When it comes to cybersecurity, 2021 was a wake-up call for most industrial sectors. Cyber vulnerabilities in operational technology (OT) were exposed and we learned that critical American infrastructure can be crippled with the click of a button. Attacks were present in the news monthly, with the most highly publicized including the shutdown of one of the nation’s largest pipelines, Colonial Pipeline. The recent surge of cyber incidents and the correlating effect on operations highlights the fact that threat actors have moved beyond traditional information technology (IT) targets, where their main goal is to obtain important information and data, to OT, where their primary mission is to cause physical disruptions or harm.
By Ryan Moody, President and CEO at ABS Group
As the end of the year approaches and we begin making organizational plans for 2022, CISOs within industrial sectors must take time to reflect on this year’s unprecedented events and how they should shape their priorities.
First, CISOs need to reassess their cybersecurity programs to properly address the current threat landscape. We now know that cybercriminals have set their sights on making an impact in OT environments; therefore, CISOs must completely shift their focus. The traditional solutions implemented in an IT environment do not address the unique needs and circumstances of OT.
To build out an entirely new cybersecurity program that addresses IT and OT cyber environments independently, CISOs must educate and garner buy-in from their board of directors. This crucial task will not be quick or easy to accomplish, but if done correctly, it can result in greater resources that will enable organizations to keep their digital and physical assets secure and preserve their reputation.
Although many boards know their organizations need to act on cybersecurity following the barrage of incidents in 2021, the biggest obstacle standing in the way is education. Most of the public – including board members – do not understand the differences between IT and OT networks or the challenges of protecting the less mature OT networks from threat actors. The media coverage and conversations on the topic are filled with myths and misinformation. There is also no clear understanding of the distinction between IT and OT cybersecurity, which presents a significant risk to organizations.
CISOs should begin their discussions with their boards by educating the members on common myths about cybersecurity versus the realities. They should be prepared to explain:
Companies won’t spontaneously invest in cybersecurity. CISOs are often challenged by the board to explain what the real impact will be should a cybersecurity event occur. And since many board members don’t fully understand cybersecurity, let alone the key differences between IT and OT, CISOs must focus on what will resonate most. They need to emphasize the impact of cyber-attacks on market valuations, competitive advantages, ability to bid, and key financial performance indicators.
CISOs should also explain why managing cyber risk for both IT and OT environments is a business imperative. Their discussions should offer examples of how previous cyber-attacks on IT and OT have affected the business performance and operations of organizations that fell victim to them. For example, the Colonial Pipeline cyber incident caused an entire shutdown of the pipeline operations that supplied 45% of fuel to the East Coast, cost the company millions in ransom, and had a substantial impact on the supply chain.
Communicating cybersecurity, and more specifically the different approaches to managing IT and OT cyber risks, to the board will not be an easy task for CISOs as they map out their needs and priorities for 2022. However, they must remember that education is key and that an attack on OT systems can significantly impact people, property, and the environment. Cyber attackers will not stop; they will only increase their activity and become more sophisticated as they leverage the weaknesses of organizations. Boards of directors must grasp this concept and act now (not later) if they wish to keep their organizations truly secure. 2021 opened Pandora’s box, and it will take focused effort and investment to close it.
About the Author
Ryan Moody is President and CEO of ABS Group of Companies, Inc. (ABS Group). He previously served as Vice President of Strategic Development for the American Bureau of Shipping (ABS), where he was responsible for guiding and supporting ABS’ and ABS Group’s strategic activities and corporate growth globally. He brings 18 years of experience primarily in the oil and gas sector. Prior to ABS, he held leadership positions at Siemens Government Technologies, Siemens Energy, and FMC Technologies. His experience includes engineering, business segment management, product management, cybersecurity strategy, and corporate strategy. Moody holds a B.S. in Mechanical Engineering from Texas A&M University and an MBA from the University of Houston.
Disclaimer
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.