Gary Thompson: What I thought probably would be a good place to start with Kenneth is for you just to introduce yourself and to give an overview of your current role and a bit about yourself as well?
Kenneth Titlestad: I'm Kenneth Titlestad. I've been around six months now in the role of Chief Commercial officer in Omny. So Omny is a start up company from Norway having worked three years with a platform solution for OT cybersecurity. So we are born out of OT with our main owners being The Aker Group, Telenor and Cognite. So really born out of OT. Aiming for solving some of the big, big challenges in OT cybersecurity, how to model the physical infrastructure and the digital infrastructure in one single digital model, to be able to identify the risks, the threats, the vulnerabilities and what actions you need to take to handle those challenges. So that's Omny, where I'm Chief Commercial Officer. Coming over from Sopra Steria where I spent seven years in starting from almost from scratch when I started with focusing on OT cybersecurity in in Sopra Steria and I headed up the work there and over seven years we were able to build one of Europe's strongest consulting houses on OT cybersecurity, a journey which I'm very proud of and have of course, a lot of friends and colleague colleagues over there in Sopra Steria, but also who have gone on and have come into other different roles in industry across Norway and the Nordics. At the same time, I've also been a very passionate guy on OT cyber security so I've also been chairman for the International Standardisation Committee in Norway, the Norwegian Electro Technical Committee where we administered the IC 62443 which is the international standard on this area. So I get to meet a lot of passionate engineers and technical authorities who are working on OT cybersecurity across industries.
Gary Thompson: Kenneth, everyone has a story of how their careers started and how it all come to pass, what's your story? How did you break into cybersecurity?
Kenneth Titlestad: I would say that it happened as I came from IT infrastructure, I worked as an architect and team manager in Equinor, one of the Big Oil and gas companies so was responsible for Windows. The large parts of the windows environment in Equinor. And I was starting to look at going offshore on the oil and gas platforms on the Norwegian continental shelf. So on my first trip offshore, I was going out there just to do some investigation on a on a troublesome firewall out there. I don't remember the brand of it, but it was kind of noisy, creating some noisy alerts without actually being real alerts, so it was false positives. But when I was out there I got to understand the tremendous focus they have on HSCQ safety is everything, IT is just troublesome. It's much more important to always have a focus on safety. So I was really amazed by, for instance, seeing that in the control room at the facility they had this big screens on the wall and they were actually misbehaving a bit with blue screens, the blue screens of death, which we know quite well from old legacy IT stuff. So with basically running Windows XP behind it. So I had done courses and training on what to do with blue screens, and how to troubleshoot it so I was actually able to fix it deep in the industrial control system due to a bad HP driver. Kind of the typical culprit of those kind of blue screens. So that was that was the start where I saw that I my IT skills kind of old skills actually can be used to fix stuff in really high critical control systems. So that was the start for me. Seeing that my IT skills can really mean a difference deep into business critical systems for Equinor.
Gary Thompson: You've obviously journeyed through engineering into management of business building into leadership. We were just talking a short while ago about now responsibilities towards investors. Well, what's been the greatest learning curve for you in all of those different journeys?
Kenneth Titlestad: I would say that it's all the time being reminded that it's about people. So even though I dive deep down into technology risk cybersecurity incidents, threats and those kind of things, fear and certainty, doubt. And lots and lots of interesting technology, evolution, technological breakthroughs. It's always about people. So it's people trying to make it work. It's people trying to develop new stuff. It's people behind each role in in the company kind of really happy about their work or their collaboration with their colleagues, or being frustrated about not being able to collaborate between the different departments in the company or between the different disciplines. So I tend to always be reminded that it's always people, but we have to see with the lenses that we look at technology.
Gary Thompson: When you're not dealing with threats or compliance or security issues, how do you switch off from all of it? What do you, what do you do away from all of this?
Kenneth Titlestad: I think I'm kind of the person that doesn't put really strong barriers between work and private life. So, kind of the personality type that lets everything flow and I'm really happy about it as well. So I have most of my best friends are colleagues as well and vice versa. So and I can take sort of a break during the early morning or during the day and then I gather myself and take some hours working in the evening instead to get the work done. So yeah, I get through it due to being passionate about it and having a lot of my best friends around me at work.
Gary Thompson: The convergence of IT and OT has been a buzzword for years. Where do you still see the biggest blind spot when securing that overlap?
Kenneth Titlestad: I think I would like to bring forward the safety critical interfaces so when IT meets OT we have a different… kind of different technology merging, but it's often about Windows, it's often about Cisco, different kind of digital technology. It is very similar, but what is very different is the potential consequences when you move far out in the physical world. So, it's the potential consequences. On the Pure Digital area is information, but when you move it over completely over to the OT side where you actually go into the physical world, the consequences are purely physical. So then, it's about things that are really threatening and dangerous. So that's a completely different ball game, completely different consequences than just handling information, and I think that's a continuous blind spot where we work in our screens, in our applications, in our risk assessments matrixes, and we tend to overlook that this can actually be very dangerous and life threatening if we don't do it properly.
Gary Thompson: You've obviously worked in the consulting arena for many years and you've probably seen a shift in the boardroom mentality in the last five to 10. What has that been like in terms of that perception of OT security at boardroom level in that period of time?
Kenneth Titlestad: Yeah, I would like to see it in, in the light of the vuca volatility, uncertainty, complexity, ambiguity. So now we're we are have been at least a couple of years in in the age of Vuca where everything is just complex and volatile, so I've seen the board members really pick up on that. The investment decisions they take a longer time, they double down on analysis to ensure that they that they actually do the right decisions when everything is changing and when cyber incidents can happen all or everywhere, they need to make sure that they are resilient towards it, not necessarily prevent it, because that's that would be impossible, but that they are actually resilient and can recover from them properly and also regulations coming on top of it. So they have to do it due to regulations, they have to do it due to compliance reasons. So that makes it nowadays a very different conversation with board members and executives because they really know about the cybersecurity issues, the volatile environment around us, complexities, uncertainties, and they know that they have to do something about it due to the regulations. So I hear for instance executives often saying that it's a common topic between executives at social meet ups and dinners and those kind of things where cybersecurity is a very, very common topic to talk about. In addition to everything else that you talk about between executives.
Gary Thompson: You touched upon regulations and frameworks, frameworks like this too, and IEC 62443 in your opinion, are they genuinely improving resilience or do you feel that organisations are still approaching them as a box ticking exercise?
Kenneth Titlestad: Both. In the short run I think they can make it worse. because there's a really, really big need for resources to go into the regulation terrain, understand it like for instance 62443 alone is over 1000 pages, if you also consider some of the draft documents. So it's a terrible thing to dive into and get to know what it is. It is very, very hard to understand the principles behind it. The same with the NIS1 and NIS2 Cyber Resilience Act. The Machinery Regulation, this Radio equipment directive, there are lots, there's lots of them, and all of them are lots and lots of pages. So, I see that kind of the access to resources breaks down completely When all companies in Europe need to do this approach at the same time. So that's a major challenge. But in the longer run, I hope that we are able to do it in a kind of scalable, balanced way together in Europe across the different sectors across the different companies. So in the longer run in, it will actually be the minimal cybersecurity level of our products and services. But I am actually concerned that it will rather break down instead. So it will take years and years to actually come through it and actually start to increase maturity.
Gary Thompson: If you could redesign how organisations approach OT security from scratch, what's the first thing you would change and why would you change it?
Kenneth Titlestad: I would think that it would have to be something about the approach or how we balance people, process and technology don't buy a technology to solve it. So like Bruce Schneider is saying that if you think technology can solve your cybersecurity issues, then you don't understand cybersecurity or you don't understand technology. So cybersecurity is a process. And in that sense, it's also a never ending process. So I would recommend the businesses to start looking at it as a process. Start where you are, dive into it and understand kind of what's your current status, your kind of maturity level. You don't need a perfect picture of it, but you need to start somewhere and then start to focus on what's the most important things you need to do right now. Prioritise heavily. So that takes into consideration the risk based perspective or the principle of proportionality. Start with what matters most. If you are concerned for sort of safety issues or whether your company can survive a ransomware attack, then you need to start there. You need to involve the right experts to figure out what you should do going forward with that kind of really hard prioritised place to start. So prioritise and do the kind of very, very basic risk assessments.
Gary Thompson: You've got some quarters who are saying AI is an absolute game changer and others who are saying the world's going to end. It's a game ender. It obviously is the new reality, but where do you kind of sit in on the whole topic of AI currently?
Kenneth Titlestad: I'm a technology optimist in that sense. I don't think it's something that will end the world. I don't think it's will completely revolutionise the world either, but we need to take it seriously because it's actually going to make a lot of work much more efficient and in that sense it's also called going to change roles, some going into the future there could be work types not actually out there anymore because it's been automated away with AI, so we need to be able to take that into consideration. But now we see that they're off on the cybersecurity side, the adversaries, they are using it. Of course we as defenders need to use it as well but do it in a kind of piloted way where we can't just jump in and trust it from day one. We need to test it out in safeguarded environments, put in guardrails, so we let it play in a sandbox and when it recommends solutions, then we make sure that we audit it and validate it before we actually go onwards with the recommendations coming from AI. But in that way we can actually start to use it and pilot with it. Even in safety critical systems, we need to safeguard it and guard rail it properly and if we do that then we actually can start piloting more on it, and we have to.
Gary Thompson: On that topic, how far away do you think we are from seeing AI driven automation play a practical trusted role in industrial security operations?
Kenneth Titlestad: I think it's still there or it's actually there now, so there's moderate model predictions, for instance. That's something that automation OEMs have been delivering for I think it's around 10 years or so they have been doing that, so it's kind of advanced algorithms and neural networks they've been doing that for 10 years, so there's a really fine line on whether you call it AI or not, and but they have been doing it for at least 10 years already. So AI is or primitive AI is already doing lots and lots of industrial automation.
Gary Thompson: If you could use AI to remove one pain point from your job today, what would you remove?
Kenneth Titlestad: My handling of my emails so I would love to have an AI agent that could handle my emails.
Gary Thompson: On the topic of AI, do you think it will help attract more people into cybersecurity? Or do you think it'll be harder to develop the deep domain specific expertise that OT requires?
Kenneth Titlestad: Both. With AI in cybersecurity, it gets… Cybersecurity gets kind of more sexy, so cybersecurity could be a discipline where there it's kind of the conservative people who jump in on it, while they're the ones really wanting to work on new technology and cutting edge. They go into the development area instead of cybersecurity, but with AI coming into cybersecurity it gets more exciting, but it's also challenging to become an expert in the field, because as graduates or beginners in the field of cybersecurity, you are competing with all the other ones who are heavily using AI themselves, so to stick out among all of the other ones, I think the competition gets much worse now with everyone being cyborgs with their own AI agents. So I'm really curious about what the future of, or the future cybersecurity expert will look like, but I do think that it's someone who has really got the knack of using all the right AI agents and AI tools.
Gary Thompson: What do you think if you were kind of making recommendations to the next generation in terms of skills that they should be developing to break into this this ecosystem and to have a kind of a long lasting career, what advice would you give to people going on that journey?
Kenneth Titlestad: I would recommend them to stay curious on new technology coming as to be able to navigate the shifting landscape we will definitely be having in the future. Stay curious. Look into new technology. Experiment with new technology. Don't be afraid of it. Put guard rails in place, the necessary ones so we can experiment with new technology and also look for multipliers. So for instance, when you look with AI and AI agents. If you're able to in your work or in your studies, if you are actually able to use AI and AI agents, you get the effects of multipliers. So that's also something that companies and businesses and societies will be compensating if you are able to make solutions that gives good effects for lots and lots of people and companies, that's something that will ensure you a job and a good role kind of forever. So there's something about looking if you're able to, looking for the multipliers that benefit you and your friends and your school or your company, that's something that companies will be hunting for those kind of people.
Gary Thompson: If you're hiring or mentoring someone and they don't have the certifications, they don't have the technical expertise, I know you've mentioned a few things already there, but what other things would you look for to see whether they could make that natural transition into a cyber role?
Kenneth Titlestad: A personality profile. I think that's very interesting to have a look at. If they are curious in nature, if they dare to try out new technology and they would like to look at how to build safeguards around it or barriers around it so they can actually play around with new technology. I don't think it would be necessary for them to have certification or a master's degree in the specific field to make them interesting. So that's also back to my entrance into OT cybersecurity. I don't have a degree in cybersecurity. I don't have an engineering degree. I have to take in some certifications lately, but that was just lately. So my degree is in organisation psychology. So that's also something I think about when it comes to recruiting, you don't need to have the formal education or the formal certification, but the personality traits, that's something that is very, very important.
Gary Thompson: Kenneth, I set your expectation at the beginning, then I'd thrust in some quick fire questions on you. Some interesting ones here, so you know, answer them as you see fit.
Kenneth Titlestad: Yeah.
Gary Thompson: So in your opinion, what's the most overused phrase in cybersecurity?
Kenneth Titlestad: MDR.
Gary Thompson: Which security framework do you secretly enjoy working with?
Kenneth Titlestad: NIS Cybersecurity framework.
Gary Thompson: If you could eliminate one common security mistake forever, what would it be?
Kenneth Titlestad: Easy guessable passwords.
Gary Thompson: One book or podcast that every cyber security professional should check out?
Kenneth Titlestad: Darknet Diaries.
Gary Thompson: One quality every great security leader needs.
Kenneth Titlestad: Being able to motivate people.
Gary Thompson: Can you name a mentor or a figure who's had the biggest impacts on your cybersecurity career?
Kenneth Titlestad: Robert Lee from Dragos.
Gary Thompson: When you're in a situation where you need to focus and channel your energies. What songs do you have on your playlist?
Kenneth Titlestad: None. Completely silent.
Gary Thompson: A guilty pleasure app or game on your phone.
Kenneth Titlestad: TikTok.
Gary Thompson: Finish this sentence. “If I wasn't in in cybersecurity, I'd be…”
Kenneth Titlestad: Working with psychology.
Gary Thompson: Working with psychology. Excellent.
Kenneth Titlestad: Yeah.
Gary Thompson: Kenneth, it's been an absolute pleasure. It's been brilliant. I just want to kind of open the floor to you because I recognise as we were speaking about a little while ago and we've known each other for a little while and I recognise the impact you've made on the industry and understand that you have within it. Tell me a bit about Omny because we were obviously speaking about the transition between Sopra Steria to Omny, but tell me a little bit about the business, the plans and how you found it in your new environment.
Kenneth Titlestad: Yeah. So Omny is something I really got more and more interested in, especially the last year or in 2024. I've been following Omny from the beginning, but in 2024, I saw the consultancy business around Europe starting to break down due to too much demand. So all of the companies around in Europe, they need lots and lots of senior cybersecurity people. Hunting for the same ones. The consultancy companies not able to deliver properly and the cannibalism started heavily in 2024 when all of these companies started to hire for themselves. So that's an effect I see will be just be exacerbated going forward with all the regulations and the increasing threat levels. So that's a future which the consultancy business it's not scalable the way we do it now. We need to be able to put AI into the loop, the right tools into the loop as well so that we can help the different businesses with a much bigger multiplier, and that's where software comes into the picture. And I see that for instance software solution is something, and AI is something that we really need to have for the increasing threat levels we have and volatility. So that's where I saw Omny as a really interesting prospect for me, where they focus on OT cybersecurity software solution, and I jumped over to Omny seven months ago and we are born out of OT with an ambition to build a really powerful digital twin or digital representation of the facilities you'll have in your business. So it means covering and showing and modelling the physical infrastructure, the motor, the engines, the valves, the turbines as well as all the digital equipment you have with which switches, firewalls, networks, operator stations, those kind of things. They are in the same model with everything being connected or you have your IP addresses, you have your documentation, you have your technical drawings and with that model you're much more able to see your assets inventory, your complete asset inventory on both cyber and physical. and with that asset inventory, you are much more prepared when you need to protect it more your asset more you look to your digital twin the same way when you have to detect something. You need to understand, “OK, I've detected something in my plant. What kind of potential consequences could it have?” You need your digital model to understand it and response and recover as well to be able to rebuild something when you have a digital representation of it, you are in a much stronger position to actually to do response and recovery in a much, much shorter time.
Gary Thompson: How does the company look at the moment? So can you give a kind of a bird's eye view of the kind of head count and where it's positioned?
Kenneth Titlestad: Yeah. Currently we are three years down the road as a software start-up and we are around 45 people primarily in in Norway. Our ambition is for the next couple of years extend into Europe and then go for the rest of the world with a major, major global ambition.
Gary Thompson: You were telling me a little bit about the investment structure earlier on, which is naturally going to propel this significant growth journey. Would you mind just sharing a bit of information on that?
Kenneth Titlestad: Yeah, that's public information, so I can share that information at least. So we are Co owned by two of the biggest company in Norway with the ARCA Group having half of the company and Telenor as the major telco in in the Nordics having the other half of the company and Cognite being also on the ownership list, we have access to Cognite's technology as well in our platform. So that’s a very, very… for competitors that we see it as an unfair advantage because we have really, really strong access to industries, to plans, to prospects and clients deep into industry due to our 2 main owners.
Gary Thompson: I imagine there's going to be a fair bit of growth and recruitment happening for you guys, not just in Norway but across Europe as you mentioned and potentially further afield over the coming years. How would you, how would you pitch life at Omny to somebody who is potentially looking at you guys as a future employer?
Kenneth Titlestad: If you want to be part of a really big adventure where the ambition is to become a major company, solving some of the difficult, most difficult challenges in industries across the world, then you need to be part of Omny.
