There have been many papers and blogs written recently about how to ask your CISO for a cybersecurity budget or how operational technology (OT) personnel should engage with CISOs to ensure funding for their security programs. These topics paint a vivid portrait of a cybersecurity house divided. Unfortunately, two decades of OT cybersecurity evangelization by industry leaders and an onslaught of OT security startups have not made the conversations much easier. Instead of speaking the same universal language, we still resemble IT and OT teams struggling in the aftermath of the fall of the Tower of Babel.
To understand how OT engineers should engage with a CISO for security budget, we first need to consider why this is even an issue at all. Although it seems like not too long ago, there was a time when OT was not even on the security roadmap, and CISOs couldn’t spell OT if you spotted them the T. But then STUXNET, UKRAINE, NOTPETYA, and most recently the ransomware attack on Colonial Pipeline happened. These external events have accelerated the learning curve and cast two groups into the Thunderdome: two teams enter one team leaves (joking…sort of). In reality, what has happened is that the CISO has had a crash course on the criticality of OT to their business and the lack of visibility into OT environments within the enterprise cybersecurity stack, forcing two siloed teams to work together.
This forced interaction is not an easy one, with both parties playing it close to the vest. These new relationships may cause the OT engineer some consternation, as they may look at it as a loss of oversight or control. The CISO initially may be caught off guard by how unbound the problem set is and with the overall lack of standard security controls in OT that are typically found in the enterprise. This is where the engagement can become messy if the OT engineer and CISO don’t look at each other as partners, but rather as political adversaries.
Setting aside the soft issues of group dynamics, there are other obstacles to extracting cybersecurity budget for OT. Up until now the OT engineer has more than likely dealt with engineering problems that can be quantified and prioritized. For example, if you do X you can expect to not run so many dollars of on demand generation, or you can run a transmission line at this LTE (Long Term Emergency) limit for 24 hours without impacting the grid operation.
How do you change the mindset of basing all decisions on well-established data and operational practices, when the case for OT security spending is based on limited probability and risk exposure data? One of the biggest inhibitors to OT spending has been the risk equation and the data inputs available. What happens when the probability is viewed as negligible, and the impact is undefined?
This issue isn’t just an OT engineer and CISO problem. The entire C-suite has traditionally been reluctant to invest heavily in cybersecurity projects. Until recently executives could focus on operating the business and returning shareholder value, which is the primary goal of any company, to the chagrin of many in IT security organizations. Executives were further emboldened by the fact that in most cases OT security failures had yet to impact their business unit or overall operations. In these scenarios, requesting security budget from an executive was typically a losing battle. The problem is that exploits such as ransomware that were once just an unlikely nuisance to individuals or randomly targeted companies, have started to become pervasive across industries, and attacks that were solely IT-focused have now famously started to impact OT operations.
Let’s start by how you shouldn’t start the conversation with the CISO. Do not try to convey to the CISO that they don’t understand OT or that OT cybersecurity is drastically different from IT. Even though at my core I’m an OT engineer, I know there is no difference between the two once assets have been IP-enabled. Maybe OT processes are more critical, the protocols are less understood, and the hardware that supports our most critical infrastructure is old and unpatchable. But once you get past that, it’s still IT; it’s still network equipment; and it’s still servers and hosts.
Here are some tips on how you should make the case:
1. Focus on Risk Reduction Benefits
2. Propose a Concrete Plan
3. Be Human
I’m reminded of a quote from Bill Belichick when a reporter asked about Tom Brady’s injured thumb a few years ago. Belichick responded, “Tom did a great job, and he’s a tough guy but we’re not talking about open-heart surgery here”. In the case of OT engaging with the CISO for cybersecurity budget, my response would be “The CISO and the OT engineer should work well together to reduce OT risk for the company, but it’s not like they’re trying to become NERC CIP compliant.” ;)