A typical risk report can take one and a half years to develop. Now, Aker, Cognite, and Telenor's joint-venture will create it in minutes.
The established company Omny as a joint venture between the three companies. In the beginning, Omny had eight employees - all from Cognite. Since then, they have hired Sigvart Voss Eriksen as CEO and expanded to 45 employees.
The company recently launched its latest product, Omny Risk. It is a platform for assessing a company's risk profile in terms of vulnerability to attacks from various threat actors.
With this product, they aim to dominate the market for risk reporting in large companies, both in Norway and internationally.
Image: Sigvart Voss Eriksen, CEO of Omny and Ronny Løvbakke, CSO of Aker BP
Changed geopolitical security landscape
It is no coincidence that Omny Risk is being launched now. With increased digitalization and automation of the industry in Norway, as well as increased unrest in the world and advancements in hacking and cyber attacks, Aker BP and Telenor found it necessary to devise a plan for how to protect themselves in the future.
The focus has not only changed internally within the companies: investors also began to demand increased focus on cybersecurity.
-
Especially in the industry, the fear is not only that another state actor can hack into a company's IT network systems, but that they can hack into the facilities and take control of physical machines, explains Eriksen.
-
Digitalization of the value chain and operation of future fields are important focus areas for Aker BP, but this can also create new vulnerability surfaces that we must take measures to reduce the risk, explains Ronny Løvbakke, Chief Security Officer at Aker BP.
From six months to minutes
Through Omny Risk, customers will have the opportunity to access updated, data-based risk analyses and overviews more or less in real-time, as opposed to traditional risk analyses that are often done annually or even less frequently.
- Ultimately, our platform and reports will replace the old, outdated solutions for risk reporting - at least for large and complex companies, says Eriksen.
Until now, risk analyses and planning have often been something a company orders externally from consultants, which they receive once or twice a year if they are lucky. The reports vary in terms of being data-based, and the conclusions are often based on subjective assessments from the consultants without sufficient clarity on uncertainty and data basis for the assessments.
In addition to providing a good and detailed picture of the security situation in the companies, Omny Risk will follow up with recommendations and measures that the customer can implement to be better prepared for various forms of attacks.
- Like getting the weather forecast six months too late
Løvbakke, who has a background in the Police Security Service, explains how it was to start at Aker BP in 2018. The analysis processes were analog, and the reports were long and complex. The reports were entirely confidential, and planning was kept in safes. It was challenging to see the connection between measures and analyses, and especially to communicate this to the risk owners.
-
Since the reports were often outdated when new events and factors came up for consideration, we largely relied on our own assessments of the security situation and gut feeling.
-
It was like getting the weather forecast six months too late.
Ronny explains that the threat landscape is changing and evolving much faster now than before, and that the consequences of outdated information will be all the more serious.
How is risk measured?
When Shifter visits Aker BP's Tech Hub at Fornebu to speak with Eriksen and Løvbakke, they present a slide on the PC full of mathematical formulas that are part of the risk calculation.
- This looks very complicated, but the essence is that the risk is assessed based on three factors: threat, vulnerability, and value. These are part of what we call the risk triangle, explains Løvbakke.
The threat aspect encompasses how many and how significant security threats a company faces, and how interesting and attractive the company and our values are to various threat actors.
Vulnerability is about how well equipped one is to meet the threats.
The value aspect is about which parts of the company we consider to have high value and want to protect. If we are talking about billions of kroner, the risk is naturally very high. This is why Omny primarily envisions delivering the product to large companies.
Customers and the road ahead
Eriksen and Løvbakke have no doubt that the customers are primarily large industrial companies in Norway and abroad - those who are most vulnerable to attacks. These are the ones who have the most to lose from outdated information.
- Cybersecurity for IT solutions has been developed for a long time, and there are good solutions on the market, but in OT - operational technology, there has been very little development, explains Eriksen.
Omny was established primarily because Aker's industrial companies and Telenor needed good security solutions on the OT front, but the product will be sold on the market to private and public companies.
-
We do not want to reveal which companies, but we are in discussions with several potential customers, both in Norway and internationally, says Eriksen.
-
And then we will soon launch phase two! exclaims Eriksen, but does not want to elaborate on whether phase two is a new product or another act of Omny Risk.