Cybersecurity Q&A: Martin Sværen
Q&A Transcription:
So Martin for those of you who may not know you or may not have met you before today, can you give me a bird's-eye view of who you are and what you do today?
I'm Martin, and I live in a small place called Oppegård, just outside Oslo, about 20 minutes by train from the city. I grew up in Voss, a small town in the western part of Norway. I've been at Accenture for 15 years, working in the cybersecurity area the entire time. It's been a significant journey, moving all the way from analyst to managing director. This involved going from hands-on work with clients, doing analysis, reviews, and so on, to now leading larger engagements and helping clients with major issues. Overall, it has been a really rewarding journey. Outside of work, I'm married, and we have a small dog.
I would say one of the questions I get quite often is, "Why are you still at Accenture after all these 15 years?" I think there are two main reasons for that longevity. The first is simply the people: great colleagues who both support and challenge you. This ties closely to the second point, which is always having new opportunities to be challenged.
If you really want it, there is always a chance in a company like Accenture to take on new challenges. To be clear, this is not the company for someone who wants to stay in the same space and do the same thing for many years. While that is technically possible, if you really want to get the best out of Accenture, the key is to continually seek out and embrace new challenges.
I think with security and other IT topics, many people don't start their early years imagining a career in cyber, IT, or whatever it might be. When you were going through your teenage years, what did you imagine your career would look like? What were you planning for?
I remember going all the way back to my younger years. I knew of this fancy title in law that is basically the Norwegian Supreme Court leader, or something like that. It was also a very difficult word, so I thought, "Okay, that sounds cool." But as I grew up and went into high school, I really started to enjoy natural science and mathematics subjects. I really wanted to be an engineer.
I already knew, probably around 16, that I wanted to go to Trondheim to study there, and that was kind of how it started. I think I had five different variations of engineering when I was applying for university, so I ended up putting the most theoretical one on top - the one more focused on mathematics and physics. That's the path I stayed on throughout my studies.
Then I kind of discovered security, probably a little by chance, because I applied for the Accenture Summer Internship, which is a general internship where you are assigned to a project by the Accenture team. I was picked for a security project, which was super fun and very interesting. It involved a lot of changes and some very engaging discussions toward the end, and I definitely saw that this could be something to work with. That’s how it all started, and as I mentioned before, 15 years later, here I am.
From a global perspective, so much has changed during that period of time but you were the witness first hand from a security perspective, just how many different evolutions there have been from your perspective. From you starting to where you are now, what's been the most dramatic change?
I think the biggest change is that cybersecurity, if we go back to when I started, was definitely considered an IT issue. It was simply a matter of, "Okay, we have this system, what do we need to fix inside it?" Now, it has become a board-level issue. That is where the focus is today. We have C-suite interaction on security, and we are getting requests like, "The board needs input on what our actual position is." I think that is definitely the most significant change.
The second major change is the focus on operational resilience. It is no longer a question of if you will be hacked, exposed, or face a major issue; it is more a matter of when it will happen and what you do when it does. The focus is therefore on being as resilient as possible to quickly return to normal operations. This is driven by the understanding that you cannot catch or block everything outside your environment, so you need to be resilient from the inside out.
Looping back to the previous point. Obviously you've witnessed a huge change in terms of tech threats and environment, Accenture as a business, as an employer, what does it look like on the inside? How have you felt that big business development and specifically in the Nordics in the last 15 years?
Of course, I’ve also been rising through the ranks during this period, so I don’t have full insight from the very beginning, but a few observations stand out. Firstly, I think Accenture is becoming even more client-centric. When we are working, we need to be close to our clients and understand what they want to achieve because while we see market trends and new technology, different clients want to adopt them in different ways. Client-centricity is key.
Secondly, especially over the last year or two with AI appearing everywhere, it’s about how we take a transformation from a good Proof of Concept (POC) to full scale. Anyone can create a POC. That’s where Accenture has excelled, both generally and with earlier cloud adoptions - we help clients implement fundamental changes and transformations. That’s where we continue to evolve. It’s the same basic mantra, but we consistently follow the technology and help clients navigate new challenges.
Of course, the market and geopolitical environment are very different now than just a few years ago. We face new threat vectors, including more state-sponsored activity and criminal enterprises with very different motivations compared to early DDoS attacks in 2010. For example, when I started in security, it was often teenagers doing it for fun. Now, you have teenagers running ransomware businesses. This is reshaping the market, and we need to follow that development and constantly ask, "How can our services evolve to keep up with these changing threat vectors?"
You were touching a moment ago on board level attitude towards cybersecurity and, certainly in terms of the leadership hires that we've been making in the last two years versus 10 years ago, we've seen a distinct shift towards patterns and skills and leadership. From your vantage point, what has the attitude been like at board level towards cyber in the last five to ten years?
As I mentioned earlier, cybersecurity is now firmly on the board’s agenda. Crucially, it is not only there as a compliance item, where regulations dictate that the board must be reported to once a year. Today, boards are actively inviting Chief Information Security Officers (CISOs) to meetings to provide status updates on current events. For example, when addressing the geopolitical market or new technologies, boards now ask, "What is the cybersecurity perspective on this?" It’s not only about, "What opportunities does AI present?" but also, "How do we protect against it?" Or, taking the war in Ukraine as an example: "How will this impact us as a company? Do we have any suppliers in Ukraine that could be affected?" These issues are now on the agenda, and they are no longer treated as purely compliance matters. Boards understand that operational resilience, which I mentioned earlier, is also a board-level concern.
I think this represents a big change, but it also poses a challenge for us as security professionals. We need to move beyond the tech stack and explain these concepts in business terms. We cannot simply say, "It’s because this protocol isn’t communicating with that protocol." We need to be able to discuss business resilience. This ties directly to the difference in the profiles companies are hiring. We still need the "techie nerds" who can handle the details, but we also need security professionals who can communicate effectively at the C-suite level.
With everything that's happened in the last few years and with all these transformations with cloud adoption obviously going back in time and still being a big topic right now and cyber resilience of course, where do you see the biggest blind spots when organisations are attempting all of this at scale?
Yeah, I would split it into three areas. First is coverage of security - making sure we cover all the new technologies and areas, especially because it’s now much easier to procure new services. It’s like you can just swipe a credit card and buy a cloud service. That’s something we’ve been managing for a few years now. You can also buy agents, set up services, and integrate data into them. That’s where it gets a bit scarier from my perspective. How do you ensure security is involved when buying, acquiring, and integrating new services?
Second is training people for this new landscape. We need to make sure they are using the right processes and technology while also understanding that humans remain in the loop.
The third is operating models - where does security responsibility sit? If we go back to when systems were monolithic, like a fortress, everything was inside the walls, and it was easier to say the CISO was responsible for protecting the perimeter. Now, with systems starting from the centre, you have identity, data, system owners procuring self-service solutions, and others integrating services, you need an operating model that distributes security ownership across the organisation. This is the most important aspect because it connects to the first two. If you cannot operationalise security in a distributed organisation, you are setting yourself up for failure. Everyone just points at the CISO, but they won’t have the mandate, budget, or capacity to be everywhere. Clear roles and responsibilities in the operating model are therefore crucial.
In terms of everybody's favourite topic - NIS2 - obviously it’s been very widely talked about in the last couple of years and on everyone's agenda, ISO is increasing, organisations are genuinely becoming more resilient, but from speaking to people, there seems to be a bit of a division. Some are really embracing it and doing it for all the right reasons. Some are doing it as a bit of a box ticking exercise. What's your perspective on that?
I think, as we touched on earlier regarding the board topic, developments like NIS2 and DORA are definitely putting this on the map. What we will likely see is a widening gap between mature and less mature organisations. The mature ones, as I mentioned earlier, will treat cybersecurity not as a compliance exercise, but as part of operational resilience. They will ask, “How can we use this as a benefit?” We’ll see organisations like telco providers really focusing on security in their offerings and marketing, to ensure they provide a secure product. For example, in Norway, Telenor is doing this quite aggressively - selling and integrating security products as part of their commercial strategy. That is a very conscious approach.
However, there will also be laggards. These organisations will continue to treat cybersecurity purely as a compliance exercise, and they will fall behind. That is where, regrettably, we are most likely to see successful attacks. Those who embrace cybersecurity and use it as a competitive advantage will perform well. But those who continue to treat it as a box-ticking exercise are exposing themselves to significant risk going forward, in my personal opinion.
I can partly see as to why these things happen, but I guess in your opinion, what's kind of the rationale behind falling behind for some of these organisations? I recognise you may have personal experience of this but seems a bit crazy from my perspective. What's your take?
I think it’s a very good question, and of course, it’s hard to be extremely specific. But a general observation is that many boards don’t fully understand how significant a business risk cybersecurity really is. There is a clear lack of understanding. We are also seeing some boards bringing in more tech experts to infuse the board with greater knowledge - not only on cybersecurity but also on general IT - because technology is a pillar for all corporate transformation these days. Especially, as we mentioned earlier, AI is set to transform many businesses.
I think those who are not taking these steps, the ones who are still thinking, “Okay, we’ve had this business process for many years, so we’ll continue with the same process and make that our focus”, risk being left behind. In my view, the two biggest factors are a lack of understanding of technology evolution and a lack of understanding of the associated business risk. That’s why this is happening and why there will be laggards.
If you have the opportunity to take an enterprise organisation and kind of remove all of the legacy constraints and redesign their enterprise security strategy from scratch, what foundational principle would you build it on and why?
I’m not sure if I can choose just one, but I would definitely say two. First, we need a very solid understanding of asset management - knowing what assets we have, what their value is to us, and how we classify them. That is a key foundational principle. Then, I would build everything around those assets using an identity-first security approach. We start with identity, build around it, and use it to establish guardrails. This may be a bit of a “too good to be true” scenario, but that’s definitely where I would start if I had the opportunity to build from the inside out.
If it ever happens, it would be amazing, but unfortunately I think that's in the realms of partial fantasy. But risk is something that's been a topic for a long time, and specifically with technology evolving at the pace it is. In your view, what is the most underestimated cyber risk that large organisations continue to overlook?
The classical consulting answer would be, “It depends.” But if you want to put me on the spot, I would say the insider threat. The fact is, and referring back to our previous discussion, if I could build from scratch, the reason I would build from the inside out is this: no matter how many outer layers you have, there is always a risk of an insider. Of course, this could be someone planted maliciously from the start, carrying out a long-term plan. But it could also be influenced by market pressures - employees see that new technology is streamlining processes, reducing the need for staff, and that discontent can increase the insider threat.
Looking at mature threat analyses, there’s a quote I’ve seen referenced many times: “Hackers don’t hack, they log in.” Often, this happens because they have gained access through an insider - either someone recruited or someone who no longer cares - getting hold of valid credentials. Of course, further activity is needed after that login to escalate privileges and achieve their goals. But fundamentally, the hackers don’t hack, they log in. In many cases, this is directly linked to insider threats.
We do have opportunities to address insider threats more effectively, but it requires finding the right balance between an individual’s privacy rights in Europe and a company’s right to protect itself. In general, I think companies are not doing enough. There is room to manoeuvre, and it must be done skilfully and thoughtfully, but there are definitely steps that could be taken to better protect against insider threats.
Hot topic at the moment, and it has been for some time, but one that's just going to continue to be talked about in many different ways is AI. Now naturally it's going to have a big impact on how business processes, security and recruitment generally speaking will play out in the modern world, but if you were to look at the cyber life cycle, what part of it do you think will transform the most as a result of AI in the next three to five years?
I think we need to start by looking at where the most data is. After all, what is AI good at? Analysing data. Depending on how far we want to go into the generative AI space, it can also suggest or take actions. In that sense, it’s easy to highlight detection and response, because those areas generate a lot of data. For some scenarios, AI can take immediate action, while in others it can recommend actions to a human in the loop. That’s already something we are seeing.
Another topic I would like to raise is third-party risk management. As you mentioned earlier, new regulations like NIS2 and DORA put significant focus on third-party security and supply chain risk. This will generate a lot of data. Questions sent out, documents received, evidence collected. That’s an area where we have an opportunity to make a real difference. From a purely technical perspective, detection and response is key, but on the process side, third-party risk management is where we can drive meaningful change.
It’s also an area with stronger regulations, which will create additional controls. Human nature often means organisations will initially handle this manually and only later look for efficiency. That’s where AI can help, just as it has in detection and response, where machine learning has been applied for years. Going forward, we can expect more use of agentic AI in these areas as well.
I guess, with so many different things at play, whether it's with all the different things that are coming together in cloud, hybrid infrastructure and now lots of organisations looking at different ways to adopt AI, does AI ultimately make security easier, or do you think it introduces a whole range of new risks that we're just not prepared for?
I think we have to be very conscious that it will do both - it brings significant benefits, but it also comes with risks. It goes back to the idea that even inventions as simple as the light bulb or the wheel were game-changing, but in the beginning there were accidents. We just need to be mindful about where and how we use AI. We still need to keep humans in the loop and ensure that AI is designed to support people, not replace them. We can definitely be more efficient, but it’s not going to replace all of us.
When it comes to the risk side, governance is key. We need to make sure we have the right policies, the right controls, and that we are following the correct regulations. That’s how we maintain control over what AI actually does. I’m not talking about the nitty-gritty details - all of us don’t need to understand that - but we do need to know what data is being used as input, what integrations exist, and what outputs are generated and where they go.
This goes back to the classic approach I used in risk assessments about 15 years ago: break down the elephant. Look at where the data flows, where it ends up, and what type of data it is. This ties directly to what I mentioned earlier about asset management - do you have control of your data, your assets, and their flows? It’s a long answer to a short question, but I think that’s the real part of AI that we need to address, from both the benefit and risk perspectives.
The next question you've partly already answered, but I guess from my industry, I see a lot of organisations who are racing to get the next shiny new thing into their business that's going to save them time and money but they don't really understand what value it’s bringing, and then I imagine there is going to be a cycle of retrenching. So, you know, having people like yourself, who can guide and kind of build the right sort of programme is brilliant. But I guess the question was more so around where do you believe organisations are most underprepared? Is it the technology, the governance or the workforce readiness?
I think it’s going to be governance, because we can learn new technology and take training. I’ve done a lot of AI training lately from an Accenture perspective, and some of these trainings really stress the importance of governance. We need to make sure we have a modern set of policies in the organisation, and that we are allowing adoption a bit more than we have done before. At the same time, when we are allowing AI to be used, especially integrated with third parties or through LLMs, what controls do we have around it? And of course, it’s not only about the initial approvals, but also about how we do fundamental tasks like security testing of these models and what they are actually producing.
We have a very good offering around Red Teaming AI systems, where we go in and test them from a functional perspective to ensure they don’t produce output we don’t want. For example, we make sure they don’t start answering questions that are inappropriate for a bank or retailer - if a customer is chatting with an AI agent, we don’t want it answering political questions. At the same time, we look deeper at the technology, asking: where does the data actually flow? Where are the integrations? What opportunities exist to input something malicious into a chatbot, for example?
So I think that’s also where new security offerings will emerge. But again, the short answer is governance.
In terms of Accenture, do you mind giving us a quick overview of Accenture security business in the Nordics and where you're seeing currently the strongest momentum?
Yeah, I don’t think I can go into too much detail, but we are definitely growing across the markets and across industries in general. We’ve seen a lot of momentum recently around core transformations. Companies with legacy systems need to ask themselves, “Okay, in order to compete in the modern world or to set up our corporation or group using AI, what do we need to do?” They need to move out of legacy systems and gain a better perspective on their data. That’s where Accenture as a whole thrives - not only Accenture Security, but really supporting those transformations across industries.
Some industries are quicker to follow the market, while others, like the public sector, are more steady and structured. But from our perspective, we are seeing growth across all areas. To give a quick answer to your question: right now, in the Nordics, we are 250 people and growing.
One of the things I've been really impressed by, and obviously I speak to a lot of leaders across the consulting, many services and vendor community globally, but Accenture’s numbers over the last few years. All these reports keep coming out about growth and revenue increase and all these positive things, which is unbelievable, and there are lots of other organisations, small and big, who haven't been able to produce quite the same positive noise. Why is Accenture doing so well at the moment? What makes Accenture different?
Yeah, I think there are three main things, and I think I’ve already covered two of them. The first is that we have delivered the transformations. We’ve really implemented the changes where our bigger clients need them. That’s the first factor.
The second is continual involvement. Right now, we are running upskilling for all 800,000 of our people in AI. And that’s not just a one-off. We have online training, classroom workshops, and courses in cooperation with third parties, such as universities, to bring in the latest research. This helps everyone get up to a general level, while also providing role-specific training. So we are constantly evolving.
The third factor is our relentless focus on clients and their needs, having a full understanding that we must be able to adapt and change accordingly. I think those are the three factors I would highlight. As you said, Accenture Cybersecurity, as we’re now called, is actually the biggest growth engine in Accenture right now. It’s the area that is growing the most in a company that is always growing, which is quite significant and something we are really proud of from an Accenture Cybersecurity perspective.
Like I said, I've kind of seen it first hand through the last 10 years of working together but ultimately I've seen lots of others struggling in the marketplace. So watching you guys do what you do is incredible and I guess you've kind of given a really good compelling reason there as to why somebody might look at Accenture as a future employer. One of the common challenges particularly with people who are thinking about where to take their IT career next is do they even look at consultancy as a career and you know, there's a lot of noise that comes with the career and with consulting. There’s the hours and travel and all these different, sometimes mythical things and sometimes they are realities. But if you were kind of pitching a consulting career to somebody making that decision right now, how would you describe it? How would you pitch it?
As I said, there are definitely some myths about hours and travel. At the same time, let’s not sugarcoat it. Accenture does expect you, if you want to take the next steps and grow, to occasionally step up a little extra when there is a need. We might have a client who requires it, or a proposal that needs to be submitted. That expectation is there, but it’s also up to the individual whether they are willing to take it on. I think that’s the honest answer.
On a more positive note, we have a very good model to support individual growth. This includes coaching, training, certifications, and each of us having a personal career counsellor who really engages in dialogue with you: What is the next step? What is the next project? What is the next training you should do? What is the next internal role you should look at? That kind of constant support network exists across all levels, from the lowest to the highest, and is reinforced by our performance process. If you take the chances and go after opportunities, you will be rewarded.
As I mentioned in my introduction, and as I often get asked after 15 years here, Accenture provides opportunities that bring challenges. So if you really want to be challenged, the opportunities are there.
Finally, looking at some of our latest wins in the Nordics, especially in the public sector, we are doing projects that have a real societal impact. If you want to help drive systemic change through your IT career, Accenture can help you do that. We’ve helped modernise pension systems and defence systems. These are projects where you’re not just working for a company with thousands of clients, but creating solutions that affect a significant portion of the population in Norway, often 20 to 30% of inhabitants. That’s when you know you’re making a real difference.
We often get asked a question and we're often coaching different hiring personnel and looking beyond the CV and things like the softer skills or the things that don't naturally appear but are vital for organisations to say scale, but if you're looking at somebody and you don't necessarily see the credentials or the technology, what traits or what skills do you look for that you think make a great either Accenture employee or a consultant or a cybersecurity professional?
Just to put a little context, we cover a wide range. We provide services from deep technical skills to C-Suite consulting with doctors and executives. So we need the tech experts, the extroverted consultants, and the very deep analytical profiles. But across all three, the key trait we look for is curiosity. Someone who genuinely wants to ask questions and is willing to dig for that little extra bit of information.
One thing I always ask in every interview I conduct is, “Do you have any questions?” If a candidate has zero questions, I have to admit that’s a yellow flag for me. Even after 15 years at Accenture, I still have tons of questions about the company and its internal processes. So if someone coming from the outside has none, it does make me a little concerned.
Curiosity is key and interest, isn't it? If you're going to solve the problem, you need to know how to get under the skin of that problem and need to be able to ask the right questions to understand how to approach it. So I completely agree.
Yeah, definitely. And that’s one of the core things. We also ask our interviewers: are they able to solve the problem? I always tell them to ask themselves, “Is this someone you would like on your project?” That is the key question we teach our interviewers. Of course, not every interviewer is a perfect fit with the person they are interviewing, but we do our best to make the match. That question still stands: is this someone you would want to bring on your next project?
I've got some quick fire questions for you now. What's the most overused phrase in cybersecurity right now?
AI.
If you could eliminate 1 common security mistake forever, what would it be?
I would say the technical misconfiguration that someone just makes an error because there's so many things that could be avoided if we just kind of avoided that one error.
Can you give a shout out to a mentor who's had the greatest impact on your career?
There’s so many I would say but if I have to choose just one I'll go a little bit off the standard one and it's a colleague, their name is Fenella Kosness. He's also a managing director in Accenture here in Norway. But we've had many good conversations over the last, I would say 8 plus years on kind of what is consulting, what is our position, what are the right roles. And it's always dead honest. There is no sugar coating and that's good because we're in completely different parts of the organisation. So that's something I really appreciate.
What one guilty pleasure app or game do you have on your phone?
I’m not sure if this counts as a guilty pleasure, but the first thing that came to mind was a chess app. Then again, that’s not really a guilty pleasure, it’s more of a mind exercise. But yeah, I think my phone habits are fairly boring. For someone who probably works too much, I do spend a bit too much time scrolling Instagram. It’s just a mindless activity to do sometimes, especially when sitting on a train. So I wouldn’t really call it a guilty pleasure, but if I had to choose, it would probably be Instagram - or my chess app.
Finish the sentence for me: “If I wasn't in cybersecurity, I'd be...”
Political advisor.
Ok. Interesting.
When I was studying, I was quite involved in student politics. I served as head of the student parliament at the University of Trondheim, which at that time was the largest university in Norway. We were representing 20,000 students. If I had wanted to, I think I could have continued down that path, potentially moving to the national level and exploring other opportunities. So I think that would have been it. At this point, though, it’s probably a little too late for a fallback career in that direction.
I don't know. When you’ve solved the region's cyber issues that could be something you dive into next.
Oh, well, I think that’s going to be a continuous challenge that will last long after my time. I don’t think it’s fully solvable, but we can at least try to resolve a few incidents and help clients along the way. I also think it’s smart to approach it with the understanding that this is an ongoing journey, because if we ever think we’re done, then that’s exactly what happens: we’re done.
Yeah, 100%. These issues never sleep, so we've got to be vigilant, alert and thinking three steps ahead at every turn.