There have been many papers and blogs written recently about how to ask your chief information security officer (CISO) for a cybersecurity budget or how operational technology (OT) personnel should engage with CISOs to ensure funding for their security programs. These topics paint a vivid portrait of a cybersecurity house divided. Unfortunately, two decades of OT cybersecurity evangelization by industry leaders and an onslaught of OT security startups have not made the conversations easier. Instead of speaking the same universal language, we still resemble information technology (IT) and OT teams struggling in the aftermath of the fall of the Tower of Babel.
Challenges for getting an OT cybersecurity budget
To understand how OT engineers should engage with a CISO for a security budget, we first need to consider why this is even an issue at all. There was a time when OT was not even on the security roadmap. Then Stuxnet, NotPetya, and the recent ransomware attack on Colonial Pipeline happened. As a result, the CISO has had a crash course on OT’s importance to their business and on the lack of visibility into OT environments within the enterprise cybersecurity stack, forcing two siloed teams to work together.
This forced interaction is not an easy one, with both parties playing it close to the vest. These new relationships may cause the OT engineer some consternation, as they may look at it as a loss of oversight or control. The CISO initially may be caught off guard by how unbound the problem set is and with the overall lack of standard security controls in OT that are typically found in the enterprise. This is where the engagement can become messy if the OT engineer and CISO don’t look at each other as partners, but rather as political adversaries.
Setting aside the soft issues of group dynamics, there are other obstacles to extracting a cybersecurity budget for OT. Up until now the OT engineer has more than likely dealt with engineering problems that can be quantified and prioritized. For example, if you do X you can expect to avoid running so many dollars of on-demand generation, or you can run a transmission line at this long-term emergency (LTE) limit for 24 hours without impacting grid operation.
How do you change the mindset of basing all decisions on well-established data and operational practices, when the case for OT security spending is based on limited probability and risk exposure data? One of the biggest inhibitors to OT spending has been the risk equation and the data inputs available. What happens when the probability is viewed as negligible, and the impact is undefined?
This issue isn’t just an OT engineer and CISO problem. The entire C-suite has often been reluctant to invest in cybersecurity projects. Until recently, executives could focus on operating the business and returning shareholder value, which is the primary goal of any company, to the chagrin of many working in IT security organizations. Executives were further emboldened by the fact that in most cases OT security failures had yet to impact their business unit or overall operations.
In these scenarios, requesting a security budget from an executive was often a losing battle. The problem is that exploits such as ransomware, which were once just an unlikely nuisance to individuals or randomly targeted companies, have started to become pervasive across industries, and attacks that were solely IT-focused have now famously started to impact OT operations.
Three ways to make the case for OT cybersecurity spending
Let’s start with how you shouldn’t start the conversation with the CISO. Do not try to convey to the CISO that they don’t understand OT or that OT cybersecurity is drastically different from IT. Even though at my core I’m an OT engineer, I know there is no difference between the two once assets have been IP-enabled. Maybe OT processes are more critical, the protocols are less understood, and the hardware that supports our most critical infrastructure is old and unpatchable. But once you get past that, it’s still IT; it’s still network equipment; and it’s still servers and hosts.
Here are some tips on how you should make the case:
1. Focus on risk reduction benefits. Don’t frame the problem as a technical one that just needs an additional tool. Not all OT cybersecurity issues are going to be solved by purchasing another point solution. Frame the problem as a risk to the business. Speak in terms of risk reduction. Leverage real-world events and use those events and their data to start creating a risk framework. Remember Risk = Likelihood x Impact. Unfortunately, likelihood is increasing, and we are painfully starting to realize the true impact of a cyber incident in the form of ransom payments, loss of operational revenue, and increased cyber insurance premiums. These values are becoming better known, which means the organizational risk can be better defined.
2. Propose a concrete plan. Break the proposed solution down across tactical and strategic phases. Identify areas where improvements can be inserted into projects that have already been started. Show the CISO that you understand your business area, how it impacts the larger organization, and how investments today will have cost-reduction benefits tomorrow.
3. Be human. In the end, we’re not a C-level position, or an engineer, or two opposing factions. We’re just people. If we can approach the OT cybersecurity budget issue with a mutual respect for each other and understand that we are both looking out for the best interests of the company, the conversation on how to reduce risk across the OT landscape should be a fairly easy and productive one.