The hidden risk in public-sector digitalization

Public-sector organisations across the Nordics are under pressure to modernise while facing a growing threat landscape. Digital progress is necessary, but it also exposes essential services to new risks. The question is how to move forward safely in an environment where every new system expands the attack surface. 

Across the Nordics, many public-sector organisations are facing a double-edged challenge. On one hand, they are trying to defend against a threat landscape that keeps expanding as attack methods evolve. On the other hand, they are under pressure to modernise ageing applications, consolidate systems, replace manual processes with more efficient solutions, and improve citizen services. These transformation efforts are essential for long-term resilience, yet they also increase dependency on complex technology stacks and third-party integrations. 

Herein lies the paradox: the more digital and automated public-sector infrastructure becomes, the larger the attack surface. Recent incidents in Denmark, including attacks on municipalities and airports, illustrate how exposed the sector already is. Disruptions and data leaks now occur with a frequency that makes them hard to dismiss as isolated events. 

This raises an unavoidable question for public-sector leaders. How do you drive the digital transformation that society depends on without simultaneously exposing the very services you are trying to strengthen? 

A Zero Trust mindset 
Before introducing three basic steps that are essential prior to launching any new digital initiatives in a municipal setting or similar public organisation, it is worth pausing for a moment to reflect on why these steps are needed in the first place. 

In the Nordics, we take pride in our trust-based society. Rightfully so. It is a strong foundation, admired globally, and it shapes many aspects of the social contract between people and between citizen and state. However, the trust-based principle that most of us carry as a default behavioural setting does not translate well into the digital world. In fact, trust can become a risky starting point both when designing new systems and when working with user experience later on. 

One could even argue that public-sector infrastructure should aim for the exact opposite. This is where the Zero Trust paradigm becomes relevant. It is a security approach built on a simple rule: never assume trust. Every user, device, system, and data request must be verified continuously. This creates tighter control of sensitive data, clearer visibility across systems, and fewer opportunities for attackers to move inside the environment. 

In practice, this mindset helps public organisations strengthen their security posture while supporting the development of secure digital services for citizens. 

Three basic steps 
With that off my chest – trust nothing, assume breach, verify everything – we can move on to the three basic steps that support secure public-sector modernisation. 

  • Step number one: Digital projects frequently run on tight budgets and fixed deadlines, which leaves limited room for security until the very end. When security enters at that point, core design choices are difficult to change, and vulnerabilities risk being carried straight into production. Invite security to the table from the beginning of the innovation process. They belong there, alongside IT, business owners, and project leads. It is equally important that the security team revisits and updates the existing security assessment. Even if an assessment has been completed earlier, transformation projects change systems, processes, and technologies in ways that influence one another. A fresh assessment is therefore essential to reflect the new context. 
  • Step number two: Some public-sector projects go live based on technical readiness alone, even when security testing is incomplete. A more balanced approach requires shared responsibility between technology, engineering, and security, ensuring that systems are evaluated from both functional and protective perspectives before they become operational. This leads to safer launches and reduces the cost of fixing weaknesses after deployment. Again, make security a decision-maker. Today, many projects rely on a single signatory. Instead, insist on a co-signatory model between security, IT, engineering, and technology. When they agree that the system is ready, the project manager can take it forward and approve the go-live.
  • Step number three: As systems evolve, response plans, recovery procedures, and business continuity models must evolve with them. Many organisations realise too late that their plans reflect an earlier technology environment and do not account for new integrations or data flows. Updating these frameworks is important for handling disruptions and restoring stability quickly when incidents occur.

Modernisation is necessary and will help create a more efficient and responsive public sector. By involving security earlier, strengthening decision points, and keeping preparedness aligned with new digital realities, public organisations can limit risk and protect the services citizens rely on.