In the world of Cybersecurity today, we are starting to realize that not all assets are digital in nature. For example, it's not all about the VMs or virtual desktops that you run in Microsoft Azure or AWS. There is also a physical component, and it is just as prone, or even more so, to the various threat variants out there.
These are the legacy systems, and even the modern systems of today, that support our national electrical grid or run the robots along the manufacturing line.
All of this is referred to as "Operational Technology", or "OT" for short.
Technically, it can be defined as follows:
“It is the hardware and software that detects or causes a
change, through the direct monitoring and/or control of industrial equipment,
assets, processes and events.”
(SOURCE: https://www.gartner.com/en/information-technology/glossary/operational-technology-ot)
So, the key phrase in this definition is "industrial equipment", no matter how old it is. And as just mentioned, these assets are just as vulnerable as the digital ones.
Just think about some of the past events: the Colonial Pipeline attack (ransomware that hit the company's IT systems, yet forced the pipeline's operations to be shut down), the various attacks on our water supply, etc.
These need to be secured, and so do the newer forms of OT as they come out. But this means asking for more money.
So how do you go about doing this, when you already have a hard enough time getting a regular Cybersecurity budget approved? Here are some things to keep in mind:
1) Think about who you are going to ask for the money:
Ultimately, it is the C-Suite that will give the final nod for any increased spending. So, think about the language they want to hear. Unfortunately, IMHO, the only thing they can really understand is a bunch of numbers put together with some buzzwords attached to the presentation. The big buzzword right now is "Risk". So in your proposal or memo requesting the money, try to approach it from this perspective. This is not the place to dazzle the C-Suite with fancy models and algorithms. Simply point out where the current level of risk to your OT stands at this point in time, and how the increased spending can reduce it to a much more tolerable level. Also, don't forget to include the ROI that will be gained from the increased spending, as this will be the next question the C-Suite asks.
2) Explain which other costs could be mitigated:
Whenever a company is impacted by a security breach, whether it is on the digital assets or on the OT itself, there will always be costs incurred, no matter what. Downtime, getting the mission critical systems back up and running ASAP, the cost of the employees' time spent containing the attack, etc. can all add up very quickly.
Walk your C-Suite through a "what if" scenario: with the extra spending, the chances of having to absorb these extra costs are mitigated. Without it, if we are hit, those costs will be there, and even getting a payout on your cyber insurance policy could take time as well. I am sure that your C-Suite will like the former approach better.
3) Come up with a plan:
In making the pitch to your C-Suite, always show a high-level plan for how the extra funding will be used. It does not have to go into a great amount of detail (that is your CISO's job), but showing where the money will be allocated to shore up the segments of the OT processes you have in place will go a long way. It will show them that you have done your homework, and that you know how to spend the money as rationally and effectively as possible.
If you are asked for details, then you will need to provide them as well. In this instance, use the document that you created for your CISO and pull material from that, but remember to keep it short and easy to understand.
4) Provide some metrics as to how the money will be spent:
One thing about the C-Suite is that they like to see things presented as an incremental plan, rather than throwing in everything and the kitchen sink. So rather than showing a PPT slide deck with just one large dollar amount and how it will be spent, break that up into separate slides and show how the money will be divided and allocated to the various components of your OT assets. Try to lay this out chronologically: first X dollars will go here, then the next bucket of money will be spent there, etc. And if you really want to dazzle them, show the ROI at each step as well, but make sure the C-Suite fully understands that the ROI is also an incremental measure and will arrive step by step.
My Thoughts On This
Well, there you have it, some quick tips that hopefully you can use. Keep in mind that asking for extra funding for OT security may actually prove to be a little easier than you think. The C-Suite is always inundated with requests for digital asset protection, so remind them of the recent attacks that happened to our Critical Infrastructure.
Then play out the "what if" scenario in which there was a simultaneous hit and we had no water, gas/oil, or electricity for weeks. Then remind them that, with increased funding to protect all of these OT processes and technologies, this scenario might never happen in the first place.
That should hopefully perk up your C-Suite's ears quite a bit.