We recently surveyed 2,000 security executives at large, global enterprises and found that about one in three focused, targeted breach attempts succeeded.
Still, 75 percent of respondents were “confident” they were doing the right things with their security strategies, and a similar number said security is “completely embedded” in their cultures, with support from the highest-level executives.
Clearly, there’s a disconnect.
Surviving in this increasingly risky environment requires a cybersecurity “re-boot” to embrace an end-to-end approach that recognizes a spectrum of threats across the information technology (IT) and operational technology (OT) environments, minimizes exposure and identifies high-priority assets. In particular, oil and gas businesses must expand their cybersecurity strategies to include operational technology and invest in advanced analytics, incident management programs and ongoing testing focused on protecting core operations. This takes a few fundamental steps.
Start by answering several critical questions:
To foster a culture of cybersecurity and move closer to a state of digital trust, organizations should emphasize an adaptive, evolutionary approach to addressing all aspects of security on an ongoing basis.
This means investing in education and training for IT and OT staff alike so that they can step out of their comfort zones and collaborate across the organization.
Together, they can help devise security strategies that make sense in both business and operational contexts, while encouraging deeper engagements with enterprise leadership on a day-to-day basis. Doing so requires IT to speak the language of OT, and vice versa.
Improve the alignment of cybersecurity strategies with business imperatives, and improve the ability to detect and block more advanced attacks.
Engage "white-hat" external hackers for attack simulations to establish a realistic assessment of internal capabilities—across IT and OT environments.
Prioritize protection of the organization’s key assets (including industrial control systems) and focus on the internal incursions with greatest potential impact.
Invest in state-of-the-art programs that enable outmaneuvering adversaries, versus investing more in existing programs.
99 percent of breaches not detected by security team members are found by employees. Prioritize training for all employees, including cross-training for IT and operations personnel.
CISOs must materially engage with enterprise leadership and make the case that cybersecurity is a critical priority in protecting company value.
Countries surveyed: Australia, Brazil, Canada, France, Germany, Ireland, Italy, Japan, Netherlands, Norway, Singapore, Spain, UAE, United Kingdom, United States.
Industries surveyed: Banking, Capital Markets, Communications, Energy (Oil & Gas), Healthcare (provider & payer), High Technology, Life Sciences, Products, Industrial Equipment, Retail, Utilities.
Respondents: Security, IT and business executives at director level and above; 2,000 executives.
Objective: Understand the extent to which companies prioritize security, how comprehensive security plans are, how resilient companies are with regard to security, and the level of spend for security.
Measured: Cybersecurity capability, across 7 domains: business alignment, strategic threat context, the extended ecosystem, governance and leadership, cyber resilience, cyber response readiness, and investment efficiency.