Expert-interview:
Nico Stark on security protection and how it becomes a competitive advantage
Security protection has quickly moved from a niche concern to a decisive business requirement. In an increasing number of procurements, it determines whether you can participate at all. HiQ helps organizations understand the requirements, build the right capabilities – and turn security protection into a competitive advantage.
Security protection as a competitive advantage
Security protection has quickly become a business-critical issue. In an increasing number of procurements within infrastructure, energy, real estate and the public sector, security protection is no longer a “nice to have” – it is a basic requirement just to be allowed to participate.
At the same time, many organizations experience the area as complex, time-consuming and full of uncertainties. HiQ supports clients in understanding whether they are subject to the Security Protection Act, building the necessary capabilities to meet requirements – and turning it into a competitive advantage rather than an obstacle.
“If you have your security protection in order, you are in a much stronger position when the major procurements come.”
Nico Stark, Security Protection Specialist, HiQ
One of the people leading this work is Nico Stark, Security Protection Specialist at HiQ, with extensive experience from both the police and the Swedish Security Service.
“Security protection is often perceived as heavy and bureaucratic. But for many, it is also the key to the most interesting assignments. If you have your security protection in order, you are in a much stronger position when the major procurements come,” says Nico Stark at HiQ.
When your business becomes part of national security
Security protection concerns the parts of an organization that are critical at a national level – functions that Sweden as a country depends on to operate. This can include everything from our liberal democracy, energy supply and communications to critical IT infrastructure and physical facilities.
Nico explains:
“Security protection is a specific form of protection against espionage, sabotage, terrorism and other serious crimes for operators engaged in the most sensitive security-related activities – in other words, what is most critical to the nation and what Sweden depends on in terms of services, products or capabilities. These activities must be given enhanced protection against antagonistic threats, where the threat actor has both the intent and the capability to cause harm. For Sweden’s sake.”
This means that the consequences of a disruption or attack often extend far beyond a single project or municipality.
“You could say we are talking about activities that – if disrupted or disabled – don’t just affect a local area but have tangible consequences at a national level. That’s where security protection comes in.”
For many companies, this only becomes tangible when a contracting authority includes security protection requirements in a procurement. The question then quickly becomes: Can we meet the requirements – and how fast can we get there?
“If you cannot handle the security protection requirements, you risk not qualifying at all. Then it doesn’t matter how competitive you are on price or technology.”
From legislation to practical security protection work
The foundation of the work is the Swedish Security Protection Act (2018:585) and its associated ordinance. Based on these, the Swedish Security Service has developed regulations and guidance to clarify how organizations should work in practice.
“We have a dedicated law, the Security Protection Act, which came into force on April 1, 2019. Alongside it is the Security Protection Ordinance. Based on these, the Swedish Security Service has developed regulations and guidance describing how to work with security protection in practice,” says Nico.
Over time, the support from authorities has become more practical and accessible.
“The Swedish Security Service has broken down the regulations into more user-friendly guidance and even provided fictional examples of a security protection analysis. That makes it much easier for municipalities, authorities and companies to understand what is actually expected.”
HiQ often helps clients translate this regulatory framework into their own reality: which parts of the business are affected, which roles are required, and how this connects to ongoing and future business opportunities.
The security protection analysis – the key to qualifying
Whether an organization is subject to security protection requirements is determined through a security protection analysis. This is also where the foundation is laid for participating in procurements where security protection is mandatory.
A security protection analysis should not be confused with a risk and vulnerability analysis. The key analytical difference lies in their purpose. A risk analysis aims to ensure business continuity during disruptions or crises and typically evaluates risks based on probability and impact.
A security protection analysis, on the other hand, focuses entirely on the consequences of antagonistic threats, where probability is irrelevant as it cannot be meaningfully assessed in the context of national security. Instead, the focus is on vulnerabilities and robust protective measures rather than risk calculations.
A five-step model for structured and prioritized action
“It’s a five-step model for civil operations. You follow a structured method, answer a number of questions and assess whether your operations would have national consequences if something goes wrong,” says Nico.
The work can be divided into five main parts:
- Business description
  Describe core operations and dependencies.
  “What does the organization deliver? What are the key outputs? What dependencies exist – technical, organizational, external, both domestic and international?”
- Identify and classify assets
  Identify what is truly critical – the “crown jewels” – and assess consequences.
  “If you suspect that you are conducting security-sensitive activities, this must be justified. What happens if delivery is disrupted? Does it impact municipal services, regional emergency response, or have national consequences?”
  “There are four levels of consequence, from minor to severe. This step is often the most time-consuming.”
- Threat assessment
  Analyze antagonistic threats such as foreign intelligence, organized crime and terrorism.
- Vulnerability assessment
  Map weaknesses in physical security, agreements, processes, training and IT environments.
  “This is where the real gaps become visible.”
- Proposed measures
  Define realistic, prioritized actions.
  “It’s better to have 5–10 clear actions that get implemented than 100 points that stay on paper. The analysis must also be reviewed at least every two years.”
HiQ often leads this work as an external facilitator, ensuring the results are actionable – not just documentation.
“These are largely assessments. That’s why workshop formats are effective – bringing together different functions to challenge and validate assumptions.”
When security protection determines whether you qualify
For many organizations, security protection becomes most visible in procurements. Requirements such as a security protection analysis, a designated security protection officer, and the ability to handle classified information determine whether you qualify at all.
“It’s quite simple: if you cannot meet the requirements, you may not qualify at all. It doesn’t matter how competitive you are on price or technology. You won’t get past the gatekeeper,” says Nico.
Building security protection capabilities requires investment, especially in large projects.
“A major infrastructure project with security protection requirements can be around 15–20% more expensive. But these are often the most attractive business opportunities. For many clients, security protection is an entry ticket to a part of the market they otherwise wouldn’t reach.”
HiQ helps organizations balance security level, cost, timeline and business value.
“For many of our clients, it’s about unlocking a new part of the market. With security protection in place, you can participate in major, society-critical procurements.”
Common pitfalls – and their business impact
When HiQ supports organizations, several recurring patterns emerge:
- Analyses are done once and not updated
- Security-cleared personnel are not followed up
- Planned measures are not implemented
- Security clearances are not properly terminated
This is not just a legal issue – it affects trust and business.
“Much of this is not about unwillingness, but lack of structure and time. But from a procurement perspective, these are still deficiencies that must be addressed. Otherwise, you risk both relationships and future opportunities.”
A comprehensive security offering
HiQ’s security offering covers several interconnected areas:
- Security protection and security protection analyses
- Information security and cybersecurity
- Personnel security and vetting
- Support for security protection officers, HR and management
- Processes, structures and training
- Internal audits of security protection
The goal is to create sustainable security – not just pass an audit.
“If you conduct your analysis properly, build long-term processes and follow up on measures and personnel, external reviews are not a threat – they’re an opportunity. You reduce risks and position yourself as a trusted partner in security-sensitive assignments. Ultimately, it’s about developing your own security culture,” Nico concludes.
Do you want to turn security protection into a competitive advantage?
We help you understand the requirements, build the right capabilities, and strengthen your position in procurement processes.
Get in touch!