In partnership with

Table of Contents

• CIO’s / CTO’s Guide to IT & OT/ICS Cyber Resilienc …

• Building Blocks of Cyber Resilience Strategy

  • Accelerated Cyber Resilience Strategy

    • High-Value Strategies

    • Risks to Cyber Resilience Program

      • Process to Managing Cyber Resilience Program Risks …

  • Setting Up for Program Success:

    • Successful Cybersecurity & Resilience transformati …

• Ways in which I can help?

• Curated References as additional Guidance

• My Recent Most Viewed Posts:

• My Asks

Hi Securing Things Community,

A common question that comes up often in conversations with CIO’s, CTO’s & IT Managers / team leads (that don’t have a CISO function within their environments) and or even by new CISOs is;

Where and how do I start with my IT & OT/ICS Cybersecurity & Resilience Transformation Program journey? 

In this newsletter edition, I’ll be sharing an example approach, that CIOs, CTOs or CXOs (charged with cyber resilience) can take to start Securing Things for a resilient business environment, some of my previous guidance that CXO’s may find useful. In addition, many curated guidance for CxOs, my most viewed social media posts (in case you’ve missed), and my asks.

Ready to tackle the Cybersecurity & Resilience Transformation Program elephant in the room? Yes?

Let’s dive in.

The Daily Newsletter for Intellectually Curious Readers

• We scour 100+ sources daily

• Read by CEOs, scientists, business owners and more

• 3.5 million subscribers

Sign up today!

CIO’s / CTO’s Guide to IT & OT/ICS Cyber Resilience

To define and build a High-Value IT & OT/ICS Cybersecurity & Resilience Strategy, it is important to build trust of stakeholders, deliver value and be able to showcase the value delivered.

Cyber Resilience can be defined as the readiness, visibility and measurement for defending, responding and recovering from an attack.

Other great definitions are:

• IT Governance UK: Cyber resilience is the ability to prepare for, respond to and recover from cyber attacks. It helps an organisation protect against cyber risks, defend against and limit the severity of attacks, and ensure its continued survival despite an attack.

• World Economic Forum: Cyber Resilience, as an additional dimension of cyber risk management , the ability of systems and organisations to develop and execute long-term strategy to withstand cyber events; particularly, it is measured by the combination of mean time to failure and mean time to recovery.

Building Blocks of Cyber Resilience Strategy

The foundational pillars are:

• Readiness - Contextual situational awareness | strong protection |

  robust detection | rapid response | effective recovery strategy

• Knowing - Visibility | Risk Profiles | Measurement | Adapting to Change.

• Stakeholder trust - Governance | transparency | engagement | clear and effective communications.

Accelerated Cyber Resilience Strategy

So why do we need an accelerated strategy?

Businesses in order to stay competitive and productive, with dynamic and fast changing business needs, are experiencing:

• an accelerated pace of digital transformation based on technology driven innovation for highly connected environments.

• an increased cyber threat landscape due to adversaries using sophisticated techniques

• an ever expanding expectations by different stakeholders e.g.,

  • Boards & executives - asking more questions & engaged.

  • Regulators - putting stricter mandates, fines & penalties.

  • Customers - demanding high level of security for their information.

Almost every organisations that gives importance to Data as its primary commodity, essentially “Connect”, “Collect” → “Store” → “Process” → Analyse → drive insights and intelligence → for real-time analysis from board room to the shop / factory floor.

Here’s a list of Key elements of an accelerated Cybersecurity & Resilience Strategy that the CIOs or CTO;s or CISO's leadership team can adapt:

1. Understand the business needs.

2. Understand the requirements from internal and external stakeholders:

   • Internal = Board, CEO & executive management, IT & business management, finance, risk, audit & compliance, HR, or legal.

   • External = customers, regulators, suppliers & partners.

3. Factor in business strategy, Risks, legal / regulatory compliance, cost and or capability maturity to:

   • Assess Current state - Where are we now at present?

   • Define Target state - Where do we want to be in future?

   • Outline Strategy Execution - What’s the best / fastest way to reach the target state?

   • Figure out the roadmap & budget - How do we best do it?

   • Measure and track - on an on-going basis.

4. Use an agile approach to reach the target state by:

   • performing rapid assessment

   • building a prioritisation focus, flexible and adaptable strategy

   • take on tasks with an iterative rapid cycles to accelerate towards building cyber resilience.

5. Focus on foundational controls firsts - do we have all basics in place? e.g.:

   • Crown jewels assets identified across cloud, 3rd party & internal.

   • MFA for all critical assets and services

   • Visibility and control of privilege access

   • Attack Surface Management (all externally exposed apps / IP addresses)

   • No direct external connections to/from OT/ICS environments

   • Patching and Configuration Hardening (all critical assets)

   • Network Security Monitoring / OT Anomaly Detection / IDS

   • Vulnerability scans & Penetration Testing

   • Incident Response Plans

6. Engage business stakeholders to identify how cybersecurity can be an enabler for business growth (e.g., new markets, new customers, increasing sales, new products / services, M&As, safety & reliability etc.).

7. Understand and highlight key strategic value drivers for the business (e.g., increase revenue, reduce costs, reduce risks or reduce perception of risk):

   • Risk Management (assess, mitigate, transfer, accept) & measure risk reduction, ensure regulatory compliance.

   • Business & Security Transformation practices e.g. cost reduction via automation, outsourcing and or integrating security into new processes.

   • Stakeholder communications to reduce risk (e.g. meeting regulatory requirements and or investor risk expectations) to reduce perceived risk.

8. Measure value of Cyber resilience strategy, using risk reduction lens, choose highest value strategies, via the fastest route possible, by maturity curve, organisational synergies and speed.

High-Value Strategies

Example of High-value strategies for both IT & OT/ICS are (but not limited to):

• Crown jewels asset prioritisation

• Reducing Attack surface

• Develop high digital fluency for a cyber-savvy workforce

• Securing digital transformation initiatives

• Managing third-party risks

• Embedding Cyber Resilience within Safety & Reliability efforts

• Cyber insurance and more.

Risks to Cyber Resilience Program 

Following is a list of potential risks (but not limited) to Cyber Resilience Program Delivery:

• Absence of a defined & documented Strategy and or a Roadmap.

• Absence and lack of focus on crown jewels / critical assets.

• Technology/solution based approach and budget overspend, in hopes that it’ll be sufficient to address all security gaps within the organisation.

• Fixation on building a silver bullet solution.

• Initiating intrusive activities that requires or causes downtime on the production side at the start of program.

• Underestimating effort required for integrating products into the current core infrastructure based on organisational complexity.

• Not factoring in changes that maybe needed to the business processes.

• Inability to demonstrate benefits realisation for risk reduction and progress over time due to inadequate measurement.

• Underestimating cost for remediation and also both for implementing and operating security solutions.

Process to Managing Cyber Resilience Program Risks:

A text book, traditional approach would be:

• Identify, Assess and Respond. A linear cycle, as to complete one step and move on to the next.

On the contrary, an Agile Program approach is recommended, which includes:

• Identifying top 5-10 riskiest assumptions, for IT & OT/ICS each, based on potential impact and on value to be delivered.

• Agree on validation and mitigation plan with stakeholders.

• Test / validate / mitigate → measure → Learn and adapt.

• Ensuring governance checkpoints in between each cycle.

Setting Up for Program Success:

Remember, there’s no magic silver bullet (we’ve to do the grunt work required), and we need to develop proven processes, make them suitable to work for the environment and lastly, getting all stakeholders on board (it’s a team sport so stronger together).

Following are essential steps to enabling yours and success of the program:

• Engagement with Key Stakeholders:

  • Identify requirements, needs and understand their perspective.

  • EII - Educate | Inform | Influence - Use the Automation Stack (all layers from Cloud to PLC)

  • Building trusts with on-going communications.

• Setup a governance committee/working group with representatives from:

  • IT

  • Key business units

  • OT/ICS engineering teams, Maintenance

  • Plant Managers

  • Finance

  • Risk - enterprise / operational risk

  • Audit & Compliance

  • Procurement

  • Quality Control

  • Legal

  • Key external stakeholders e.g. OEMs, SI responsible for ensuring production run time.

• Focus on Quick Wins first:

  • Actions delivering immediate risk reduction

  • Testing your defences (i.e. people, process & technology).

• Securing budget and Resources:

  • understand your budgeting process and cycles.

  • capex vs. opex

  • Governance Committees

  • know who are the key stakeholders and decision makers

  • resource approval processes

  • Decision process and criteria.

Successful Cybersecurity & Resilience transformation

Key success factors would include (but not limited to):

• Strategy aligned roadmap execution.

• Executive Management & board buy-in for a funded program

• Get an influential executive / c-suite to sponsor the program

• Focus on Prioritising for risk reduction

• Focus on crown jewels assets.

• Build a solid baseline. (use passive discovery approach initially on OT/ICS side)

• Agile delivery showing incremental value.

• Manage impact on change and people.

• Accept that things may change or go wrong, adapt and adjust accordingly.

• Target both cybersecurity and cyber resilience.

There’s definitely lots more to unpack and cover on the subject. More on this later in future posts.

Comment below to add anything critical that I have missed.  

Good luck with your strategy and program. 

Ways in which I can help?

Whenever you are ready - I can help you / your organizations’ or your customers’, with Cybersecurity & Resilience Strategy and Transformation Program journey via following services (A, B and C) for:

• Developing - in case if you don’t have one.

• Reviewing - in case you have an year + old one but haven’t revisited or got it independently reviewed.

• Update, Improve or mature - in case you feel that its either not working or don’t have a comprehensive one.

A - IT & OT Cybersecurity Advisory / Consulting services 

• vCISO / fractional CISO or CISO security advisor services, GRC, Assessments / Reviews / Gap Analysis, Advisory, Strategy, Security / AI Policy or standards development, ISO 27001, PCI DSS and other frameworks, architectural reviews, configuration hardening for IT & OT cybersecurity engagements.

B - IT & OT Cybersecurity Trainings & Education

• Security Awareness Training & Phishing Awareness Portal for general security awareness. Start your cybersecurity journey with a free cyber heath check / questionnaire based review that would help in building a cybersecurity roadmap and security awareness program.

• Securing Things Academy (STA) - Training, Coaching and digital downloads for IT & OT Practitioners - pre-launch coming soon.

C - Providing regular monthly insights on IT & OT Cybersecurity

• Securing Things Newsletter - providing insights and educational content on IT / OT / IOT / IIOT cyber-physical and AI security.

Reach out at info[at]securingthings[dot].com or DM me via LinkedIn.

Curated References as additional Guidance

Below is a sample list of curated free references available as further guidance:

Do subscribe to ensure that you don’t miss out future posts.

My Recent Most Viewed Posts:

In case you’ve missed - here are some of my recent most viewed social posts.

• CISO’s Guide to AI - 12 Steps, CISOs should take to address AI related cybersecurity risks.

• Defending OT with ATT&CK - provides a customized collection of MITRE ATT&CK® techniques tailored to the attack surface and threat model for OT environments.

• Assessment Slips to Discovery - 3rd in series - Chronicles of Cybersecurity Consulting.

• Use of AI in Cybersecurity - insights, guidance, news, certain cybersecurity tools and all. To be updated further in future.

• Poll on Crowdstrike / Microsoft BSOD incident causing widespread disruption to businesses worldwide on 19th July 2024.

• Getting started in IT & OT Cybersecurity - a blueprint / framework to 2x / 5x / 10x your cybersecurity career. Links in comments of the above post.

• Internal Audit and IT & OT Cybersecurity Program - suggested approach for an internal audit team towards building their knowledge / skill base and be able to ask relevant questions towards an IT & OT Cybersecurity / transformation programs activities.

My Asks

I invite #SecuringThings community to share their feedback.

Your feedback and input is invaluable to me as we work together to strengthen our cybersecurity defenses and create a safer and smarter digital society. Thank you for your trust and continued support.

Do register, validate your email, and request login link to submit poll to be able to enter a chance to win a future course giveaway.

Thanks for reading - until next edition!

It’s a Great Day to Start Securing Things for a Smart & Safer Society.

Take care and Best Regards,

M. Yousuf Faisal.

Follow: #securingthings on LinkedIn | @securingthings on X/Twitter & YouTube.