
Article

Voice of Visma: “How do you make people care about security?” with Joakim Tauren


Security


<iframe width="755" height="425" src="https://www.youtube.com/embed/EnmooCU67bc" title="Ep 04: “How do you make people care about security?” with Joakim Tauren | Voice of Visma" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>

On the Voice of Visma podcast, we sit down with leaders and colleagues from around Visma to hear their stories, learn from their expertise, and share the best lessons they’ve learned throughout their careers. These are the stories that shape us… and the reason Visma is unlike anywhere else. New episodes are released Wednesdays on Spotify, Apple Podcasts, and YouTube.

The text in this article is from Episode 04 and has been edited for length and clarity.


Welcome, Joakim! Can you tell us a little about yourself?

Yeah, I’m Joakim Tauren. I’m from Finland and am over 40 years old – I won’t disclose how many years exactly (maybe someone could try to guess). I have three daughters, and I live in Seinäjoki. It’s a city kind of in the middle of Finland, and we call it the Capital of Space.

I’ve been in Visma for quite some time. In theory, I’ve never changed companies. I started at a company that was later acquired by Visma, so my entire 20+ year career has, in theory, been in the same company all the time.

I’ve been in all kinds of roles. I started as a developer, then I became an IT manager. Then I became the company’s security manager. After that, things kind of took off a little bit, and I started working with security throughout the entire Visma Group, helping all the different companies with security.

Where did your interest in working with security come from?

I think I was maybe around 7-ish, 6 or 7, when we got our first computer in my house. I knew then that I wanted to work with computers. Around maybe 13 or 14, I hacked my friend – who is now a developer at Supercell. Turns out his mom was on the computer then! So, that kind of sparked a little interest in security and hacking. I think it might have been in some kind of movie, as well, during that time.

But then it kind of went away a little bit. I always knew I wanted to get into IT. I had the chance to go to the United States for a trainee programme from the university where I studied. So I went to Lawrence Berkeley National Laboratory in Berkeley in California, working at the particle accelerator with a nuclear scientist. He had like this Microsoft Access database with a ton of information about the experiments that they’ve done, and I created a website where other nuclear scientists around the world could search data from his database.

So it was from the early stage of your life where you had that spark?

Yeah. And, actually, my dad doesn’t remember it, but I was always playing with everything on his work computer. So, I accidentally formatted his entire computer, which means everything was deleted from his work computer. He had one of the first laptops, and I tried all the commands that were there – and then it was suddenly empty. That was not fun at all. And he was the CEO of a pharmaceutical company in Finland. So, yeah… luckily, he doesn’t remember it.

Could you tell us how Visma focuses on having the most secure products?

Well, security isn’t always the most fun thing to talk about. So step one is to make security fun. Step two is to create a security program where we empower the companies to make security decisions themselves. So, we provide them with all kinds of services and tools that they can use to make better security decisions. In essence, it’s really about providing them with information because data-driven decisions are something that is also quite important in Visma. We try to use the same kind of methodology for the security program, to enable the companies to make those decisions.

We, as the ‘security people’, try not to be the gatekeepers. Instead, we empower all our companies and the people working in those companies to make good decisions when it comes to security.

“We are like teachers, and the end goal is that the students become the masters. The goal is for it to become part of their daily life and the culture of the company.”

What’s the process like to get companies onboarded to the Visma Security Program?

First, before we even buy a company, we do due diligence on the security of the company where we check all kinds of other things. So it’s not just security; it’s tech, finance, legal, HR, and all kinds of different tracks.

Then, when they onboard to Visma, we have a pretty clear process on how they should do it. And, again, it’s not really us onboarding them. We show them how to onboard different things and which services are available to them.

From a security perspective, we have four different tiers, based on what type of products they have: the platinum tier, gold, silver, and bronze. Platinum and gold are essentially any kind of newer SaaS product that is in the cloud and is growing. Silver and bronze are for products that maybe are not that important for the companies, for whatever reason.

“Everything is dependent on what type of products the companies have. These tiers help them understand how to prioritise the work they do related to security.”

Of course, the most important strategic products have to be onboarded to all our security services and fix all the vulnerabilities that are found quite quickly. When it comes to the platinum tier, for example, they need to fix all the vulnerabilities within a certain number of days. Otherwise, they get points – and these are penalty points that nobody likes. So, they try to get rid of them as quickly as possible.

How are the companies responding to the whole process? What’s the feedback that you get?

I think most of them really like it. Some of them find it to be quite a bit of work, of course, depending on their experience with security. So, we have to take care of them. The ones that really appreciate it understand also how far along it is compared to other companies in Europe; how comprehensive it is, how much protection they can get, and how many great services we provide to all the products that we have.

How many products are in the Visma Security Program?

I think we have about 700-ish products. As you know, Visma is quite big. I think the latest number was about 180 companies in the Group – so, 700 products, 180 companies, 15-16,000 employees. The people that don’t really understand and know Visma might not realise that it’s actually a pretty big company. So, when I mention to some people that I talk to at conferences and things like that, it’s like, “Oh, we actually have about 700 applications.” And they ask about a specific one, for example, “Okay, what’s the situation with this one?” And I’m like, “Well, I can’t remember. But I can check it later. But I don’t remember because we have 700 products.” Yeah. It’s a pretty big company.

Now imagine if we were like a traditional company where security is gatekeeping everything and doing all the things for everyone. Then imagine I would have to do everything for all the 700 different products. That would take quite some time. We would need a massive security team to be able to do that.

What are some of the impacts that you see for our customers?

One of the biggest impacts is how we handle incidents. It’s really not about if something happens, it’s when. So, when something does happen, we have a process for how our companies should handle it, working alongside the Visma security team. That allows for all the different companies, regardless of how many incidents they’ve been through, to handle it in a good and professional way. They write down everything that has happened before and what has been done during the incident – that enables them to communicate with their customers, which instils greater confidence and trust.

We also have the Trust Centre where customers can go and look up any product and see all kinds of different technical aspects – where the data is stored, etc.

Final question: What does “Champions of business software” mean to you?

I mean, champions are number one. They’re the best. So, that’s pretty clear. We try to be number one in all the markets, for all the different products that we have. We strive to have the best products and, of course, we try to be the best at security.

“I think we are champions in our own way and in a lot of different aspects. It’s kind of like if you’re training for the Olympics – you have to be consistent throughout the years.”

As an example, our security team was nominated in the Outstanding Cybersecurity Team category at the 2024 Cyber Outstanding Security Performance, which is quite impressive. I feel like we’ve been consistent throughout the years, and we’ve improved and added quite a few services. We’ve done all kinds of things to improve the entire security program over and over again, iterating it.

Also, gamifying the security program through our internal index has really kind of helped the companies to understand better what they should do and how and when. So, I think it’s consistency over time and then just continuously improving our performance, just like any athlete.
