Building a cybersecurity program, part 1: Getting executive commitment

by Paul Rostick

There are three significant challenges when building a cybersecurity program: 1) getting executive commitment, 2) building a security culture, and 3) understanding the relationship between resiliency and security. Let’s look at the first in more detail in this blog.

Getting executive commitment

From an executive perspective, there are two primary obstacles. The first is that management needs help in understanding the true nature of the risk. The focus is not on IT and the theft of personal information (which most people are already well aware of). The focus is on operational technology (OT). Process facilities are being targeted, and thousands of plants are impacted each year. Power grids have been shut down. Safety instrumented systems have been compromised. Major companies have been shut down with losses totaling hundreds of millions of dollars. Life and safety are now being put at risk.

In today’s digital ecosystem everything is essentially connected to everything. There is no way to build a proverbial wall or magic force field around your systems. Your corporate networks and assets are connected logically and physically to your customers, partners, suppliers, and even competitors. The implementation of the industrial internet of things (IIoT) and cloud computing means your data and connections are everywhere.

Your safety program manages safety risk and your environmental program manages environmental risk, but there really is no such thing as ‘cyber risk’. Cyber isn’t a thing that people are trying to steal. It’s a pathway, mechanism, or technique that can be exploited to put your entire company at risk (e.g., revenue, shareholder value, reputation, intellectual property, customers, supply chain, license to operate, and more). Cyber risk is an amplification of all the other risks that you already care about. Cybersecurity should not be viewed as a technology problem; it should be viewed as an enterprise risk management issue.

The second obstacle for executives is understanding how difficult the issue is to manage. You can’t buy a product to solve the problem, and people can’t implement the program part-time. The issue is difficult to see and understand. After all, process facilities today look much the same as they did sixty years ago. Back then, computers and software were not used. Today they are ubiquitous. As a result, things are exponentially more complicated and vulnerable now. Simply managing it all is challenging enough; securing it all is even more difficult. It requires knowledge and commitment. Management needs to appreciate this in order to allocate the appropriate resources. Just as environment, health and safety (EHS) and IT competencies and departments were added in the 1970s and 80s due to changes in regulations and technology, cybersecurity will now also need to be a competency with the same level of priority and support.

See our aeCyber Solutions page for more information.

Next week we’ll cover the challenges posed by building a security culture and understanding the relationship between resiliency and security.