There has been a lot of talk lately about how to secure a budget from the C-suite. While most people seem to understand the need for cybersecurity, many companies and organizations are still lagging behind, and it can be difficult to get buy-in at all levels. One of the challenges of overcoming capital inefficiencies is knowing how to explain whether or not your systems are secure, and how to make the case that investing in cybersecurity is also investing in safety.
Joining Gary Cohen, senior editor of Industrial Cybersecurity Pulse, are Jim Crowley, CEO of Industrial Defender; Ryan Heidorn, co-founder and managing director of Steel Root; Pranav Patel, founder and CEO of MediTechSafe and Resiliant; and Tyler Whitaker, CTO at Leading2Lean.
This discussion has been edited for clarity.
ICS Pulse: Why is it that cybersecurity efforts are still capital inefficient? And how do we start overcoming that problem?
Tyler Whitaker: The real challenge with the capital inefficiencies in cybersecurity right now is related to the fact that the remediation efforts are typically manual. The documentation efforts, to put the structure around what that incident was and what the remediation steps were, are onerous from a labor perspective. So as cybersecurity professionals in this industry, we need to look at better ways of optimizing and automating these steps, so that we can be more efficient with the capital we deploy and the security controls that we can actually operate.
Jim Crowley: Yeah, I had a customer conversation the other day who basically said it’s still easier to get side load technology funded in their organization, as opposed to getting buy-in across the organization. They’ll do a project that might take some level of risk out of a network segment or on a particular asset type, but aren’t really looking at things holistically, even though they know they should do it. It’s just organizationally too hard to get larger programs put in place. So they’ll try to pick it off, and then you end up with a smorgasbord of technologies and practices, which creates gaps and seams in the organizations from a security perspective.
Ryan Heidorn: I actually came to this conversation with something that I read recently and found interesting. I’d just love to get the opinions of the others on this call. It was an academic article. A lot of it was over my head, but the National Academy of Sciences published this article several years back that was looking at the inherent unfalsifiability of security claims. Basically, the message there was that there’s no way to say that a system or particular security technique is secure because you can only demonstrate when something is insecure.
What I took from the article was that it was saying there’s no effective way to prioritize security measures because you can tell when a measure is ineffective because you get breached or something like that. But you can never tell whether a particular measure is necessary until it’s too late.
That makes it hard to prioritize spending, especially when there are security initiatives across all of these different systems and pieces of the business. You’ve got vendors coming and saying, “I’ve got this great zero-trust solution,” to just use the most recent buzzword. Those things may be good, but there’s no systematic way to say this is what I need when the scope of potential security vulnerabilities is so high.
Crowley: I’d actually disagree with that argument pretty vehemently. If you look at all the standards (I’ve been involved with security for over 20 years, involved with anything from PCI to HIPAA compliance, to NERC CIP, all of SOC and now some of the other standards that are coming down the line), they all come from the same playbook, right? This foundational security is what everybody needs to do. And the example of: If you don’t know if the doors and windows are locked, you are inherently insecure. And if you don’t know how many doors and windows you have, that is also a problem. A lot of times in industrial areas, they just don’t know what assets they have in their environment.
If a vulnerability is published on Saturday morning or Friday morning in The Wall Street Journal, and the CEO calls the CIO to say, “Hey, do we have any of these safety devices that are vulnerable in our refining facility?” they may not know. They have a real hard time figuring that out. So it’s just not having the sort of basic stuff around asset inventory and configuration management, knowing what software you have, knowing what the vulnerabilities are. You’ve got to do that basic stuff. I would say, if you don’t do that basic stuff, you are insecure.
There are things that you can do at a foundational level that every company should sort of buy into. And, again, pick a standard. It’s all there. Then you can layer on the more sophisticated things over time, whether that’s machine learning capabilities or zero trust, or whatever else: threat hunting, threat intel. It’s all great stuff. There are lots of layers you can apply on it, but you’ve got to have the foundation. You’ve got to get your house in order to start before you can really execute on a good program.
Whitaker: I think, Jim, you’re right there in the fact that the basic hygiene that everybody should be doing are those things. The challenge is that nobody wants to be the guy that says, “Yeah, the security team told me that this was a possibility, and I said no. I said that was enough.” Where do you draw the line?
How much security can you afford? How much should you invest above and beyond that? It’s more art than science at this point, and that’s really the biggest rub that I see: security teams trying to push for tighter security controls where it’s not warranted. Because of a lack of understanding on the OT side, they don’t invest in or require the security controls that they should, because they don’t know about it, or the standard doesn’t promote it yet.
Pranav Patel: I’ll just add two things to it. No. 1 is I think what Ryan said is probably true. It’s hard to know the effectiveness, but to Jim’s point, it’s easy to know ineffectiveness, right? You could take a list of the things and say, “Hey, here are the things I am doing or not.” Then you have to peel the onion, and you go a layer down and say, “Well, if I’m doing these things, am I doing it efficiently or not?”
Another example would be if you said, “Oh my gosh, I’m doing these activities.” Now, the next one is: What’s the cost of inaccuracy? What’s the utility? I roll these things out, but nobody’s using them. So when you go down those lists, this is when you really peel the onion. You figure out where you have inefficiencies that lead to capital inefficiencies. You start with, “Hey, these are the things minimally I’m going to do that I know if I don’t do, I’ll be ineffective. If I have those things, I still don’t know if I’m 100% effective or not, but at least this is a starting point.”
Within that, if you take the approach that any ops guy does: Am I the best at it? I’m spending the least. I’m being the most effective, and that’s how you really draw the most out of it. I think that’s a cultural thing. The ops guys, they go to the manufacturing floor. That’s what they live and breathe every day. I’m not sure if that’s in the DNA of the tech team. Their goal is: How do I solve the same problem through integrating and connecting and stuff, but not really thinking that I have support infrastructure to put in place afterward.
I have other risks that actually come after that, because they think it’s somebody else’s job. I think silos within an organization usually also cause a lot of the capital inefficiencies. The fundamental reason, if you think today that things are broken, is nothing more than an organizational issue and an engagement issue. If you could teach people to engage across the board, I think you’ll solve, to Jim’s point, more than 85% of the problems. You become a lot more efficient at it.
Crowley: Yeah, I agree. I think it’s a cultural issue, and sort of the corollary is safety. People don’t put an ROI around safety. It’s a cultural thing, and in many, many meetings that we’ll take with our energy clients, they’ll start the meeting with a safety message. Whoever the presenter is will spend two minutes talking about a particular safety issue. So that’s a cultural thing that they’ve been ingrained into. We may need to start thinking that way in terms of how we’re working with our clients and sort of positioning. I think this would help in the C-suite, as well, and we’ve got a couple of business partners that are consultants that do this pretty well.
They’ve mapped the cyber speak to the safety speak, because the executives understand safety. They understand the value of safety. They have invested in safety, so it’s not a new thing. If someone gets in and changes settings on a styrene plant and it explodes, that’s a safety issue. Cyber and safety are pretty interlinked in some of the facilities we operate in. If you can start to spin that message a little bit toward how people actually think, safety is probably a good place to start.
Heidorn: I think that’s a great comparison in the same way that I can’t go to the C-suite and say, “This purchase is going to make this system secure.” I can never say that. I can say, “I think that I have a measure of certainty that this will make us more secure or more safe,” and C-suites are willing to make investments in those sorts of things. But it does complicate, as the others were saying, calculating ROI. If I’m putting before the board a decision to roll out a new PAM solution versus a new EDR solution, I have to take a sort of qualitative approach to say why I should choose one investment over the other.
For more with Crowley, Heidorn, Patel and Whitaker, check out their first roundtable discussion where they talk about how to secure a cybersecurity budget from the C-suite.