Security pros often view cybersecurity as a process, not a result. But in business, it’s regularly implemented in pieces or projects, each with its own timeline, goals, and results. The way an organization conducts such projects can actually reveal where there’s room for improvement in terms of management and processes, which will ultimately speed up cybersecurity implementation.
A cybersecurity project implementation for an industrial control system (ICS) is not an easy task. Security teams have to work within several constraints, such as making sure that the implementation does not disrupt the production process, and that the protection is built according to the applicable standards and regulations.
Projects like these can take several years in some instances, and with attacks hitting almost half of organizations in the industrial sector and becoming increasingly sophisticated, it's important that ICS organizations are as efficient as possible when implementing cybersecurity. Below are five management and process tips to help speed up cybersecurity implementation in ICS organizations, based on years of first-hand experience:
1. Assign clear responsibilities between departments.
The speed of project realization highly depends on project ownership and coordination between the departments involved in the process. Therefore, it’s important to determine which team becomes the project driver, and which handles approval and implementation.
It's also important to determine budget ownership. There are often occasions when an IT security department wants to implement something but doesn't have the budget, while the OT team has the budget but considers the project outside its scope. Without clear ownership and mutual buy-in, budget conversations between departments can take months. A clear assignment of responsibilities, a smooth decision-making process, and agreed criteria for justifying the project are necessary to address this issue.
2. Optimize approval processes.
How quickly a project goes from idea to decision to final implementation depends on management effectiveness within the company. An unstructured approval process at any level slows approvals down, and the more teams involved, the more time the organization needs to collect all required sign-offs. Along with unstructured approval processes, a recent market survey also found that project managers complain about delays in approvals from top management.
Security teams find that to streamline the approval process, it's important to have clear deadlines and clarity about what needs to be agreed, with whom, and at what stage. In many cases, too many top managers – from CIOs to the security service and CFOs – are involved in the approval process. Each of them takes time to get to the point and asks for more details before making a decision.
Cybersecurity projects also don’t always demonstrate quick and clear ROI. Not understanding immediate benefits often causes decision-makers to not approve such projects. Project teams can remedy this by making clear the advantages and long-term ROI to decision-makers from the outset.
3. Engage the C-level and speak to them in their language.
There are also cases in which the C-suite is not properly involved in cybersecurity discussions and therefore doesn't see the value in a security investment. This can happen because OT teams and management speak different languages. OT practitioners often present a project with too many technical details and say too little about the business goals it will serve, the risks it will eliminate, and how much money it will ultimately save.
This soft skill of communicating in the same language can, and must, be developed. It's best not to tell decision-makers how network monitoring will help the organization detect attacks at an early stage. Instead, tell them what the company stands to lose if it cannot do monitoring: primarily money, the trust of customers and partners, credit ratings and competitive advantage.
4. Align compliance with vital protection demands.
Typically, cybersecurity initiatives come from the bottom up. However, there are also reverse cases in which management decides to invest in security, especially when the company needs to comply with regulatory requirements. This trend was confirmed by research conducted last year, which found that for more than half of companies (55%), the main reason for investing in information security for ICS was regulatory requirements.
Although these regulation-driven projects have good intent, it's often much more efficient to align the business request with the actual protection needs identified by IT security. It's important to bring OT, IT, information security, the C-suite and the board into a dialog and collaborative effort. Consulting firm Oliver Wyman says these joint efforts are the fundamental culture shift required to close gaps in industrial protection.
5. Enhance your team’s expertise.
ICS security projects often have a hard time getting off the ground because organizations lack the dedicated expertise. Project development, implementation and operation, and especially large, complex projects such as a SIEM deployment, require specialized processes and practices. In a still-developing field, not every specialist has this experience, and companies can't find such people overnight.
Along with the optimization of decision-making and approval processes, companies also need to constantly drive employee education across both IT and OT. This means offering them the most up-to-date information about threats, as well as conducting specialized training on new products and solutions. This will help departments better understand each other's priorities and areas of responsibility, communicate more effectively, and then negotiate faster during projects.
Industrial security tends to mature gradually. Unless an industrial company experiences a serious incident, very few seek to force or accelerate the implementation of ICS security. In turn, the market has matured and stands ready to help, by clarifying ROI and benefits for security projects, communicating clear business risks, and offering specific expertise and educational programs.
Alex Moiseev, chief business officer, Kaspersky