During Accenture’s 2021 Operation: Next summit, I spoke with good friends Andy Bochman of Idaho National Laboratories and Agustin Valencia of Iberdrola about the need for organizations to strike a proper balance between IT and OT to minimize risk. One of many practical pieces of advice from the session was that if everyone does the basics, the attack surface can be minimized, and risk reduced.

So, what are the basics—what I like to think of as good habits—a cybersecurity leader should embrace for a healthier risk management approach?

  1. Understand Your Business and Industrial Processes

    How does your process work? What are your critical assets and crown jewels? What are your business and operations KPIs? You should understand your business and industrial processes to be able to effectively manage risk.

  2. Be Objective About Risk Management

    Remove as much subjectivity as possible from risk calculations. As an example, likelihood is most often a very subjective parameter whose rationale can be challenged because of a lack of historical data, incomplete data sets, black-swan effects, etc. Think about how to be as objective as possible when managing risk.

  3. Prioritize Efforts Based on Risk

    Move away from using compliance requirements or security maturity levels alone to prioritize your security efforts. Compliance should be the baseline of your journey, not the end-state. Maturity will not tell you everything you should know about risk. For example, a process or location can be at maturity Level 1 (less mature) and be low risk. In a different area, you can be at Level 3 (more mature) and still have a highly vulnerable process or location, depending on its criticality and specific requirements.

  4. Understand the Risk Needs of Your Stakeholders

    Take time to build relationships with your stakeholders (board, C-suite, business unit leads, etc.) to understand their needs and how best to communicate with them about risk, e.g., what to include in your risk report, frequency of updates, level of detail, KPIs, etc. By collaborating closely with business lines and the overall enterprise, you can reach consensus on how risk is defined, measured, controlled, and mitigated. Collaboration also helps reduce duplication of effort.

  5. Don’t Overengineer or Reinvent the Risk Management Wheel

    Your team’s time is valuable. Save time by following risk management standards, best practices, and methodologies widely adopted by your sector, country, or environment. Leverage the work that critical infrastructures, national security agencies, and standards bodies are doing for you.

  6. Strive for Resilience

    As the number of attacks increases, focus on security outcomes that support operational uptime and resilience to help you perform better under pressure. Ransomware in particular is a growing threat for most industries. Accenture Security recently took a deep dive into the current state of the ransomware threat. In our research, we identified how cybersecurity leaders can help their organizations gain ransomware resilience. Another area to strengthen is your incident response approach. Adopting proactive practices has been shown to improve response times when attacks do happen.

  7. Promote a Security Risk Culture

    Your risk management efforts should go beyond cyber protection measures alone. You have to consider physical security, employee safety, IT, OT, etc. In any system, humans are always the weakest link. Therefore, to properly manage risk, start by instilling the notion that security is the responsibility of everyone in your organization.

  8. Be Selective About What You Trust

    Don’t assume something is trustworthy just because others are using it or you are told to trust it. This includes systems, people, or processes where you just assume trust as a point of convenience. Always question what you are doing: is it the right thing to do and are we doing enough of it?

  9. Foster Cross-Functional Collaboration

    As IT platforms take a greater share of the OT environment, it is imperative that IT and OT work closely and align on how to minimize risk. When you work in silos you create weaknesses in your organization. Adversaries will exploit those weaknesses. Collaboration also helps reduce duplication of effort and redundant investments. Accenture research found redundant investments in digital projects increased costs by 5.8%.

  10. Empower Your People

    Encourage your operational and security teams to adopt IT technology in the OT environment, and hold them accountable for the security systems they use and manage.

These habits provide a solid foundation for managing risk. However, if you are a critical infrastructure operator or a large or multinational industrial company, I have a few more habits necessary to meet the high demands of your environment.

  • Build Your Own OT Security Framework
    You can leverage, adapt, and adopt applicable standards, best practices, and regulations to develop your framework, but alone these are usually not enough. Take the extra effort to incorporate your specific requirements and risk management methodology into your framework. Also, consider how you can benefit from, follow, adapt, or adopt relevant methodologies such as Consequence-driven Cyber-Informed Engineering (CCE), Cyber PHA, IEC 62443-3-2, and others.1
  • Begin with Security in Mind
    Inject risk management practices into the planning, design, construction, and operations of your infrastructures and projects, using your OT Security framework as the base reference. This approach is a critical component to prepare your OT security program for the future.
  • Know Your Threat Landscape
    Understand who your adversaries are, the potential for insider threats, and the realities of the geographies in which you operate. Develop strategic and tactical threat intelligence and incorporate it into your risk management processes.

Once you start exercising all these habits, sooner or later you will begin asking yourself: Am I doing enough? Am I doing too much? Should I do things differently? To answer those questions, you can look at the health of your organization, business, or process as an indicator of your progress. As you exercise these habits (with peaks here and there depending on other factors), you should begin to see a better-informed view of your risks, engaged and aligned stakeholders, and decreasing (or stabilizing) risk. And to be honest, luck also helps… but don’t rely on it!

1 The information in this blog post is general in nature and does not take into account the specific needs of your IT ecosystem and network, which may vary and require unique action. You should independently assess your specific needs in deciding to use any of the tools mentioned. The Consequence-driven Cyber-Informed Engineering (CCE), Cyber PHA, IEC 62443-3-2, etc. tools/methodologies are not Accenture tools/methodologies. Accenture makes no representation that it has vetted or otherwise endorses these tools, and Accenture disclaims any liability for their use, effectiveness or any disruption or loss arising from use of these tools.

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this article is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

This document makes reference to marks owned by third parties. All such third-party marks are the property of their respective owners. No sponsorship, endorsement or approval of this content by the owners of such marks is intended, expressed or implied.

Copyright © 2021 Accenture. All rights reserved

Samuel Linares

Managing Director – Global and Europe Industry X Security Lead
