Liisa Past, Chief National Cyber Risk Officer, National Security and Defence Coordination Unit, Government Office, Estonia

By Medha Basu

Women in GovTech Special Report 2019.

Image: Estonian Elections Office

How do you use technology/policy to improve citizens’ lives? Tell us about your role or organisation.

The Government Office in Estonia is an umbrella across government ministries and agencies. As the Chief National Cyber Risk Officer at the National Security and Defence Coordination Unit there, I am responsible for the cyber security element of comprehensive defence planning. My role allows me to tackle all things cyber in a cross-government fashion, so it brings a wealth of issues and initiatives to my desk.

What has been the most exciting thing that you worked on in 2019?

While defence planning often focuses on what we are aware of and understand, the so-called known knowns, I am most excited about figuring out how to be ready for the unknown unknowns. That means figuring out risk management for the possible risks and threats we might not be able to clearly conceptualise yet. So, I’ve been really excited to work on how to really meaningfully furnish resilience in cyber security.

What is the best thing you have experienced in your career?

My early career was in strategic communications and I moved into an increasingly cyber-security-focused role over the years with the NATO Cooperative Cyber Security Centre of Excellence and the Estonian Information System Authority. This process was facilitated by great teams and clever people to answer a lot of my questions.

Given the dynamism in the technology sector, the best thing in my career has been being able to learn from incredible professionals who have educated me on the finer details of technology, the fundamentals of international law as they apply to cyberspace or comparative policy frameworks across nations.

It’s been incredible to work alongside and learn from those defining how we view cyber security. These conversations - be it whether data could be considered an object in international law or how to set up the world’s largest international live-fire technical network defence exercise Locked Shields - are easily the most enjoyable element of my career.

If you were to share one piece of advice that you learned in 2019, what would it be?

Early this year, I read a piece on intellectual humility. This idea of constantly accepting that you might be wrong is powerful, particularly as that is the best way to not get cocky, which, in turn, could easily lead to careless mistakes. So, ironically, accepting that you might make mistakes allows you the mental agility to both recognise them and hopefully err less. Best advice: remain humble, remember you might be wrong.

What are your priorities for 2020? What tool or technique particularly interests you for 2020?

Currently, I am very much engaged in long-term comprehensive risk management. This means figuring out how to be at least as agile and flexible as those wishing to compromise us in cyberspace, while at the same time maintaining the necessarily deliberation- and routines-based apparatus of democracy.

What is one challenge you would like to take on in 2020?

Supply chain security of software and machines will continue to be essential for organisations and nations in 2020. For some, it means starting with trying to map your tech stack and figuring out who’s involved in producing that equipment. For others, it’s an exercise of setting up procedures to increase transparency and accountability while many will also just need to recognise their own risk tolerance and how much related security costs.

Regardless, understanding where the elements of your software and hardware come from, who’s involved in making them and how it all comes together as well as the related risks, is essential.

What has been your fondest memory from the past year?

For 10 months in 2018/19, I was part of the Next Generation Leader programme of the McCain Institute for International Leadership. A mid-career sabbatical is a rare luxury in academia, let alone outside of it. This particular programme gives it a framework of practical experience, leadership training and planning on how to go about implementing your ideas. Therefore, an incredibly diverse group of participants is offered a combination of professional development, unfamiliar environment and space to focus.

Going in, I expected to be able to take a deep dive into issues of cyber risk management. I now know I got so much more out of it. Stepping aside meant being able to really re-conceptualise not just how to approach the challenges of the sector, it also gave a unique perspective to leadership and character.