It is often said that cybersecurity is a process, not a result. But in business, it is regularly implemented in pieces, or projects, each of which has its own timeline, finite goal and results. The way a company conducts such projects can actually reveal where there is room for improvement in terms of management and processes which, in the end, will speed up cybersecurity implementation.
In heavy industry, project implementation for industrial control systems is not easy. In particular, to install protection for computers which control an electric turbine or an automobile conveyor, for example, you need to consider numerous impacts. This includes making sure that implementation does not affect the production process, and that the protection will be built according to necessary standards and regulations.
Projects in these settings can take several years in some instances. From speaking to a number of our customers, I know that it can take up to two years just to draw up project documentation and purchase software. And while attacks are hitting almost half of organizations in the industrial sector and becoming increasingly sophisticated, it is important for these companies not to let the process take even longer. Below are some management and process hints that should help avoid that.
1. Assign clear responsibilities between departments
The speed of project realization depends heavily on project ownership and coordination between the departments involved in the process. Therefore, it's important to determine which team is the project driver, and which is involved in approval and implementation. For example, a project can be initiated by an OT engineering team, while deployment is handled by the IT security department, or vice versa.
There may also be occasions where an IT security department is willing to implement something, but it doesn't have the budget. Meanwhile, the OT team may have the budget, but it's outside of their priority remit. Without this mutual buy-in, budget bargaining and arguments between departments may take months. A clear assignment of responsibilities, a smooth decision-making process, and criteria for justifying the project are necessary to address this issue.
2. Optimize approval processes
How quickly the project goes from decision to implementation depends on management effectiveness within the company. There is a concept in computing systems called latency (or timing), which determines the speed of the processor. It shows the delays that occur when the processor executes a command. The better the processes (standard development, project design and approval at all levels, piloting, budgeting, and procurement), the lower the latency.
An unstructured approval process at all levels can affect that latency. The more teams involved, the more time needed to get all required approvals. This is one of the most frequently cited obstacles in industrial cybersecurity projects, along with delays in approval from a top-management level, as we found in a recent market survey.
To streamline the approval process it is important to have clear deadlines and clarity about what needs to be agreed, with whom, and at what stage. In a lot of cases, too many top managers, from CIOs to the security service and CFOs, are involved in the approval process. They may need more time to get to the point and ask for more details before making decisions.
Additional time also derives from the fact that cybersecurity projects don't always demonstrate quick and clear ROI, as automation projects do, for example. Not understanding those immediate benefits often leads to a lack of motivation among decision-makers to approve such projects. This needs to be remedied so that the advantages and long-term ROI are clearer to decision-makers from the outset, ultimately streamlining the approval process.
3. Engage your C-level and speak to them in their language
There are also occasions where the C-suite is not properly involved in cybersecurity discussions, and therefore doesn't see any value in investing in it. This may be due to the fact that OT teams and management speak different languages. OT practitioners often use the wrong arguments and include too many technical details when defending a project. At the same time, they say too little about the business goals the project will serve, what risks it will eliminate, and how much money it would ultimately save.
This soft skill of communicating in the same language can, and should, be developed. Last year at the Kaspersky Industrial Cybersecurity Conference I attended a keynote by Patrick Miller, Managing Partner at Archer International, a critical infrastructure protection services firm. He pointed out, very accurately, that a risk-based approach is key when justifying a project to the board. Don't tell them how network monitoring will help you detect attacks at an early stage. Instead, tell them what they can lose if you are not able to do this: primarily, money, the trust of customers and partners, credit ratings and competitive advantage.
4. Align compliance with vital protection demands
Typically, a cybersecurity initiative comes from the bottom up. However, there is also a reverse case where management decides to invest in security because there is a demand to comply with regulatory requirements. This trend was confirmed by market research that we conducted last year. For more than half of companies (55%), the main reason for investing in information security for ICS was regulatory requirements.
Although such a project may be better than nothing, it would be much more efficient to synchronize the business request and the needs of IT security. It is important to motivate OT, IT, information security, the C-suite and the board to engage in dialogue and joint efforts. Experts from consulting firm Oliver Wyman described such joint efforts as a fundamental culture shift which is necessary to close the gap in industrial protection.
5. Enhance your team's expertise
Another obstacle to implementing information security projects is the lack of dedicated expertise. Project development, implementation and operation, and especially large, complex projects such as SIEM, require special processes and practices. In a developing industry, these are not available to all specialists and can hardly be created overnight.
Therefore, along with the optimization of decision-making and approval processes, companies need to constantly drive employee education. Across both IT and OT, this means providing them with the most up-to-date information about threats, as well as conducting specialized training on solutions. This will help departments better understand each other's priorities and areas of responsibility, to communicate more effectively, and to then negotiate faster during projects.
Industrial security follows the path of natural development. Unless an industrial company experiences a serious incident, very few seek to force or accelerate the implementation of ICS security. Of course, there are exceptions: one oil and gas company managed to deploy the protection of its industrial assets in just 18 months. This usually requires strong C-level involvement and very large resources (in the case of this company, 30,000 employees). For all other companies, it is more about evolution rather than revolution. The steps listed above should help evolve industrial cybersecurity implementation at a comfortable speed. Step by step, it will become easier and faster.
In turn, the market is sufficiently developed and ready to help with this, by clarifying ROI and benefits for security projects, communicating clear business risks, and providing specific expertise and educational initiatives. This should be combined with the continuous improvement of protection methods. At this stage, though, it is important for companies to understand what their obstacles are in order to overcome them.
Comment by Alexander Moiseev, Chief Business Officer at Kaspersky