CIO / CTO's Guide to IT & OT/ICS Cyber Resilience & Transformation Program

[Securing Things by M. Yousuf Faisal]


Disclaimer: All views presented here, in this newsletter, are my own.

Neither the author nor the newsletter is liable for any actions taken by any individual, organisation, business or entity. The information provided is for education and awareness purposes only and is not specific to any business or situation.

M. Yousuf Faisal


Hi Securing Things Community,

A common question that comes up often in conversations with CIOs, CTOs and IT managers / team leads (who don’t have a CISO function within their environments), and even with new CISOs, is:

Where and how do I start my IT & OT/ICS Cybersecurity & Resilience Transformation Program journey?

In this newsletter edition, I’ll be sharing an example approach that CIOs, CTOs or CXOs (charged with cyber resilience) can take to start Securing Things for a resilient business environment, along with some of my previous guidance that CXOs may find useful. In addition, you’ll find curated guidance for CxOs, my most viewed social media posts (in case you’ve missed them), and my asks.

Ready to tackle the Cybersecurity & Resilience Transformation Program elephant in the room? Yes?

Let’s dive in.

Special Message:

Before we begin, do me a favour and make sure you hit the “Subscribe” button to let me know that you care and keep me motivated to publish more. Thanks!

Note: remember to validate your email address to ensure that you don’t miss any future newsletter editions.


CIO’s / CTO’s Guide to IT & OT/ICS Cyber Resilience

To define and build a high-value IT & OT/ICS Cybersecurity & Resilience Strategy, it is important to build stakeholder trust, deliver value, and be able to showcase the value delivered.

Cyber Resilience can be defined as the readiness, visibility and measurement for defending, responding and recovering from an attack.

Other great definitions are:

  • IT Governance UK: Cyber resilience is the ability to prepare for, respond to and recover from cyber attacks. It helps an organisation protect against cyber risks, defend against and limit the severity of attacks, and ensure its continued survival despite an attack.

  • World Economic Forum: Cyber Resilience, as an additional dimension of cyber risk management, is the ability of systems and organisations to develop and execute long-term strategy to withstand cyber events; particularly, it is measured by the combination of mean time to failure and mean time to recovery.

Building Blocks of Cyber Resilience Strategy

The foundational pillars are:

  • Readiness - Contextual situational awareness | strong protection | robust detection | rapid response | effective recovery strategy.

  • Knowing - Visibility | Risk Profiles | Measurement | Adapting to Change.

  • Stakeholder trust - Governance | transparency | engagement | clear and effective communications.

Accelerated Cyber Resilience Strategy

So why do we need an accelerated strategy?

In order to stay competitive and productive in the face of dynamic and fast-changing business needs, businesses are experiencing:

  • an accelerated pace of digital transformation, driven by technology innovation for highly connected environments.

  • an increased cyber threat landscape, with adversaries using sophisticated techniques.

  • ever-expanding expectations from different stakeholders, e.g.,

    • Boards & executives - asking more questions & engaged.

    • Regulators - putting stricter mandates, fines & penalties.

    • Customers - demanding high level of security for their information.

Almost every organisation that treats data as its primary commodity essentially follows the same chain: “Connect” → “Collect” → “Store” → “Process” → Analyse → drive insights and intelligence → real-time analysis from the board room to the shop / factory floor.

Here’s a list of key elements of an accelerated Cybersecurity & Resilience Strategy that a CIO’s, CTO’s or CISO’s leadership team can adapt:

  1. Understand the business needs.

  2. Understand the requirements from internal and external stakeholders:

    • Internal = Board, CEO & executive management, IT & business management, finance, risk, audit & compliance, HR, or legal.

    • External = customers, regulators, suppliers & partners.

  3. Factor in business strategy, risks, legal / regulatory compliance, cost and capability maturity to:

    • Assess Current state - Where are we now at present?

    • Define Target state - Where do we want to be in future?

    • Outline Strategy Execution - What’s the best / fastest way to reach the target state?

    • Figure out the roadmap & budget - How do we best do it?

    • Measure and track - on an on-going basis.

  4. Use an agile approach to reach the target state by:

    • performing rapid assessments

    • building a prioritised, flexible and adaptable strategy

    • taking on tasks in rapid, iterative cycles to accelerate towards building cyber resilience.

  5. Focus on foundational controls first - do we have all the basics in place? e.g.:

    • Crown jewels assets identified across cloud, 3rd party & internal.

    • MFA for all critical assets and services

    • Visibility and control of privileged access

    • Attack Surface Management (all externally exposed apps / IP addresses)

    • No direct external connections to/from OT/ICS environments

    • Patching and Configuration Hardening (all critical assets)

    • Network Security Monitoring / OT Anomaly Detection / IDS

    • Vulnerability scans & Penetration Testing

    • Incident Response Plans

  6. Engage business stakeholders to identify how cybersecurity can be an enabler for business growth (e.g., new markets, new customers, increasing sales, new products / services, M&As, safety & reliability etc.).

  7. Understand and highlight key strategic value drivers for the business (e.g., increase revenue, reduce costs, reduce risks or reduce perception of risk):

    • Risk Management (assess, mitigate, transfer, accept) & measure risk reduction, ensure regulatory compliance.

    • Business & Security Transformation practices e.g. cost reduction via automation, outsourcing and or integrating security into new processes.

    • Stakeholder communications to reduce risk (e.g. meeting regulatory requirements and or investor risk expectations) to reduce perceived risk.

  8. Measure the value of the Cyber Resilience Strategy through a risk reduction lens, and choose the highest-value strategies that can be delivered via the fastest route possible, taking into account the maturity curve, organisational synergies and speed.

High-Value Strategies

Examples of high-value strategies for both IT & OT/ICS include (but are not limited to):

  • Crown jewels asset prioritisation

  • Reducing Attack surface

  • Develop high digital fluency for a cyber-savvy workforce

  • Securing digital transformation initiatives

  • Managing third-party risks

  • Embedding Cyber Resilience within Safety & Reliability efforts

  • Cyber insurance and more.

Risks to Cyber Resilience Program

Following is a list of potential risks (but not limited to these) to Cyber Resilience Program delivery:

  • Absence of a defined & documented Strategy and or a Roadmap.

  • Absence and lack of focus on crown jewels / critical assets.

  • A technology/solution-based approach and budget overspend, in the hope that it will be sufficient to address all security gaps within the organisation.

  • Fixation on building a silver bullet solution.

  • Initiating intrusive activities that require or cause downtime on the production side at the start of the program.

  • Underestimating effort required for integrating products into the current core infrastructure based on organisational complexity.

  • Not factoring in changes that may be needed to the business processes.

  • Inability to demonstrate benefits realisation for risk reduction and progress over time due to inadequate measurement.

  • Underestimating the cost of remediation, as well as the cost of both implementing and operating security solutions.

Process to Managing Cyber Resilience Program Risks:

A textbook, traditional approach would be:

  • Identify, Assess and Respond: a linear cycle, where you complete one step and move on to the next.

On the contrary, an Agile Program approach is recommended, which includes:

  • Identifying the top 5-10 riskiest assumptions, for IT & OT/ICS each, based on potential impact and on the value to be delivered.

  • Agree on validation and mitigation plan with stakeholders.

  • Test / validate / mitigate → measure → Learn and adapt.

  • Ensuring governance checkpoints in between each cycle.

Setting Up for Program Success:

Remember, there’s no magic silver bullet (we have to do the grunt work required). We need to develop proven processes, adapt them to work for the environment and, lastly, get all stakeholders on board (it’s a team sport, so we are stronger together).

Following are essential steps to enabling your success and the success of the program:

  • Engagement with Key Stakeholders:

    • Identify requirements, needs and understand their perspective.

    • EII - Educate | Inform | Influence - Use the Automation Stack (all layers from Cloud to PLC)

    • Building trust with on-going communications.

  • Setup a governance committee/working group with representatives from:

    • IT

    • Key business units

    • OT/ICS engineering teams, Maintenance

    • Plant Managers

    • Finance

    • Risk - enterprise / operational risk

    • Audit & Compliance

    • Procurement

    • Quality Control

    • Legal

    • Key external stakeholders, e.g. OEMs and system integrators (SIs) responsible for ensuring production run time.

  • Focus on Quick Wins first:

    • Actions delivering immediate risk reduction

    • Testing your defences (i.e. people, process & technology).

  • Securing budget and Resources:

    • Understand your budgeting process and cycles.

    • Capex vs. opex.

    • Governance committees.

    • Know who the key stakeholders and decision makers are.

    • Resource approval processes.

    • Decision process and criteria.

Successful Cybersecurity & Resilience transformation

Key success factors include (but are not limited to):

  • Strategy aligned roadmap execution.

  • Executive Management & board buy-in for a funded program

  • Get an influential executive / c-suite to sponsor the program

  • Focus on Prioritising for risk reduction

  • Focus on crown jewels assets.

  • Build a solid baseline (use a passive discovery approach initially on the OT/ICS side, so that asset discovery itself does not disrupt production).

  • Agile delivery showing incremental value.

  • Manage impact on change and people.

  • Accept that things may change or go wrong, adapt and adjust accordingly.

  • Target both cybersecurity and cyber resilience.

There’s definitely lots more to unpack and cover on the subject. More on this later in future posts.

Comment below to add anything critical that I have missed.  

Good luck with your strategy and program. 

Ways in which I can help?

Whenever you are ready - I can help you, your organisation or your customers with the Cybersecurity & Resilience Strategy and Transformation Program journey via the following services (A, B and C), for:

  • Developing - in case you don’t have one.

  • Reviewing - in case you have one that is a year or more old but haven’t revisited it or had it independently reviewed.

  • Updating, improving or maturing - in case you feel that it is either not working or not comprehensive.

  • vCISO / fractional CISO or CISO security advisor services, GRC, Assessments / Reviews / Gap Analysis, Advisory, Strategy, Security / AI Policy or standards development, ISO 27001, PCI DSS and other frameworks, architectural reviews, configuration hardening for IT & OT cybersecurity engagements.

B - IT & OT Cybersecurity Trainings & Education

C - Providing regular monthly insights on IT & OT Cybersecurity

Reach out at info[at]securingthings[dot].com or DM me via LinkedIn.

Curated References as additional Guidance

Below is a sample list of curated free references available as further guidance:


Do subscribe to ensure that you don’t miss out future posts.

My Recent Most Viewed Posts:

In case you’ve missed them - here are some of my recent most viewed social posts.

My Asks

I invite #SecuringThings community to share their feedback.

Rate the newsletter content

Did you find the content valuable?


Your feedback and input are invaluable to me as we work together to strengthen our cybersecurity defenses and create a safer and smarter digital society. Thank you for your trust and continued support.

Do register, validate your email, and request a login link to submit the poll, for a chance to win a future course giveaway.

Thanks for reading - until next edition!

It’s a Great Day to Start Securing Things for a Smart & Safer Society.

Take care and Best Regards,

M. Yousuf Faisal.

Follow: #securingthings on LinkedIn | @securingthings on X/Twitter & YouTube.
