Expert-interview:

Kalle Kivi on personnel security and why cybersecurity begins and ends with people

Cyber threats are rarely just about technology. Despite advanced systems and protections, breaches still happen – often with people at the center. Kalle Kivi, personnel security expert at HiQ, explains why the future of security starts with understanding, supporting, and protecting individuals.

Cyber threats begin and end with people  

Today, cyber security and risk management are a natural part of everyday life for many organisations. Firewalls, encryption and technical safeguards are in place. Yet breaches, leaks and irregularities still occur. For Kalle Kivi, personnel security expert at HiQ, the explanation is clear: security begins and ends with people. 

”Regardless of which attack method or vulnerability we talk about, sooner or later we end up with an individual who acts, reacts or is manipulated,” he says. ”Technology is important, but it is not enough if we do not also protect the people who uphold the organisation.” 

“Regardless of the attack method or vulnerability, we always end up with an individual who acts, reacts, or is manipulated.”

Kalle Kivi, Personnel Security Expert, HiQ

Personnel security may sound abstract, but is in fact both concrete and regulated. For organisations that conduct securitysensitive activities, it is part of the security protection legislation. But Kalle sees an equally important dimension beyond the legal paragraphs.’ 

”From a legal perspective, personnel security is a statutory part of security protection. In practice, however, it is about protecting people so that they can protect the organisation,” he says. ”Before someone with large debts is exploited by criminals or foreign powers, we should have picked up the warning signs. It is just as much a responsibility towards the individual as towards the organisation.” 

In HiQ’s offering within security protection and risk management, this perspective is central. Information security, physical security and personnel security belong together. When HiQ supports clients with security protection analysis and risk work, people are an integrated part of the whole, not a separate side track. 

When the threat targets people’s weaknesses 

The security landscape has changed. When several European countries, including Sweden, expelled Russian diplomatic staff, traditional intelligence capability was reduced. The consequence was a shift in methods. 

”Foreign powers are making greater use of socalled expendable agents. These are ordinary people without formal training who are recruited via, for example, social media,” says Kalle. ”At the same time, we see a strong interest from criminal networks in recruiting people inside organisations. If you have debts, addictions or other vulnerabilities, you can end up in a very exposed position.” 

Here, personnel security becomes a protection in two directions. The organisation reduces the risk of insider threats and coercion. The individual employee avoids ending up in a situation where private problems suddenly become a security risk. 

”We do not want anyone to have to choose between their employer and their own or their family’s safety. Our task is to identify the risks in time, before someone ends up there,” says Kalle. 

“We never want anyone to have to choose between their employer and their own or their family’s safety. Our job is to identify the risks early, before anyone ends up in that situation.”

The myth of the lamp in the face is hard to shake

When Kalle meets new organisations, there is often a very clear picture of how personnel security works – and it is rarely flattering. 

”A common misconception is that we are going to put someone under a lamp, interrogate them harshly and dig into their private life in an almost cinematic way,” he says. ”That is not the case at all. The whole point is to build trust, not fear.” 
In practice, security vetting interviews are about a professional, structured conversation where the individual understands why the questions are being asked and how the information will be handled. 

”The only way to get a solid basis for assessment is if the person sitting opposite me trusts me. People share things with someone they experience as sensible, respectful and discreet. Our methodology is built on exactly that – clarity, safety and transparency. We explain why we ask, not just what we ask.” 

Culture, trust and poor systems are common obstacles 

Swedish workplaces are often characterised by a high level of trust. We hold doors open for each other, we assume that others are authorised, and we hesitate to ask uncomfortable questions. Kalle sees both strengths and risks in that culture. 
”We grow up in a trustbased worldview, which creates a pleasant environment. But when the sign on the door says ‘authorised personnel only’ and I still let in someone I do not know, we suddenly have a security risk,” he says. 

For him, it is crucial to explain the purpose of personnel security internally. Simply saying ”we are here to catch spies” is not enough. 

”When I ask about someone’s finances, it is not to moralise, but to prevent that person from ending up in a situation where someone uses gambling debts or loans as leverage. That explanation makes a huge difference to how the work is received.” 
Equally important is how the systems around employees function. 

”You can have as many policy documents and analyses as you like. If your systems and processes make it impossible to do the right thing, people will take shortcuts. Poor systems lead to security breaches, not poor people. That applies just as much to values and culture as it does to security.” 

Weak leadership is a security riskrisk 

When Kalle talks about personnel security, he often returns to leadership. For him, it is more than an HR issue. It is a direct security factor. 

”Leaders cannot hide behind not knowing. They have the mandate, the salary and the conditions to take responsibility. That includes prioritising security, listening to the experts and pushing through measures even when they are uncomfortable,” he says. 
He sees weak leadership, where no one dares to make decisions or follow up, as a concrete security risk. Employees do not do what it says in a document; they do what their managers actually do in everyday life. 

Here, HiQ’s role is often both advisory and educational. It is about giving the leadership team a clear picture of the risks, but also showing how personnel security can be integrated into business, culture and daily operations without blocking the organisation.  

How organisations get support based on their reality 

When HiQ enters an organisation, the work always begins with understanding what the organisation does, which assets and values need to be protected and which roles have access to what. A security protection analysis and a clear description of the operation form the basis. 

The next step is to clarify which positions need to be security vetted and possibly security classified, which ones require checks against official registers and how background checks should be carried out in a structured and legally robust way. At the same time, training and internal communication are developed so that employees understand both the purpose and their own role. 

For some clients, the assignment is about building everything from the ground up. For others, HiQ is a partner that complements an existing security setup with the personnel security component. 

”Some organisations have already carried out an extensive security protection analysis. In those cases, I can come in, familiarise myself with the material and look at the whole from a personnel security perspective. Quite often it is enough to adjust roles, tighten a few routines and add training to raise the level significantly,” says Kalle 

Personnel security as an enabler

For Kalle, the goal is not to slow the organisation down, but rather to make it possible to act faster and more safely. 
 
”I usually say that we do not have brakes on a car in order to stop, but in order to be able to drive as fast as possible in a controlled way. It is the same with security work. Properly designed personnel security makes it possible to give people mandate, share sensitive information and use the full power of your organisation,” he says. 
When security measures are perceived as unreasonably complicated or illogical, something has gone wrong. People then work around the systems, and security is in practice weakened. 
 
HiQ’s work with personnel security is therefore always aimed at combining legal requirements, risk reduction and human understanding with solutions that work in reality. People are the starting point – and the greatest opportunity. 

Do you want to understand how personnel security impacts your organization in practice?
Let us help you identify risks, strengthen protection, and create the conditions for both secure employees and a resilient business.

Work at HiQ

Get in touch!

Choose your nearest office, looking forward to hear from you!

More Expert Interviews

hiqexperts Nico Stark
hiqexperts The major AI shift has begun – but leadership is falling behind
hiqexperts Naim Latifi
hiqexperts Matthias Bauhofer
hiqexperts Gustav Isaksson
hiqexperts From AI Hype to Business Value – How Companies Can Unlock Real Impact with AI  
hiqexperts Reviewed by DIGG
hiqexperts Digital Accessibility – How to Get Started!
hiqexperts Exploring Data Science and AI
hiqexperts Unlocking Insights: Victor Martinez Albarracin on Data Platform and Analytics
hiqexperts The Data Quality Dilemma: How Poor Data is Killing Projects
hiqexperts Building a User-Centric Product
hiqexperts Leadership Lessons from Role-Playing Games
hiqexperts Product Cybersecurity in a Changing World
hiqexperts Exploring the Future of Front-End Development