Lund Municipality

Jonas Wenderup is the Head of IT Security and Operations at Lund Municipality, where he leads their security and cybersecurity efforts within a cross-functional team. With over 20 years of experience in IT, Jonas recently visited Truesec Studio for a conversation with Truesec founders Marcus Murray and Mats Hultgren. Watch the video above or read the text to learn more about how Lund Municipality approaches cybersecurity.

How would you describe the threat landscape for municipalities?

Until three years ago, municipalities were often seen as easy or “fun” targets. But today, we live in a world where we increasingly feel like we’ve made it onto a to-do list. There are operations here that can be disrupted and undermine trust in society. We’ve had to significantly improve our security measures. Given recent events with municipalities and public sector operations in Sweden, it’s no longer a question of if, but when it will happen.

Is there an opportunistic threat?

Cybercriminals always seek easy targets, and municipal operations are often complex and fragmented. It’s not about a clear-cut operation that simply delivers one thing in an easy way. We have a societal responsibility and must maintain our security. But that’s essentially impossible — there will always be threats and vulnerabilities in the system. The problem is that there are too many vulnerabilities and attack vectors are too large.

How have you actively worked on security at Lund Municipality based on the threat landscape?

We rethought our approach over time. Initially, we focused on patching, but we realized that wasn’t enough — we had to be prepared for attacks. So, we shifted our focus to recovery, defense, and detection. Now, our priority is identifying and mitigating threats before they cause harm.

We engaged municipal leadership early on. When other municipalities were attacked, cybersecurity became a top priority. We structured our efforts around recovery, protection, and detection, ensuring we can respond effectively while minimizing attack vectors.

You’ve invested heavily in cybersecurity without being attacked — why?

We learned from other municipalities and chose to act before an incident forced us to. Those affected had to manage both the crisis and decision-making under pressure — we made our decisions in advance.

Our priority is delivering services to citizens, and we can’t rely on luck. While 100% security isn’t possible, we’ve minimized the risk of severe impact.

Was it easy to get politicians and daily operations on board?

IT security is ongoing, and while it’s often seen as a hurdle, both leadership and politicians trust us because we speak a shared language — framing IT crises as organizational crises.

We follow NIS2, which we see as a strong framework for cyber hygiene, setting clear IT requirements while considering operational needs.

The landscape has changed — not just threats but also the shift to hybrid work. Traditional security models no longer suffice, and adapting is essential. Those who haven’t started that journey will face challenges.

Do you have any tips for other municipalities?

Start with a proper risk analysis. If you can’t do it alone, sit down with leadership and go through it together. And be honest — does your security really hold up against a serious attack? It’s easy to assume you’re covered, but realism is key. Also, don’t hesitate to seek knowledge and learn from experts who can help you make a solid assessment.

Do you collaborate with other municipalities?

We’d love to, but the reality is that everyone is so busy with their own work that it often feels like we’re all reinventing the wheel. There’s no reason smaller municipalities can’t pool resources during incidents or share expertise — it just requires coordination.

Transparency is also key. When a municipality is hit, sharing what they can helps everyone learn. The instinct in cybersecurity is often to stay quiet, but is that really the best approach? Are we protecting ourselves, or are we doing what’s best for society as a whole?

Another big realization is that IT isn’t just a 9-to-5 operation. Systems run 24/7, and so do threats. Even with on-call staff, security can’t be treated like a daytime job. Municipal leadership needs to understand that IT security is an ongoing process.

And it’s not just about cybersecurity — this shift is happening across the board. Citizens expect access to services at all hours, not just during business hours.

How do you approach technical debt?

We’re working hard to implement a digital model and build a structured approach to accountability — so it’s not just IT making decisions in isolation. Our goal is to create a management culture where cybersecurity is a given, ensuring our systems stay updated and secure.

It’s all about balance — maintaining strong security while keeping operations running smoothly. To respond effectively to threats, we need input from across the organization and a clear understanding of the challenges employees face in their daily work.

How do you approach cybersecurity in practice — technology, mindset, and perspective?

We have a cross-functional cybersecurity team with architects, system specialists, tool experts, and infrastructure leads. The team works strategically to reduce attack vectors and has invested in 24/7 monitoring and security tools.

Another key focus is shifting the cybersecurity culture by engaging employees and the organization. We’re here to protect individuals in today’s digital world — if their work accounts are compromised, their personal information may be at risk too. Before making these investments, it was crucial to build an understanding of why these steps were necessary.

How do you work to build understanding within the organization and ensure governance is aligned, so the organization supports initiatives and understands the investment needed?

We follow ISO 27001 but focus on what truly delivers results rather than just relying on a framework. The cybersecurity tools market has grown rapidly in recent years, making it harder to filter relevant information. The best approach is to analyze real incidents — who handled them and how — rather than relying on those who simply sound convincing. It’s also important to recognize who benefits from withholding key information.

When it comes to risk analysis, the key is to do it and be honest. When we conducted ours, we were completely transparent about our needs and the best solutions for us.

How has Lund’s journey been to get to where you are today?

Lund’s journey to where we are today has been shaped by making decisions with the right expertise, both from tool providers and detection capabilities. We’ve received valuable support and skill development, but we are still evolving. The toughest part has been acknowledging to our IT department that we can’t fully protect the organization from an attack and need external solutions, which is a hard realization for many.

As a municipality, we struggle to attract top talent, as they often seek other opportunities or are deterred by the salaries we offer. That’s why we rely on external services and specialists.

During an incident last week, we were helped by Truesec when an anomaly occurred, revealing dumped passwords. If this had happened a year ago, without Truesec, we’d have been uncertain and worried. But with expert support and 24/7 monitoring, we could understand the situation — it was likely a bug. In such cases, it’s vital to seek external help. It’s unrealistic for a small team to bear the full responsibility for securing the entire organization.

How has the workplace culture around security changed?

Over the past three years, awareness and curiosity about cybersecurity have grown, largely driven by media coverage. However, translating this awareness into daily practices and making things more complex to reduce risks is still a challenge. The leadership and politicians have really taken this on board, especially after cases like the one in Kalix.

Looking ahead, we may face larger-scale incidents. While the most recent one was a false alarm, we’ve learned important lessons from it.

How are you addressing the new regulations like NIS2 and the cybersecurity laws, and where do you stand on them?

Many of the new laws and regulations address things we already require within our operations. They help us structure our work and tackle unresolved issues. It’s not just about having functioning incident management; it’s also about documenting it correctly. But we can’t focus solely on cybersecurity. When considering laws like GDPR, we must also think about the overall mission of the municipality — to deliver services to citizens. To do that properly, we need to look at the big picture and not let laws and regulations get in the way.

How are you handling the challenges with supply chains and suppliers?

One advantage of NIS2 is that it clearly defines responsibility. In the past, we in the public sector set requirements for suppliers, and they would agree, but later, weaknesses were found. NIS2 ensures that we don’t just set requirements but also verify that they’re being met — something we’ve lacked before. We need to get better at ensuring that the “yes” we get in procurement actually means compliance. Previously, we didn’t have control over whether suppliers followed our environmental policies. The legislation forces us to start this dialogue, as it’s impossible for 297 municipalities to sample the same supplier. Coordination between suppliers and requirements is necessary for suppliers to prepare — something we’ve never had to demand before.

What are your best tips for a municipality starting its cybersecurity journey?

Conduct an honest risk analysis based on all available information. Seek knowledge and approach the analysis not just from an IT perspective, but also from the needs of the business. I’m confident that if you do this, you’ll reach the same conclusion we did.