Supporting cybersecurity in international peace mediation   

CMI’s work centers on trust. Conversations between parties are often highly sensitive, placing information security at the core. If protection is weak, there is a risk of attackers gaining access to information that could be used to undermine peace processes. For that reason, CMI has continuously invested in strengthening its information security capabilities.

“When we invite parties to the negotiating table, the space must be safe and trustworthy. Information security and trust-building work make this possible,” says CMI’s Security Manager Johannes Laaksonen.

Reversec’s work with CMI goes back to the pandemic period, when our consulting services still operated under F-Secure. CMI is a visible and trusted Finnish mediator, and we shared the same Nordic reliability, which made the partnership a natural fit. As an organization operating globally in complex environments, CMI recognized the value of strengthening its security capabilities through partnership with Reversec.

“When we invite parties to the negotiating table, the space must be safe and trustworthy. Information security and trust-building work make this possible.”

Rather than aim for a single strategy or one‑off fix, we set out to build a broad collaboration with a defined target state: to support CMI in raising its maturity as the operational context for conflict resolution continued to evolve. We wanted CMI to grow independent capability rather than rely on us for its future cybersecurity needs.

The first step was a current state assessment together with CMI’s leadership and the organization’s IT provider. We reviewed the environment, highlighted what worked, mapped pain points, and separated immediate fixes from longer-term process improvements. In parallel, we ran technical reviews, including a workstation penetration simulation and a walkthrough of CMI’s cloud structure.

Based on the findings, CMI and the provider addressed critical technical gaps. “At the process and policy level, we intensified cooperation with the IT provider and improved our documented operating practices,” Johannes Laaksonen explains.

Cybermeter

The Cybermeter (Kybermittari) is a tool developed by Finland’s National Cyber Security Centre to assess the maturity of cybersecurity capabilities. It offers a structured way to review governance, cooperation with suppliers, threat and risk awareness, and the suitability of controls. We helped create the first version and have since contributed to its development, so the tool is familiar to us.

In CMI’s case, using the Cybermeter prompted a substantive dialogue with the IT provider where responsibilities were clarified, operating procedures were reviewed, improvement needs were defined, and communication routines were agreed.

Awareness training

To make the “why” of security tangible, Reversec’s Principal Consultant Antti Laatikainen delivered training to staff, leadership, and external stakeholders, including EU and UN groups.

“We use real stories about how attackers gain access to systems in practice, then tie that to everyday behavior: use the chosen tools correctly, follow guidance, keep communication and escalations clear,” Laatikainen explains.

The conversation at CMI was curious and engaged, which helped the message stick. Sessions ran at multiple levels, from the management team to all‑hands and team‑specific needs. An external expert added credibility and helped rollouts land.

Strategy and digital transformation

Elements of the information‑security thinking we shaped with Antti Laatikainen were integrated into a broader IT and digital transformation effort, including digital peace mediation and an AI strategy.

The dialogue around security extended to CMI’s top leadership, and that growing interest was reflected in the decision to recruit an in‑house manager responsible for IT and information management. It was a strong signal to invest and move operational work forward.

Security handbook and risk management

Together we produced a clearly documented information security handbook and trained staff to use it. The handbook covers recurring field needs with ready patterns for communication and response.

Strongly informed by our work together, CMI also developed its project risk assessment model, which now accounts for information security more explicitly. Physical and information security are treated as closely linked, because improvements in the latter often benefit people’s physical security. This is vital in environments with limited room to maneuver, where handling information can directly affect the level of risk.

Flexible support

When fast guidance was needed, we supported CMI with practical advice and a focus on strengthening internal capacity. This reflects our Advisory services, which offer flexible, low-threshold support from a trusted advisor. Antti Laatikainen recommends the same combination of real-time sparring and maturity development to other actors in the field.