Getting executive commitment for your ICS cybersecurity program

“If you think technology can solve your security problems, then you don’t understand the technology, and you don’t understand the problem.” – Bruce Schneier

Security is often understood as a technical problem to be solved, but it is primarily a cultural commitment to achieve an outcome. In industry, we’re used to the idea of programs based on culture: for example, we build safety cultures to prevent harm to our employees, and quality cultures to prevent defects in our products. No matter how many safety policies and procedures you write, or how many hardhats and gloves you buy, none of it matters if people don’t follow the procedures or wear the equipment. There’s always an excuse to take a shortcut: time, money, fatigue, training, it’s too complicated, it’s too much trouble, no one is looking, nothing bad ever happened before … the list goes on and on. At the end of the day, it’s not merely the hardhat that keeps you safe, it’s the cultural commitment to wear one. And where do cultural commitments come from? The executives.

One major component of building a cybersecurity program is securing executive commitment. From an executive perspective, there are two primary obstacles. The first is that management needs help understanding the true nature of the risk. The focus is not on IT and the theft of personal information, which most people are already well aware of, but on operational technology (OT). Process facilities are being targeted and thousands of plants are impacted each year. Power grids have been shut down (the attacks on Ukraine’s grid in December 2015 and December 2016). Safety instrumented systems have been compromised (the TRITON malware discovered in a petrochemical plant’s safety controllers in 2017). Major companies have been shut down with losses totaling hundreds of millions of dollars (the 2017 NotPetya outbreak that halted operations at Maersk and Merck, among others). Life and safety are now at stake.

In today’s digital ecosystem everything is essentially connected to everything. There is no way to build a proverbial wall or magic force field around your systems. Your corporate networks and assets are connected, logically and physically, to your customers, partners, suppliers, and even competitors. The implementation of the industrial internet of things (IIoT) and cloud computing means your data and connections are everywhere.

Your safety program manages safety risk and your environmental program manages environmental risk, but there really is no such thing as ‘cyber risk’. No one is after your ‘cyber’. Rather, cyber is a pathway, a technique that can be exploited to put your entire company at risk (e.g., revenue, shareholder value, reputation, intellectual property, customers, supply chain, license to operate, and more). What we call cyber risk is an amplifier of all the other risks you already care about. Cybersecurity should not be viewed as a technology problem; it should be viewed as an enterprise risk management issue.

The second obstacle for executives is understanding how difficult the problem is to manage. You can’t buy a product that solves it, and people can’t implement the program part-time. The issue is also hard to see. After all, process facilities today look much the same as they did sixty years ago, when computers and software were not used at all. Today computers and software are ubiquitous throughout the plant, and as a result these facilities are far more complex, and far more exposed, than they appear. Simply managing it all is challenging enough; securing it all is more difficult still. It requires knowledge and commitment, and management needs to appreciate this in order to allocate appropriate resources. Just as environment, health and safety (EHS) and IT competencies and departments were added in the 1970s and 80s in response to changes in regulations and technology, cybersecurity now needs to become a competency with the same level of priority and support.

Using our proven Five Pillars of Cybersecurity methodology, aeSolutions can help you justify, design, document and implement your Industrial Cybersecurity Program.

Learn more at:

by Paul Rostick

aeSolutions CISO & Senior Principal Cybersecurity Advisor