How to surmount these hurdles? While creating and embedding a new governance structure will take some time, there are a number of steps that companies and their CISOs can take immediately to start putting the building blocks in place.
The first, overarching, step is to give the CISO a seat at the top table. In many companies the CISO sits below the CTO or CIO, putting them a long way from operations. The head of operations will invariably report directly to the CEO. To have the necessary level of visibility and influence across the enterprise, the CISO should report at a similar level.
A further positive move is to put in place a formal governance body that brings together all the parties involved in OT security, including cybersecurity, IT, corporate risk and OT, to discuss the implications of cybersecurity for OT from each of their perspectives. This grouping could be termed a “steering committee” for cybersecurity, with objectives including:
- Achieving alignment on OT cybersecurity objectives, strategy, initiatives and investment.
- Providing enterprise-wide oversight and visibility on cybersecurity and risk.
- Steering, supporting, and endorsing cybersecurity decisions.
- Overseeing the development and adaptation of the cybersecurity capability to meet corporate requirements.
By involving operations in decisions related to OT cybersecurity, this governance body can reduce the pushback that sometimes occurs from OT teams. At the same time, a further valuable step is to create a community of practice for OT cybersecurity – a more informal grouping that provides a platform for discussing OT cybersecurity issues at different levels, identifying trends and necessary actions, discussing approaches to problems and unearthing “hidden talent” in OT cybersecurity within the business.
Why does this talent need to be unearthed? Currently, people with formal qualifications in OT cybersecurity are rare. Yet hidden within the operational teams in most industrial companies, there will be a handful of OT personnel who take a personal interest in the security of the systems they manage, and combine this with a deep understanding of the company’s operations.
These spontaneous, self-designated “OT cybersecurity champions” have often acted on their own initiative to develop their cybersecurity skills. This gives them a unique skills profile that makes them a hugely valuable resource for, and a natural fit to populate, the organizational structure for expanding cybersecurity to OT.
To help guide the journey, companies may also want to engage an independent, trusted cybersecurity advisory firm that can work across IT and OT and speak the language of OT people. Such an advisor can help with all aspects of the necessary changes, from providing cybersecurity insights to clarifying responsibilities and facilitating dialogue between different teams.
No time to lose
These steps will help your industrial business begin to reinvent its cybersecurity governance for the world of connected OT. And when to embark on the journey? With cyber threats growing continually, there’s no time to lose. So start today, and get ahead of your OT’s cyber adversaries before the worst happens.
As ever, if you’d like to discuss anything in this blog, please drop me a line. I’d be delighted to hear your views!
Disclaimer: This content is provided for general information purposes and is not intended to be used in place of consultation with our professional advisors.