Cybersecurity governance in an industrial business
March 20, 2022
In my first blog post in this short series on cybersecurity for industrial companies across the region, I looked into why Chief Information Security Officers (CISOs) often have limited control over the cybersecurity measures deployed in operational technology (OT). This increases the risk that successful cyberattacks on OT could disrupt the business’s industrial plants and even breach the enterprise’s IT systems.
I added that the best way to address this risk is by implementing a modern organizational and governance structure for cybersecurity encompassing both IT and OT. In this follow-up blog, I zero in on what such a structure looks like, and how to put it in place.
Operations usually have the most power…
To understand why extending the CISO’s remit to OT is a challenge that must be addressed, let’s step back and look at the underlying balance of power in many industrial companies. Often, the most influential people are those who keep the operations up and running, since the company depends directly on them to make its money.
As well as having the most decision-making power, the operational leadership also tend to be quite protective of their area. Since they’re accountable for anything that goes wrong with OT, they’re generally unwilling to allow anyone from outside their own teams to make changes to it.
This autonomous mindset was fine in the old world of OT, when industrial control systems weren’t connected to the internet or to enterprise IT. But today, OT’s rising connectivity means it’s subject to similar cyber threats to IT. Yet in many cases the approach to cybersecurity governance hasn’t kept pace.
The result? An increasing need to extend the CISO’s cybersecurity remit to OT. What’s needed is people sitting in the OT space who report directly to the CISO, and who ensure cybersecurity is properly managed in the OT environments – while collaborating closely with OT personnel and serving as the CISO’s eyes and hands on the ground.
There are two main hurdles to achieving this. One is that because the OT team haven't been involved in decisions about which cybersecurity measures to implement in OT, they often distrust or even resist the proposed changes. The other is that the skillsets required by OT cybersecurity specialists are in short supply, since universities have only very recently started to teach them. Also, most of the existing talent in the OT security space consists of very experienced people who have developed these skills in the course of their work. As a result, this talent is scarce and expensive.
Steps to overcome the challenges
How to surmount these hurdles? While creating and embedding a new governance structure will take some time, there are a number of steps that companies and their CISOs can take immediately to start putting the building blocks in place.
The first – overarching – step is to give the CISO a seat at the top table. In many companies the CISO sits below the CTO or CIO, putting them a long way from operations. The head of operations will invariably report directly to the CEO. To have the necessary level of visibility and influence across the enterprise, the CISO should report at a similar level.
A further positive move is to put in place a formal governance body that brings together all the parties involved in OT security – including cybersecurity, IT, corporate risk and OT – to discuss the potential angles and implications of cybersecurity in OT. This grouping could be termed a “steering committee” for cybersecurity, with objectives including:
Achieving alignment on OT cybersecurity objectives, strategy, initiatives and investment.
Providing enterprise-wide oversight and visibility on cybersecurity and risk.
Steering, supporting, and endorsing cybersecurity decisions.
Overseeing the development and adaptation of the cybersecurity capability to meet corporate requirements.
By involving operations in decisions related to OT cybersecurity, this governance body can reduce the pushback that sometimes occurs from OT teams. At the same time, a further valuable step is to create a community of practice for OT cybersecurity – a more informal grouping that provides a platform for discussing OT cybersecurity issues at different levels, identifying trends and necessary actions, discussing approaches to problems and unearthing “hidden talent” in OT cybersecurity within the business.
Why does this talent need to be unearthed? Currently, people with formal qualifications in OT cybersecurity are rare. Yet hidden within the operational teams in most industrial companies, there will be a handful of OT personnel who take a personal interest in the security of the systems they manage, and combine this with a deep understanding of the company’s operations.
These spontaneous, self-designated “OT cybersecurity champions” have often acted on their own initiative to develop their cybersecurity skills. This gives them a unique skills profile that makes them a hugely valuable resource for, and a perfect fit to populate, the organizational structure for expanding cybersecurity to OT.
To help guide the journey, companies may also want to engage an independent, trusted cybersecurity advisory firm that can work across IT and OT and speak the language of OT people. This advisor can help with all aspects of the necessary changes, from providing cybersecurity insights to clarifying responsibilities and facilitating dialogue between different teams.
No time to lose
These steps will help your industrial business begin to reinvent its cybersecurity governance for the world of connected OT. And when to embark on the journey? With cyber threats growing continually, there’s no time to lose. So start today – and get ahead of your OT’s cyber adversaries before the worst happens.
As ever, if you’d like to discuss anything in this blog, please drop me a line. I’d be delighted to hear your views!
Disclaimer: This content is provided for general information purposes and is not intended to be used in place of consultation with our professional advisors.
Managing Director – Technology, Cybersecurity Energy Lead, Middle East