Sten Eikrem

Cybersecurity governance and risk management for industry, manufacturing and energy

I work on cybersecurity risk in industry, manufacturing and energy, where downtime means safety incidents and production losses. My job is to make security a business decision, not a stack of documents that satisfies the auditor and changes nothing on the plant floor.

I have done this at scale. Building a global OT security programme across 40+ manufacturing sites cut response to the same class of incident from weeks to minutes.


Focus areas

Security programme design for industrial and energy environments. Project security architecture through buy-build-run lifecycle. Security governance that drives decisions, not documentation.

Fifteen years in industry, manufacturing and energy, spanning major incident and problem management, enterprise security governance, and OT security programme delivery.

I’m open to the right opportunity in security leadership, and to selected advisory work.


Latest from the blog

Your certificate signals. It doesn’t tell you what to protect A certificate signals that you follow a recognised process. It won’t tell you your risk context, or what your programme should cover and what it shouldn’t. That decision is yours, and it is the part that actually reduces risk. 10 July 2026

OT telemetry in the SOC is the easy part Getting OT telemetry into the SOC is the easy 80%. The part that decides the outcome is organisational: who owns the assets, and how a detection becomes a safe action the automation team can actually take. 9 June 2026

AI in your business: the decision is yours, not the model’s The value of AI and its risk are the same feature. You cannot control the decision yet, only the boundary, so deploy AI only where you can accept the worst it can do, and stay out of everywhere else. 28 May 2026

Sizing cyber for the company you actually are A cyber programme for a newly standalone business should be dimensioned from its market position, management’s actual intentions, and the mandatory floor. Not scaled down from the parent’s programme. 26 May 2026

Risk appetite is not where you think it is Most organisations confuse risk appetite with risk tolerance. Between the two sits governance, and almost nobody manages that gap. 10 April 2026

View all blog posts →


Portfolio highlights

The ISMS beyond the certificate, why most organisations have an ISMS but not a management system, and what changes when compliance is no longer enough.

Core ISMS capabilities framework, a capability model covering governance, risk, controls, operations, and measurement within an ISMS.

System security concepts (7 articles) A methodology for implementing systematic security documentation within ISMS frameworks.

Capability sections covering Risk Management, Governance, Policy and Guidelines, Instructions, Communication, Controls, and Assurance are in development.

View full portfolio →


Research & publications

Technical writing and analysis on security frameworks and risk quantification.


Get in touch

If you’re hiring for security leadership in industrial environments, or want a second opinion on an existing programme, I’d be glad to talk.


This site is built with Quartz and published under CC BY 4.0.