Many experts say companies should spend between 10 and 15% of their annual information technology (IT) budget on cyber defense, but the reality is few companies are spending even that much. While most organizations understand that cybersecurity is essential in the modern climate, thanks to attacks like SolarWinds and JBS, some still struggle to justify the cost. So how do you get organizational buy-in for cybersecurity? And how do you scale cybersecurity efforts after that?
According to Matt Leipnik, lead industrial cybersecurity specialist for Nexus Controls, a Baker Hughes business, a lot of this comes down to simple communication. It’s essential to speak the language of the people you’re talking to. The business side doesn’t always respond to technical talk, while the operations side may not be moved by concepts like digital transformation.
In November, Leipnik sat down with us to discuss getting buy-in for cybersecurity, aligning to business goals and preparing for the worst. This is a transcript of Part 1 of his Expert Interview Series installment with Industrial Cybersecurity Pulse. It has been edited for clarity.
ICS Pulse: It can be hard to get the C-suite to buy into the need for increased cybersecurity, and especially an increased cybersecurity budget. How can you get buy-in from top-level executives and start promoting the importance of cyber defense throughout an organization?
Matt Leipnik: When we’re talking about other operational technology environments, it’s a very technical area. So the infrastructures, there’s a lot of technical terms. The processes are quite technical. It’s an engineering discipline. And if you think about it, the business management side of the organization is not necessarily as well versed or aligned to the engineering side of things as perhaps to the commercial side of things.
The worst thing you can do is go to the board and say, “Oh, there’s 3,000 threats more than there were last month, and SQL injection’s really, really bad for us.” They’re just going to go, “Well, 3,000 threats, what does that mean to me?”
So I think one of the key things is positioning the language. Using detailed technical terms and abbreviations and things like that, and trying to flip that into more, like, what is the direction of the business, understanding the goals of the business and then trying to tie the technical side of the business back to the business goals.
For example, a lot of the time, we’ll talk these days about digital transformation. So we could leverage digital transformation because the board or the senior management will generally understand that, and then we can tie the technical elements to how they align to digital transformation.
In the pandemic, we’ve seen a lot of people move to remote working, for example. Ultimately, that’s underpinned by security. Security has enabled that to happen, but that’s the kind of how. But what the business sees is the flexibility of being able to continue keeping the lights on, serving customers while everyone’s at home.
So that’s probably one of the key areas, and then it’s really about language and thinking about ways we can better explain the situation, taking the technical out of it, actually, and just thinking more common language or layman’s terms and then trying to align that so that everyone’s working toward the same mission.
The worst thing you can do is go to the board and say, “Oh, there’s 3,000 threats more than there were last month, and SQL injection’s really, really bad for us.” They’re just going to go, “Well, 3,000 threats, what does that mean to me?”
I think throwing statistics at them is not the way to start. Statistics and data underpin your argument, but really you’re sort of saying, “Look, if we do these things, we can achieve so much more as an organization.” That’s how we start to work toward getting the buy-in.
ICSP: In a larger organization where there might be a CISO and a CIO and a CTO, etc., how do you manage the conflict between those executives? Or at least define the roles and make sure all are in alignment to create a strong cyber defense?
Leipnik: It’s really probably one of the hardest areas, because what you’ll find is as an organization has evolved over time, responsibilities that are under the CTO should probably be under the CIO and they aren’t, and vice versa. Everyone has their patch that kind of gets built out as an organization grows over time.
One of the things we talk about on a technical level right at the start, if you look at something like the NIST Cybersecurity Framework, is identify. So I would look at that more from a business point of view as, like, what are the roles and responsibilities, and who should really have them? Who does do what, and who doesn’t do what?
Because that is often where the tension comes from, the communication between the silos, if you like, of those roles and their direct reports. And that actually lays the groundwork for things like incident response, because knowing who’s responsible for what when bad stuff happens is the key to managing an incident and reducing that kind of incident downtime.
Although it starts from, I would say, more like a human resources point of view of trying to understand who’s responsible and prioritizing those responsibilities in the right place — so depending on who’s got the resources and those sorts of things. And maybe even realigning the resources and then leveraging that, because, actually, it’s groundwork for things that you’ll do later when you dive deeper into a proper security strategy and things like response plans and response strategy.
ICSP: Is it an oversimplification to say that it really comes down to communication, that these people need to be talking to each other to make sure they know what their responsibilities are?
Leipnik: Yeah. I mean, that’s an interesting point, because we talk a lot about IT/OT (information technology/operational technology) convergence, and what we’re actually really seeing quite often is it’s not really one or the other coming together. Although you do get that, and it depends on the market that the company is in, the size of the organization. I’m not saying it doesn’t exist, but what we’re finding is, it’s not IT and OT. It’s just one of those, right?
So this idea of collaboration and trying to avoid this idea of silos coming together. Where, really, they’re not us and them. There is just one team, and working out how you can better position the organization from that side of view. Now, that might be taking some OT guys and rotating them into the IT security team for a bit, or taking the IT guys and having them spend some time in plant operations and production.
So they’re not seen as two different teams. They’re multidiscipline teams that you’re putting together to solve a single problem. Everyone’s trying to get to the same place. They’re all talking to each other, establishing common communication channels.
I mean, yeah, you’re right, a lot of our problems, if you like, are caused by poor communication. And that’s not just in business and industrial environments; that’s in life generally, as well, right? So, yeah, it is a very important factor and perhaps one of the first places we should probably start to look when we’re trying to iron our outlook out and formulate these kinds of ways to solve these things.
The cliche is, you don’t have an attack, and you never have a problem. But that’s unrealistic, and it’s never going to happen.
ICSP: Let’s assume you actually do get the buy-in that you need to create a strong cyber defense. How can you properly scale cybersecurity to get through those initial growing pains?
Leipnik: It’s a big question. We can probably cover this in multiple episodes, to be fair. I talked about identifying, leveraging something like the NIST Cybersecurity Framework, but I try to simplify it into three or four key areas, depending on how you view remote access.
But there’s the sort of hygiene piece of feeding and watering and nurturing the minimum basics you’ve got that you should be doing in your sleep, to be fair. Although people have not done them historically and are starting to wake up to that. Then you get this middle ground that I call hybrid, where you’re either introducing a visibility tool into your environment to, again, get a better awareness of what’s actually happening and what’s talking to what in a real-time view of what’s going on in your environment.
There are some growing pains associated with that, because what then happens is you get a load of alerts, and you don’t normally have the people that understand those alerts and have the time or resources or knowledge to necessarily handle them. You go through that growing pain, and then you come out the other side, and then that’s where you can start to look at moving from a kind of reactive approach to cybersecurity to a more proactive sort of holistic view.
Now, to manage the resources through that is quite tricky. So, again, that’s where you have things like the IT and the OT team being one team, relying on additional resources either from a third-party supplier or a services point of view. For example, we provide industrial managed services and industrial security operations center, so leveraging your IT security operations center and upskilling and training and bringing resources into that to then cover OT.
Then, over time, you need a plan, really, of how you’re going to bring that resource up, and that’s going to be different things to what you normally have today. So things like more Windows admin-type skills, virtualization experience, programming skills for things like scripting and those sorts of things, which aren’t naturally skills that you might have from what we see. Typically, a lot of organizations are taking their existing plant operations and engineers and trying to give them the additional responsibility of security, as well.
And OT security is a very fast market at the moment. There’s not a great deal of people in the space to go and hire, and that’s difficult, as well. So you’ve got to think about how you manage that gap until you either can hire or can upskill your existing people, processes of technology. How you’re going to augment that while you grow and learn.
Some organizations just will outsource their stuff and that will be it. Some will start on an outsource basis and then, as they mature and grow over time, they start to take that stuff back in-house, and then they can obviously scale and make that a bit more efficient from there.
But the key is flexibility and building off of what you’ve got without trying to throw it all out and start again. You can leverage your existing culture, especially in industrial because we’re coming from that health and safety point of view. Cyber is a nice extension of health and safety culture. So it’s perhaps easier sometimes to get the OT side of the organization more cyber ready than to try and get the IT cyber part of the organization more OT ready.
ICSP: In a perfect world, what does the design or structure look like that offers the most bang for your buck?
Leipnik: You’re asking big questions. Well, you’re supposed to start at identify, but I always argue you start at recover, because we know what it’s like. In large organizations, you have to get budget. You have to get people re-signed. It might be six months before you actually start to make some headway on something, and in those six months, you can still get compromised.
I like to say, really good backups that you test — the hygiene aspects that I talked about. Then, really, it’s taking a visibility tool that starts to tell you what you have, and then you want to bring on something like a security event incident management tool on top of that. That then gives you context.
So now you’re saying, “This bad thing has happened. How does it apply to our environment? What do we go and do first, in what order, and in what priority do we start to take action?” That’s a really nice place to be. And then the nirvana would be that you can start to automate some of that stuff, the volume stuff can be automated.
Ultimately, I think success, really, is your ability where you can handle anything that’s thrown at you, and you’re not bursting the seams when it comes to not having enough people or not having enough time. You’re effectively prepared, even though you don’t know what the day will unfold and give you. But whatever happens, you know if that crops up, we know what to go and do next. If this crops up, we know that we need to go and do that. That’s success for me.
The cliche is, you don’t have an attack, and you never have a problem. But that’s unrealistic, and it’s never going to happen. So you just need to be, for me, prepared for anything. You’ve pre-planned that, and you’ve thought it through. I think a lot of people still get caught out because they’ve not done that. Even tabletop exercises — it’s really simple to do, but what could happen to us over the next 12 months? So what happens if that happens? Whose responsibility is it?
I’ve had people around the table where it was like, “Well, I thought you would look after that.”
It’s like, “No, no, that’s your responsibility.” It would’ve fallen down a gap. And, obviously, gaps cost time, and time extends the outage, which extends the cost of the outage, and so on and so forth. So, for me, it’s about preparedness.
Linking it back to things that we want to do in the business that maybe we can accelerate — remote access, centralizing control rooms, predictive maintenance, analytics, those sorts of things — cyber enables all those things to happen, even though you can’t see it.
ICSP: People like to say, “Well, if I were on the Titanic, I would’ve done … .” But it’s hard to know what you will do when the systems break down, and there’s chaos around you. So having that plan in place makes a lot of sense.
Leipnik: It is really random. Obviously, on the Titanic, one of the things they would never have potentially modeled would’ve been running into an iceberg. We’ve got incidents of late where we wouldn’t have expected drones to be flown into a plant to cause damage. And then there’s the left-field threat. So you’ve got the normalized threats where you can come up with them, and then you have to start sort of war-gaming the outliers, but it’s a worthwhile activity.
ICSP: We’ll close this out by going back to buy-in. Most companies probably recognize at this point that there is a need for a cybersecurity budget. Are we now finally past the point where companies have to continue justifying the need for it and can just get down to the business of solving problems, or do you think we’re still in that early phase where the justification part is necessary?
Leipnik: It’s difficult because a lot of it’s tied to the size and maturity of the organization. I think there’s a lot less justification in an international oil company, for example, than there is in a small, single-state power generation company or something like that.
But with Colonial especially, everyone’s finally woken up and realized they’ve got to do something about it. I think the justification piece is still a big hurdle. But as I said at the start, linking it back to things that we want to do in the business that maybe we can accelerate — remote access, centralizing control rooms, predictive maintenance, analytics, those sorts of things — cyber enables all those things to happen, even though you can’t see it.
Positioning cyber as a business enabler is one way to tackle that justification battle. But, yeah, I still see it time and time again. We’re not quite moved past it. But every day, every new attack, we chip away at it little by little, and things are a lot better than, say, five years ago, where we weren’t even having conversations about it.
Do you have experience and expertise with the topics mentioned in this article? You should consider contributing content to our CFE Media editorial team and getting the recognition you and your company deserve. Click here to start this process.
