Netox Oy’s customer representative Nina Ekman and Kaarea Oy’s IT manager Tero Nyman are looking forward to the launch of the new operating model and the beginning of a smooth and secure everyday life.

Cities are now responding to tightening cybersecurity regulations by separating the IT systems of city-owned companies into their own entities.

Six city-owned companies are separating from City of Turku’s centrally managed IT environment. Netox was selected as the IT and cyber security service partner through a public tendering process.

Previously, the companies operated as part of the city’s shared IT environment, and they had no opportunity to build IT based on their own needs. The separation also enables cost management in city companies of different sizes.

“In the shared environment, there are companies of various sizes and the city’s organization, along with shared system licenses with the city. As a result, even the smallest city companies have been using licenses intended for large organizations. By rationalizing just this aspect, savings can be achieved as city companies can procure licenses that meet the specific needs of each company,” says Tero Nylund, IT Manager of Kaarea Oy, who was involved in the tendering process.

Nylund recently transitioned from Turku’s service to become the manager responsible for Kaarea’s IT systems. Kaarea is one of the six companies undergoing the IT reform and participating in the tendering process.

Nylund is well-acquainted with Turku’s IT systems, having worked with them for nearly 25 years. He was also responsible for the technical specifications in the city’s tendering process for the IT systems and cyber security services of the companies.

IT that meets needs and reliable cyber security

At Turku, the background for the reform includes, among other things, tightening cyber security regulations. In the reform, IT and cyber security systems tailored to their needs are being built for companies maintaining critical functions.

In the future, the IT and cyber security services of these six companies will be provided by a single partner: Netox.

According to Nylund, Netox’s selection as the partner for both IT and cyber security services was based on a flexible, customer-oriented bidding process and the provider’s high-quality expertise. Netox delivers services at the required standards.

“Netox was selected as the provider for many reasons. First, they had all the required quality, cyber security, and environmental certifications. Additionally, Netox demonstrated from the very beginning of the bidding process that they operate based on the customer’s needs. Netox has acted flexibly and identified how the city’s different companies operate, rather than trying to force everyone into the same mold,” Nylund assesses.

Over the next four years, Netox will deliver services tailored to each company’s needs, after which the contract will continue indefinitely.

“The joint tender was a sensible solution from the client’s procurement perspective. As the tender progressed, we wanted to consider each company’s unique entity from the start. We are building IT as a logical whole that supports the high-level security requirements,” says Nina Ekman, Netox’s client manager.

“It’s excellent that Turku is leading the way in how IT and cyber security are implemented with quality,” Ekman continues.

Netox will provide the companies with, among other things, the following services:

  • Cyber security services (e.g., 24/7 SOC)
  • Domain (Entra), cloud services
  • Telecommunication services
  • Capacity services
  • Integration services
  • E-commerce service
  • Data protection services
  • Endpoint device services
  • End-user services
  • License services
  • Development and expert services
  • End-user and administrator training

Security incidents must be reported within 24 hours

Netox is responsible for the system’s around-the-clock SOC monitoring.

“When we monitor a system that we built ourselves, we can respond immediately not only to security incidents but also to the need for IT system updates without intermediaries or passing responsibility. This is a straightforward partnership where cyber security is integrated as an essential part of the whole,” says Ekman.

The EU directive NIS2 will come into force in October. It obliges companies organizing critical infrastructure and services for society to respond to detected security incidents within 24 hours of the first detection.

“Turku’s current IT environment was built to meet the needs of a single legal entity, the city. As several different legal units, such as limited liability companies, have formed within organizational structure, the systems do not optimally meet the needs of the different entities. Particularly, the companies’ ability to organize their cyber security according to new requirements would have been challenging without the reform,” says Nylund.

Information flow through organizational layers should happen within 24 hours according to NIS2’s requirements. In a multi-tiered city organization, this would be at least challenging.

“NIS2 clarifies the division of responsibilities and obliges companies to take care of their IT environment and cyber security. Companies are their own legal entities, and now the responsibilities are more straightforward: the companies are responsible for organizing IT and cyber security. The most significant aspect of the IT environment reform is that companies now gain continuous visibility into their IT systems and cyber security,” Nylund emphasizes.

Access management is a central part of the security whole

Previously, maintaining access rights required a significant amount of manual work. This can be reduced or completely automated with properly built systems.

“In Kaarea alone, nearly 700 access requests have been handled in 2023. These involve opening, renewing, or removing access rights, and this has been done manually. In the future, such work will be completely eliminated as systems are designed to be appropriate from the perspective of the companies. For example, at Kaarea, this is one of the first things that will be automated.”

The companies’ implementation projects have now begun. Both the companies and Netox are looking forward to the start of the new operating model and the beginning of a smooth, cyber-secure everyday life.

Turun Sanomat also reported on the topic: (in finnish)

Turun osakeyhtiöt vaihtavat it-toimittajansa yksityiseen, sillä ne kaipaavat ketterämpää ja kustannustehokkaampaa otetta

Aiemmin it- ja kyberturvapalvelut toimitti Kuntien Tiera, joka on suurin ulkoistettujen it-palveluiden tuottaja kuntakentällä. Netoxilta odotetaan räätälöidympiä palveluita.

Muun muassa TVT-Asunnot tilaa jatkossa it-palvelunsa Kuntien Tieran sijasta Netoxilta. Yhtenä syynä muutokseen nimetään kustannusten hallinnan lisäksi esimerkiksi kiristyvä tietoturvasääntely, johon kaupungit reagoivat eriyttämällä omistamiensa yhtiöiden it-järjestelmät omiksi kokonaisuuksikseen.