Sunday, November 14, 2021

Need To Get More $$$ For Your OT? Try These 4 Golden Tips

In the world of Cybersecurity today, we are starting to realize that not all assets are digital in nature.  For example, it's not all about the VMs or Virtual Desktops that you have in Microsoft Azure or AWS.  There is also a physical component as well, which is just as prone, or even more so, to the various threat variants.

These are the legacy systems, and even the modern systems of today, that are used to support our national electrical grid or even run the robots along the manufacturing line.

This can all be referred to as what is known as "Operational Technology", or "OT" for short.  Technically, it can be defined as follows:

“It is the hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events.”

(SOURCE:  https://www.gartner.com/en/information-technology/glossary/operational-technology-ot)

So, the keyword in this definition is industrial equipment, no matter how old it is.  And as just mentioned, these systems are just as vulnerable.  Just think about some of the past events that have happened – the Colonial Pipeline attack, the various attacks on our water supply, etc.

These need to be secured as well, especially as newer forms of OT come out.  But this means asking for more money.

So how do you go about doing this, when you already have a hard enough time trying to get just a regular Cybersecurity budget approved?  Here are some things to keep in mind:

1) Think about who you are going to ask for the money from:

Ultimately, in the end, it is the C-Suite that will give more or less the final nod for any increased spending.  So, think about the language they want to hear.  Unfortunately, IMHO, the only thing they can really understand is a bunch of numbers put together with some buzzwords attached to the presentation.  The big buzzword right now is "Risk".  So in your proposal or memo requesting the money, try to approach it from this perspective.  This is not the place to dazzle the C-Suite with fancy models and algorithms; just simply point out the current level of risk your OT technology stands at this point in time, and how the increased spending can reduce it down to a much more tolerable level.  And also, don't forget to include the ROI that will be gained from the increased spending, as this will be the next question asked by the C-Suite.

2) Explain how the other costs could be mitigated:

Whenever a company is impacted by a security breach, whether it is on the digital assets or even the OT technology itself, there will always be costs that will be incurred, no matter what.  These include downtime, getting the mission critical systems back up and running ASAP, the cost of the employees containing the attack, etc., and they can all add up very quickly.  Explain to your C-Suite a what-if scenario:  What if we had the extra spending?  Then the possibility of having these extra costs will be mitigated.  But if not, and we are hit, those costs will be there, and even getting a payout on your Cyber Insurance Policy could take time as well.  I am sure that your C-Suite will like the former approach better.

3) Come up with a plan:

In making the pitch to your C-Suite, always show a high-level plan as to how the extra funding will be used.  It does not have to go into a huge amount of detail (that is your CISO's job), but showing where the money will be allocated to beef up the segments of the OT processes you have in place will go a long way.  It will show them that you have done your homework, and that you know how to spend the money as rationally and effectively as possible.  If you are asked for some details, then you will need to provide them as well.  In this instance, use the document that you created for your CISO and pull material from that, but remember to keep it short and easy to understand.

4) Provide some metrics as to how the money will be spent:

One thing about the C-Suite is that they like to see things presented as an incremental plan, rather than throwing in everything and the kitchen sink.  So rather than showing a PPT slide deck with just one large dollar amount to be spent, break that up into different slides and show how the money will be divided up and allocated to the various components of your OT assets.  Try to put this in a chronological approach: first, X amount of $$$$ will go here, then the next bucket of money will be spent there, etc.  And if you really want to dazzle them, try to show the ROI at each step as well, but the C-Suite needs to fully understand that this too will be just an incremental measure.

My Thoughts On This

Well, there you have it, some quick tips that hopefully you can use.  Keep in mind that asking for extra funding for OT security may actually prove to be a little bit easier than you may think.  For example, the C-Suite is always inundated with requests for digital asset protection.  Remind them of the recent attacks that happened to the Critical Infrastructure.

Then play out the what-if scenario in which, all of a sudden, there was a simultaneous hit and we had no water, gas/oil, or electricity for weeks.  Then remind them that with just a simple increase in funding to protect all of these OT processes and technologies, this scenario may never happen in the first place.

That should hopefully perk up your C-Suite’s ears quite a bit.
