CEO of RitS.
Ryfylke IT-samarbeid (RitS) is a municipal joint venture that provides IT operations and portfolio to the municipalities of Strand, Hjelmeland, Suldal and Sauda. With responsibility for the entire IT portfolio of 3,700 employees and thousands of residents, they are a critical supporter in the Ryfylke region. They have always had monitoring at different levels, developed in line with the threat situation. But in 2021, things came to a head.
Specific municipalities were hit by cyber attacks - the hacker attack on Østre Toten municipality set a precedent for how serious things could actually get. Shortly afterwards, RitS itself experienced a compromise. Husebø describes it as a turning point.
- "The incident was handled satisfactorily, but we saw that this could explode. We, like all other municipalities, have limited financial room for maneuver and are not always able to keep up on all fronts. Firefighting often takes precedence over proactive work, and skills are often developed through "learning by doing". We realized that it was unrealistic to keep up with everything ourselves in the field of cybersecurity," says Husebø.
The most important internal discussion was simple but crucial: Should we wait for the public sector to put something in place, or should we do it ourselves? RitS checked whether KS or other public players could deliver services that solved the challenges they faced, which they did not. The board of RitS was clear: safety must be in the driver's seat.
The idea of acquiring a strategic security partner was included in the investment plans for 2022. RitS also invited other municipalities to join, and raised the idea of innovative procurement to gain insight into what the market could actually offer.
Together with advisors from the Supplier Development Program (LUP), they chose a competitive dialogue as the procurement method. Several suppliers were invited to dialog meetings before the competition was announced.
- "Through the dialog, our expertise matured. We gained the insight to set correct and timely requirements. It was demanding, but incredibly useful," says Husebø.
The most important requirements they landed on were a 24-hour security monitoring center (SOC) that operates when they go home for the day, an incident response team (IRT) that can respond outside working hours, and that the supplier should be an active strategic advisor. In addition, they required that the supplier was approved by NSM and that all dialog took place in Norwegian.
Husebø is clear that the Norwegian language was not a "nice to have" requirement, but a contingency requirement.
- If there is a crisis, there should be no language barrier. In retrospect, the geopolitical situation has only reinforced the importance of a Norwegian supplier.
Netsecurity won the competition in the fall of 2023, and Husebø is impressed by their ability to understand RitS's situation and quickly implement the first part of the service.
- "They have a very humble approach to gaining an understanding of our needs. They are open to sparring and strive for good deliveries. Their understanding of our needs and their humility are very important to us," says Husebø.
RitS and Netsecurity had a common goal: to get the most critical monitoring in place before the Christmas holidays in 2023. And they succeeded. According to Husebø, Netsecurity did everything they could to get it in place in time.
- "Then we could take our Christmas break with a clear conscience and sleep well at night," she says. The value has been demonstrated on several occasions, especially after normal working hours. In particular, Husebø highlights cases where users have given away their passwords in phishing attempts - which without monitoring could have had serious consequences.
Husebø describes IT security as a marathon where the finish line is constantly moving. The threats she keeps an eye on range widely: massive phishing attacks, the geopolitical situation and AI used as a method for data attacks.
She is clear that IT security is not the responsibility of the IT department alone - it lies at the top level of the municipality. The NIS2 directive reinforces this, with its requirement that security is a management responsibility and must be documented operationally.
- "In a way, it's good that it's coming as a law. For example, we've always had a Personal Data Act, but I think many people "fell asleep a bit" - until GDPR came along and you could be fined for not being compliant. I think it's positive that the same thing is now happening with the regulation in NIS2 and the AI Act," says Husebø.
For Husebø, this is about something bigger than compliance.
- The world is a small place, and the geopolitical and security situation makes it all the more scary. At the same time, we have the rapid development of technology, which in turn affects everyone. We can do something about some things and not others.
- As the municipality's IT department, our task is to secure the municipality's information and data, and to help keep all our IT users safe when they are in the digital space. That's why it's reassuring to know that we have Netsecurity to monitor behavior and trends in the digital space. Or, as Husebø poetically concludes:
"We go home when the workday is over. Knowing that Netsecurity is working, while the rest of us are sleeping."