Our Mission: Securing IKEA Together with the Cyber Journey

Abhishek Sengar, published in Flat Pack Tech, Aug 11, 2023


At IKEA, the security of our systems and the protection of our customers’ and co-workers’ personal data is not just a goal; it’s a responsibility that aligns with our core values. We understand that implementing Cybersecurity and Privacy measures in day-to-day work can be challenging for many teams. The Cyber Journey exists to address exactly that. Through this Cybersecurity and Privacy engagement, we evaluate each product’s security posture and select Cybersecurity and Privacy controls proportionate to the product’s criticality to the business.

Understanding the Cyber Journey at IKEA

The Cyber Journey is a comprehensive approach to operationalizing Cybersecurity and Privacy practices across the entire Ingka Group. Our aim is to standardize and automate security services, fostering a cost-conscious, human-centric, value-driven approach to securing IKEA together. One of the key objectives of the Cyber Journey is to measure the success of Cybersecurity and Privacy processes within IKEA teams and map the maturity of these practices across different domains.

Exploring the Structure of the Cyber Journey

The Cyber Journey comprises five essential steps, each contributing to the overarching goal of creating a secure digital environment:

Step 1: Engaging with Product Teams and Collaborating for a Strong Foundation

Our first step in the Cyber Journey involves engaging with product teams to gain a deep understanding of their products and to ensure that Cybersecurity and Privacy risk management is integrated into their work. Collaboration is key: we work closely with product teams, learning their workflows and challenges so that Cybersecurity and Privacy measures fit seamlessly into their processes. By bringing together the right stakeholders, we form a cohesive team ready to tackle Cybersecurity challenges.

Step 2: Metal Model Assessment: Categorizing Your Data and Assets

The Metal Model Assessment plays a crucial role in categorizing data and assets, enabling effective security measures. This step involves three key components:

  1. Asset Identification: The primary purpose of the Metal Model Assessment is to identify our existing assets, so that we can initiate and maintain a methodical approach to securing our systems. This means identifying the critical aspects of our business: key functions, valuable assets, and the data held within the organization. It forms the foundation of our security strategy, ensuring we prioritize protection where it matters most.
  2. Data Categorization: Classifying and organizing our data assets into categories such as confidential, highly confidential, sensitive, and non-sensitive. This enables us to prioritize the implementation of Cybersecurity and Privacy controls based on data importance and potential risk.
  3. Control Assessment: Mapping internal controls to industry standards and compliance frameworks, aligning our security measures with established best practices to ensure a robust approach to protecting our data and assets.

Step 3: Identifying and Implementing Cybersecurity and Privacy Controls

In this step, we address the risks and threats to our systems and data. The process has two parts:

  1. Assessment of Basic Controls: Exploring and assessing basic Cybersecurity and Privacy fundamentals and controls suitable for our products and systems. These foundational controls form the basis of our security measures and help safeguard against common threats and vulnerabilities.
  2. Customization and Implementation: Adapting the basic controls to our specific product and system requirements, so that they address the particular challenges and risks we face. Collaboration with our teams during this phase is vital as we work together to integrate the controls seamlessly into our products and systems.

Step 4: Measuring Progress and Mapping Security Maturity

To gauge the effectiveness of our Cybersecurity and Privacy measures and understand our security maturity across various domains, we adopt a comprehensive approach involving three key components:

  1. Metrics Building: Utilizing key performance indicators (KPIs) to track the success of the implemented controls. These metrics provide objective benchmarks, demonstrating the value and impact of our Cybersecurity efforts and illustrating the benefits they bring to the business.
  2. Data Visualization: Enhancing comprehension and decision-making by utilizing data visualization tools to construct real-time dashboards. These visual representations depict the advancement of our Cyber Journey in a user-friendly format, enabling stakeholders to stay informed and empowered to make well-considered decisions.
  3. Communication: Ensuring transparent communication throughout our Cyber Journey by providing regular progress updates to relevant stakeholders. This open communication fosters awareness and alignment with our security initiatives.

Step 5: Continuous Improvement

Continuous improvement is a fundamental aspect of our Cyber Journey, ensuring the ongoing enhancement of our Cybersecurity and Privacy measures. This process involves three essential components:

  1. Feedback: Actively seeking and incorporating feedback from relevant stakeholders to refine our security practices. This iterative feedback loop enhances the effectiveness of our security measures, making them more adaptive and responsive to emerging threats.
  2. Regular Check-ins: Implementing regular check-ins and audits to monitor the effectiveness of our controls. These assessments enable us to ensure the integrity, validity, and overall effectiveness of our security measures and identify potential weaknesses before they escalate.
  3. Training Programs: Establishing a comprehensive, company-wide training program to increase Cybersecurity awareness among our co-workers. This initiative empowers our workforce with the knowledge and skills needed to identify and mitigate security risks, creating a stronger line of defense against potential threats.

Operational Pillars of the Cyber Journey

As we progress through the Cyber Journey, we remain committed to continuous improvement. In that spirit, we have introduced three enhancements that streamline the process and give teams better guidance and support:

  1. Automation via the Metal Model App: The app “Metal Model” has been internally developed to improve the visualization, tracking, and measurement of Cybersecurity and Privacy fundamentals, as well as controls. The Metal Model App introduces automation, efficiency, and user-friendliness to the Cyber Journey. Teams can now easily access the Cybersecurity and Privacy fundamentals associated with their Metal Rating, allowing them to identify relevant controls specific to their needs. The Metal Model app enables teams to mark completed controls, simplifying progress tracking and providing better visibility of their security efforts.
Image Source: Metal Model Application

  2. Guidance on Ways of Working: The Metal Model App includes a dedicated section for each control, offering high-level guidance on the ways of working with each fundamental. This guidance helps teams gain a better understanding of the control’s requirements and align their workflows accordingly. Additionally, the app provides insights on how to prioritize work and addresses frequently asked questions, easing the adoption process.

  3. Improved Communication Materials: We have revamped our communication materials to enhance teams’ onboarding experience. The new resources provide comprehensive information on the Cyber Journey, guiding teams through each step and empowering them to make informed decisions. These materials aim to improve collaboration and ensure everyone is equipped to contribute effectively to our Cybersecurity and Privacy goals.

Conclusion

By leveraging the potential of the Cyber Journey, we are committed to creating a smoother and more effective process for our teams. Embracing continuous improvement and valuing your feedback, we progress towards a more secure digital environment. Together, we strengthen our organization’s Cybersecurity and Privacy defenses and protect our valuable assets and data. Let’s embark on this journey of growth and advancement, making our digital landscape safer and more resilient than ever before.

Together, we secure IKEA, safeguarding our customers and co-workers, and ensuring a safe digital future for all.

Glossary:

Controls — Security policies and technical safeguards that organizations apply to secure their systems. The controls referenced here are NIST controls: the NIST Cybersecurity Framework describes best-practice outcomes for improving an organization’s cybersecurity posture and resilience, and maps each outcome to specific controls in NIST’s control catalogues.

Metal Model App— The application “Metal Model” has been internally developed to improve the visualization, tracking, and measurement of Cybersecurity and Privacy fundamentals, as well as controls.

Fundamentals— Fundamentals are the set of security controls that have been selected to form the base of IKEA’s Cybersecurity and Privacy program.

Metal Rating — The metal rating system provides a means for us to prioritize our efforts in Cybersecurity and Data Privacy. This rating system is designed to offer more detailed insights into how these priorities are assessed.
