There are at least three main aspects to consider when redesigning the organization, to create a strategy that allows organizations to reduce risk effectively.
The majority of large businesses have made significant strides in risk reduction over the past few years by defining their operational technology (OT) governance strategies. Aside from technological advancements, the key success factors are the governance programs’ organizational structure and operational efficiency. Most important is the fundamental idea that organizational structure determines strategy.
To define and carry out the OT strategy, CISOs and their security teams must work in tandem with OT engineering teams in organizations with a sizable footprint of cyber-physical systems (CPS). The devil is in the details when it comes to how they define and implement OT cybersecurity, even though most organizations have centralized governance and responsibility for it under the CISO.
Implementation specifics and organizational structure can range from having little to no “control” over the security team. Understanding each team’s boundaries and responsibilities clearly is crucial.
When redesigning the organization, there are at least three key factors to take into account in order to develop a strategy that will effectively reduce risk. These include budget, implementation, and ongoing reporting.
For OT cybersecurity projects, many businesses are moving toward centralizing budget allocation, but the actual details of this can vary greatly. At one extreme, the budget for OT cybersecurity projects might only be a cost center line item within the budget for the security team. The risk in this situation is that, because OT approval and implementation are necessary for project rollout, the budget may not be allocated in a timely manner. At the other extreme, each site has its own budget, which makes it difficult to govern with uniform benchmarks and prevents global rollouts and continuity across the attack surface. Whatever the budgeting procedure, organizations should make sure that it actually supports the team’s combined timelines and decision-making structure.
Because of the growing maturity of OT cybersecurity, the majority of organizations are at a point where they are aware of and in agreement with the categories of risk reduction they need to implement. The actual rollout and implementation are usually where the difficulties arise. Organizations must comprehend and agree on issues like access (both physical and remote) to the CPS and networks where new technologies are implemented.
The key to success is a very specific set of combined IT and OT skills, which are difficult to come by. Some businesses take the time and trouble to cross-train their teams or make an effort to hire from outside. Neither is a simple task. However, given the lack of talent in OT cybersecurity, cross-training might be more time- and cost-efficient. When deploying new technology, it is necessary to have someone who is knowledgeable about both the operational and practical aspects of the technology. Investing in current employees offers the chance for professional growth and has the added advantage of fostering relationships between teams.
Ongoing reporting is most likely the most significant factor. On an ongoing basis, firms need to be able to monitor the cyber posture of their CPS, overlay that information with the rest of the organization’s cyber posture, and then proceed to investigate incidents. Coordinating the flow of information is one aspect of the requirement; having a tier of SOC analysts who can triage alerts and who understand CPS sufficiently is another. Analysts also need access to OT engineers when a deeper understanding of those systems and their typical patterns is needed. Both the organizational structure and the informally developed relationships between the teams have an impact on connectivity and collaboration.
The most typical, efficient organizational structure entails a small, dedicated team within the security team that is tasked with collaborating closely with OT engineering and has varying degrees of authority in carrying out changes in the CPS environments (most often indirectly, with the help of the engineering team). This is typically implemented using a “two in a box” model, where each site’s implementation is shared by an OT engineer and a security engineer.
Although OT governance strategy and significant advancements in risk reduction are driven by formal organizational structure, an important success factor is the informal relationship between IT and OT organizations.