I have worked in the technology industry for over 30 years, lately as a strategic consultant. On the heels of a recent large-scale OT security transformation program at a large pharmaceutical company, I have been connecting with many organizations and coaching individuals on their journey to improving their OT cyber security risk posture.
From my experience leading security transformations, I have come to the conclusion that big companies struggle to implement a successful OT cyber security transformation. I would like to share my thoughts on why this is so and what to do about it. My goal is to help not only the technical people who run the security programme day to day, but also the business leaders who are increasingly held responsible for its outcome.
Cybersecurity is usually not defined in a business context, but it should be. I approach cybersecurity as a business continuity risk that, if realised, can result in dire consequences such as:
- Theft or corruption of vital business data, including IP and personal information
- Destruction of the operating environment
- Serious safety events that may physically harm persons and industrial processes
These consequences can severely damage reputation and revenue, and can result in harsh fines and penalties both for the company and for individuals. Worse, they can inconvenience or even endanger customers, for example pharma patients not receiving their medication.
I have observed three common big-company situations that impede progress on security transformation programs:
- Companies that know what they want to do, but can’t get the sponsorship or funding.
- Companies that have the funding, but don’t know where to start.
- Companies that have started, but cannot get traction within operating business units.
Here are my recommendations to help big companies get past these impediments and move on to implementing and maintaining effective security transformation programs.
1. Business Context
In large companies, security transformation programs tend to be centrally led. Sponsors tend to seek justification based on technically framed risk, but this doesn't win over senior management because it doesn't bring the business context (risk and impact) to life. Sometimes funding is forthcoming anyway, but then the onus moves to the operating business units, which must understand and prioritise numerous changes to their operations while lacking that context.
I recommend that security transformation be positioned in a business context such as supply chain continuity. This brings it to life and also helps establish who owns the risk.
2. Accountability, Ownership, and Governance
Even with a compelling business context, the size and complexity of a company will have considerable influence over the security transformation program. Business relationships between the central organizations that don't own a P&L and the operating business units that do, not to mention the overarching need for consensus across many governing bodies, may be obstacles to success. Additionally, the natural tendency to outsource much of the crown-jewel operations can make the security transformation journey very slow and expensive.
I recommend a joint venture between business units and central organizations to get everyone onto a common playing field before even talking about security strategy. This takes the form of central and business teams understanding what Operational Technology (OT) is, what they have invested in it, and what risks are associated with it. Then it is time to translate those risks into business impacts.
Building a common language across the joint venture spreads real understanding through the company. It answers the big question for everybody concerned: "What is cyber and why should I care?" Central teams gain an understanding of how the business units physically operate and which operating priorities need to be factored in, such as safety, quality, Overall Equipment Effectiveness (OEE) and regulatory obligations.
Once the joint venture reaches a common understanding, the program moves on to discussing what has been discovered and what looks doable and impactful, and then to building a joint strategy with specifics: which steps will be undertaken, in what order, to get the fastest return, and how decision-making will be governed going forward. I have found that a winning formula is a process in which business unit leaders report progress and learnings while the central team acts as a service that provides solutions to reduce risk.
3. Embedding and Sustaining Value
It's important to remember that there is life beyond establishing the program. It's easy to forget that OT Security Risk Management is a continuous process that needs ongoing management. Consideration must be given to developing an OT Cyber Security Operating Model that answers questions such as:
- Who is going to be responsible for running this new technology, both OT and IT?
- What processes need to change?
  - Systems Lifecycle Management
  - Business Continuity Plans (BCP)
  - Disaster Recovery (DR)
- Do we buy or build security capability?
- What skills do we need to grow, and where are they to be located, both physically and in the reporting structure?
4. Slowly But Surely
There is a big-company tendency to look at the full programs that peers have already implemented, or to bring in an external partner who will recommend a very long list of activities and tasks. Trying to cover everything in one go will overwhelm the organization. So don't do that! Start with a few baby steps that will deliver risk reduction at an acceptable cost. But even to begin with baby steps, you must know where you are in the security journey, which risks you are dealing with, and how you will measure improvement. Then you can get some quick wins, such as reviewing and testing your BCP, and educating staff on what cybersecurity is and what their security roles are.
At this stage, it's worth considering an experienced, trusted partner who may be able to help with the heavy lifting (such as computer network changes) and possibly with establishing some of your operating capabilities as a service, e.g., security monitoring, incident response, risk assessments and employee training.
There's no doubt that the journey to achieving an effective cyber risk posture is a challenging one. Many organizations are still living in the world of "It won't happen to me" or reeling from "My operating costs are already too high!" But don't be fooled. Cyberattacks will happen to your company, as they are happening all over the world in every industry. You are at risk whether you want to admit it or not. In addition, NIS2 is right around the corner (October 2024) and it comes with a very heavy price for non-compliance. You must act now!
I recommend that you take a look at Radiflow's very helpful NIS2 whitepaper, which provides specific guidance on establishing and maintaining an effective security transformation program and on compliance with the new directive.