Broaching IoT and OT security conversations can be a tough proposition at any time. Even in organizations that have experienced a cyberattack, board members and management teams often choose the middle path when it comes to preparing a roadmap to keep their businesses secure and risk-free. This path involves complying with basic regulations, ramping cybersecurity up a few notches, and patching core systems. Building a culture of IoT and OT security is a different game plan altogether, and even the most technically mature organizations often find it difficult to tread a proactive path when it comes to securing their infrastructure.
So how can CISOs initiate a conversation on expanding their IoT and OT security investments in such a situation?
Understand organizational dynamics
Sometimes, CISOs may be part of an organizational hierarchy that places a layer of leadership between them and the board. Decision-making may be a diffused or concentrated affair, and there may be levels of bureaucracy involved. To make IoT and OT security decisions more acceptable, CISOs need to have strong relationships across levels. They should also be good listeners and be receptive to ideas emerging from various corners of the organization. You never know where your next idea might come from, and if it comes from within your larger organization, you already have a champion who can work with you to realize the idea.
Data always helps
With more information on threats and breaches being available on the net, you can always quote these sources in your conversations to build a case for improving your facility and enterprise-level cybersecurity measures. Without data, a pitch will not develop legs; it will stay confined to the presentation deck it belongs to, and the idea will never see the light of day. Your pitch must be bold but wrapped in messaging that will resonate.
Gathering and presenting data on the possible level of disruption at various scales will also help. Threat and cyber risk modeling can help in this context.
Rope in competition
Many organizations do speak a lot about IoT and OT security as a priority item in their business agenda. If your competition is already talking about compliance, then you need to do so as well. Compliance is also a requirement for participation in many large projects and companies can be disqualified at the bid level itself if they do not comply with many cybersecurity mandates. This can be a powerful aid to help you push for a wider cybersecurity agenda.
Lead by compliance
Many IoT and OT security mandates are advisory in nature. However, this year many of those may become compulsory as governments are increasingly asking businesses to improve their IoT and OT security measures. By taking a lead on compliance, you will be able to build more consensus around cybersecurity measures and improve awareness as well. NIST standards, IEC 62443, and several state and regional standards can be considered.
Don’t lose sight of the trees for the forest
People lie at the heart of every cybersecurity measure. While teams may come on board early, individuals may resist or show less inclination to adopt voluntary measures. It is therefore essential for you to keep all employees engaged through periodic advisories, one-on-one discussions, or through actual demos to get them to become more serious about IoT and OT security. As employees take the lead, they will help you build a context to push for more IoT and OT security investments.
Work with the board to set cybersecurity goals
This could include compliance measures and business measures to improve cybersecurity. Measures that could be considered as part of these goals include:
- Operating with the right threat intelligence for your IoT and OT deployments
- Compliance with the right set of cybersecurity standards
- Segmenting networks to improve visibility into network activity
- Keeping track of all connected assets at all times
- Establishing cyber decoys to deflect cyberattacks
- Identifying and fixing vulnerabilities
These tactics could be coupled or bundled together into a larger goal.