All articles
Cyber Hygiene Remains Security’s Best Defense And Its Most Overlooked Discipline
Petra Klein, Group Chief Security Officer at Swedbank, argues resilience starts with access, habits, and culture before another tool joins the stack.

Make The Security Digest one of your go-to sources on Google
You have to have a mindset today that if you're reachable, you're breachable. You stop almost 90% of all cyberattacks with just pure cyber hygiene.
The attack window keeps shrinking. AI-enabled threats move faster than ever. And most organizations respond by looking for the next tool, the next platform, the next capability to add to a stack that already has more products than anyone can operationalize. Meanwhile, the red team walks in through an unchanged password.
Petra Klein is Group Chief Security Officer at Swedbank, one of the largest banks in the Nordic and Baltic regions, where she leads a 130-person Group Security and Cyber Defence unit spanning the CISO function, protective security, cyber defense center, offensive security, physical security, and executive security. Before joining Swedbank's leadership, she spent nearly a decade as an ethical hacker at Sweden's National Defence Radio Establishment (FRA), conducting authorized penetration tests against government offices and the Swedish Armed Forces. She has been named to multiple global CISO and security leader lists and approaches resilience as a culture problem first and a technology problem second.
"You have to have a mindset today that if you're reachable, you're breachable," Klein says. "You stop almost 90% of all cyberattacks with just pure cyber hygiene. Don't make it too complex. Continue with high focus on access management, multifactor authentication, and making sure that if an attacker gets a foothold, they cannot get any further."
Insider threat as employee protection
Klein's team has built an insider threat program structured as a cross-functional virtual team spanning security, fraud, legal, and HR. The scope is deliberately narrow. The program maps the most critical infrastructure to the roles that have access to it.
"Not all 17,000 employees. It's only a few roles," Klein says. "Those become the boundaries of the insider threat program." The detection engineering team builds scenarios around those roles: data leakage prevention triggers combined with anomalous behavior signals like unusual access hours. When two or more triggers fire simultaneously, the system escalates.
Employees with critical-infrastructure access are told that their role makes them a potential target for nation-state recruitment, and the goal is to make that vulnerability shareable rather than shameful. "No one wants to be the target of a nation-state actor," Klein says. "If you have a vulnerability and you share it with us, then it's not a vulnerability anymore. If it's not a secret, it's not a vulnerability." The vetting process is integrated into regular manager follow-ups rather than administered by security, because managers know their people best.
Mandatory training does not create culture
Klein is blunt about the limits of annual compliance training. "The mandatory training once a year is just compliance-based," she says. "It doesn't create culture." Her team has replaced that model with manager-led classroom training built around customizable topic kits. Managers choose from four modules, select the one closest to their team's actual work, and lead a one-hour session themselves. The pilot is underway and rolling out after summer.
The team is also deploying a security escape room built around an insider threat scenario. Participants follow a phishing email trail, review building access logs from pass entry systems, and work through a hands-on cyber exercise using gamification. "It's one or two hours, and it's really a hands-on cyber exercise," Klein says. "We just tested it in the management team."
The broader culture program runs on visibility and repetition. Signs in buildings, stickers that read "security is everyone's business," and campaigns on the coffee machines. One-liners that stick. "No one is going to read a hundred-page management system," Klein says. "You have to create that resilience in their mindset, in their DNA."
For Klein, tooling is secondary to people. "It doesn't matter anymore who has the biggest or the most expensive tooling," Klein says. "It's the people behind it, their skills, and the will to defend. That is what we are trying to build."






