Recent cyberattacks on everyone from Colonial Pipeline to JBS Foods to Twitch have proven cybersecurity is essential no matter which business you’re in. According to experts, companies should spend between 10% and 15% of their annual information technology (IT) budget on cyber defense, but the reality is few companies are even doing that. While spending money to prevent an attack is a lot cheaper than the cost of remediating a successful attack, it can still be hard to get C-suite buy-in for increased cybersecurity, and especially an increased cybersecurity budget. So how do you get organizational buy-in for cybersecurity? Once you have the buy-in, how do you scale?
It all begins with improved communication and speaking a language business executives understand, said Matt Leipnik, lead industrial cybersecurity specialist for Nexus Controls, a Baker Hughes business. Operational technology (OT) and cybersecurity are technical, engineering disciplines, which can complicate matters.
“The business management side of the organization is not necessarily as well versed or aligned to the engineering side of things as perhaps to the commercial side of things,” Leipnik said. “I think one of the key things is positioning the language. Using detailed technical terms and abbreviations and things like that, and trying to flip that into more, like, what is the direction of the business, understanding the goals of the business and then trying to tie the technical side of the business back to the business goals.”
For example, during the pandemic, many people have moved to remote working. That shift is underpinned by security, Leipnik said. While the IT and OT sides see the benefits of increased security, the business side sees the flexibility of being able to keep the lights on and continue serving customers while everyone is at home. Statistics and data can help underpin your argument, but it’s important to align to business goals when talking to corporate executives.
“The worst thing you can do is go to the board and say, ‘Oh, there’s 3,000 threats more than there were last month, and SQL injection is really, really bad for us,’” Leipnik said. “They’re just going to go, ‘Well, 3,000 threats? What does that mean to me?’”
Talking the talk
Of course, communication is about more than just convincing the C-suite of the need for increased cybersecurity budgets. There must also be communication, especially in larger organizations, between executives with similar job titles. For example, if a company has a CISO, a CIO and a CTO, who is in charge of cyber efforts? How do you define the roles and make sure everyone is in alignment to create a strong cyber defense?
According to Leipnik, this can be a tricky area. Often, as an organization evolves over time, responsibilities that fall under the CTO might be better suited for the CIO, and vice versa.
“One of the things we talk about on a technical level right at the start, if you look at something like the NIST (National Institute of Standards and Technology) cybersecurity framework, is identify,” Leipnik said. “I would look at that more from a business point of view as, like, what are the roles and responsibilities, and who should really have them? Who does do what, and who doesn’t do what? Because that is often where the tension comes from, the communication between the silos, if you like, of those roles and their direct reports. That actually lays the groundwork for things like incident response, because knowing who’s responsible for what when bad stuff happens is the key to managing an incident and reducing that kind of incident downtime.”
Leipnik cited IT/OT convergence as another area where communication is key. The language always centers around “convergence” or “bringing the two sides together.” In reality, there should just be one team working together to solve problems, whether that means taking some OT people and rotating them into the IT security team, or taking IT personnel and having them spend time in plant operations and production.
“A lot of our problems, if you like, are caused by poor communication,” Leipnik said. “And that’s not just in business and industrial environments. That’s in life generally, as well. So, yeah, it is a very important factor and perhaps one of the first places we should probably start to look when we’re trying to iron our outlook out.”
Scaling cybersecurity after buy-in
Once a company gets buy-in for its cyber efforts and all sides are communicating well, the next step is figuring out how to properly scale cybersecurity. Leipnik breaks it down into a few key areas. It all begins with basic hygiene, or nurturing the minimum fundamentals most companies should be “doing in their sleep.” After that, companies reach a middle ground, or hybrid stage, where they’re often introducing a visibility tool into their environment.
There are growing pains associated with this stage, because a new visibility tool often results in a “load of alerts,” and companies might not have the people, time or resources to properly manage them. Once companies come out the other side, they can begin to move from a reactive approach to cybersecurity to a more proactive and holistic view.
This is where additional resources will likely come into play, whether that means outsourcing, teaching new skills to existing personnel or investing in new technology. Managing this process can be tricky, which is why it’s important to formulate a plan to bring those resources up to speed.
“The key is flexibility and building off of what you’ve got without trying to throw it all out and start again,” Leipnik said. “You can leverage your existing culture, especially in industrial because we’re coming from that health and safety point of view. Cyber is a nice extension of health and safety culture. So it’s perhaps easier sometimes to get the OT side of the organization more cyber ready than to try and get the IT cyber part of the organization more OT ready.”
When companies have reached the point where they have a solid budget, sufficient personnel and a plan in place, that’s a nice place to be. It makes incident response and planning much easier. In a perfect world, companies can then start to automate parts of the process.
“I think success, really, is your ability where you can handle anything that’s thrown at you, and you’re not bursting the seams when it comes to not having enough people or not having enough time,” Leipnik said. “You’re effectively prepared, even though you don’t know what the day will unfold and give you. But whatever happens, you know if that crops up, we know what to go and do next. If this crops up, we know that we need to go and do that. That’s success for me. The cliche is, you don’t have an attack, and you never have a problem. But that’s unrealistic, and it’s never going to happen. So you just need to be, for me, prepared for anything.”
The good news, Leipnik said, is companies are no longer having to work as hard to achieve cybersecurity buy-in. While justification can still be a hurdle for some, thanks to incidents like the Colonial Pipeline breach and SolarWinds, most people have woken up and now understand they have to do something about cybersecurity.
“Linking it back to things that we want to do in the business that maybe we can accelerate — remote access, centralizing control rooms, predictive maintenance, analytics, those sorts of things — cyber enables all those things to happen, even though you can’t see it,” Leipnik said. “Positioning cyber as a business enabler is one way to tackle that justification battle. But, yeah, I still see it time and time again. We’re not quite moved past it. But every day, every new attack, we chip away at it little by little. And things are a lot better than, say, five years ago, where we weren’t even having conversations about it.”
Watch for Part 2 of our interview with Nexus Controls’ Matt Leipnik in the coming weeks, where he will discuss building a cybersecurity culture, taking a risk-based approach and measuring toward goals. And check out our Industrial Cybersecurity Pulse YouTube page to view previous installments from our expert interview series.