IT & OT/ICS Cybersecurity & Resilience Transformation Program

CISO, CIO, CTO, CXO's Guide to Cybersecurity & Resilience Transformation Program [Securing Things by M. Yousuf Faisal]

Disclaimer: All views presented here, in this newsletter, are my own.

Neither the author nor the newsletter is liable for any actions taken by any individual or any organization / business / entity. The information provided is for education and awareness purposes only and is not specific to any business and/or situation.

M. Yousuf Faisal

Hi Securing Things Community,

A common question that comes up often in conversations with CIOs, CTOs & IT managers / team leads (that don’t have a CISO function within their environments), and even with new CISOs, is:

Where and how do I start with my IT & OT/ICS Cybersecurity & Resilience Transformation Program journey?

In this newsletter edition, I’ll be sharing an example approach that CIOs, CTOs or CXOs (charged with cyber resilience) can take to start Securing Things for a resilient business environment, along with some of my previous guidance that CXOs may find useful. In addition: curated guidance for CxOs, my most viewed social media posts (in case you’ve missed them), and my asks.

Ready to tackle the Cybersecurity & Resilience Transformation Program elephant in the room? Yes?

Let’s dive in.

Special Message:

Before we begin, do me a favour and make sure you hit the “Subscribe” button to let me know that you care and keep me motivated to publish more. Thanks!

Note: remember to validate your email address to ensure that you don’t miss any future newsletter editions.

Securing Things Academy: (coming soon)

IT & OT CySEAT (Cyber Security Education And Transformation) course is designed for IT and OT cybersecurity practitioners. Join the wait-list → here.

Check out a brief overview below:

IT & OT/ICS Cybersecurity and Resilience

To define and build a high-value IT & OT/ICS Cybersecurity & Resilience Strategy, it is important to build the trust of stakeholders, deliver value, and be able to showcase the value delivered.

Cyber Resilience can be defined as the readiness, visibility and measurement needed for defending against, responding to and recovering from an attack.

Other great definitions are:

  • IT Governance UK: Cyber resilience is the ability to prepare for, respond to and recover from cyber attacks. It helps an organisation protect against cyber risks, defend against and limit the severity of attacks, and ensure its continued survival despite an attack.

  • World Economic Forum: Cyber Resilience, as an additional dimension of cyber risk management, the ability of systems and organisations to develop and execute long-term strategy to withstand cyber events; particularly, it is measured by the combination of mean time to failure and mean time to recovery.

Building Blocks of Cyber Resilience Strategy

The foundational pillars are:

  • Readiness - Contextual situational awareness | strong protection | robust detection | rapid response | effective recovery strategy.

  • Knowing - Visibility | Risk Profiles | Measurement | Adapting to Change.

  • Stakeholder trust - Governance | transparency | engagement | clear and effective communications.

Accelerated Cyber Resilience Strategy

So why do we need an accelerated strategy?

Businesses, in order to stay competitive and productive amid dynamic and fast-changing business needs, are experiencing:

  • an accelerated pace of digital transformation, based on technology-driven innovation for highly connected environments.

  • an increased cyber threat landscape, due to adversaries using sophisticated techniques.

  • ever-expanding expectations from different stakeholders, e.g.,

    • Boards & executives - asking more questions & more engaged.

    • Regulators - putting in place stricter mandates, fines & penalties.

    • Customers - demanding a high level of security for their information.

Almost every organisation that treats data as its primary commodity essentially has to “Connect” → “Collect” → “Store” → “Process” → “Analyse” → drive insights and intelligence → for real-time analysis from the board room to the shop / factory floor.

Here’s a list of key elements of an accelerated Cybersecurity & Resilience Strategy that the CIO’s, CTO’s or CISO’s leadership team can adapt:

  1. Understand the business needs.

  2. Understand the requirements from internal and external stakeholders:

    • Internal = Board, CEO & executive management, IT & business management, finance, risk, audit & compliance, HR, or legal.

    • External = customers, regulators, suppliers & partners.

  3. Factor in business strategy, risks, legal / regulatory compliance, cost and/or capability maturity to:

    • Assess Current state - Where are we now at present?

    • Define Target state - Where do we want to be in future?

    • Outline Strategy Execution - What’s the best / fastest way to reach the target state?

    • Figure out the roadmap & budget - How do we best do it?

    • Measure and track - on an on-going basis.

  4. Use an agile approach to reach the target state by:

    • performing rapid assessments

    • building a prioritisation-focused, flexible and adaptable strategy

    • taking on tasks in iterative, rapid cycles to accelerate towards building cyber resilience.

  5. Focus on foundational controls first - do we have all the basics in place? e.g.:

    • Crown-jewel assets identified across cloud, 3rd-party & internal environments.

    • MFA for all critical assets and services

    • Visibility and control of privileged access

    • Attack Surface Management (all externally exposed apps / IP addresses)

    • No direct external connections to/from OT/ICS environments

    • Patching and Configuration Hardening (all critical assets)

    • Network Security Monitoring / OT Anomaly Detection / IDS

    • Vulnerability scans & Penetration Testing

    • Incident Response Plans

  6. Engage business stakeholders to identify how cybersecurity can be an enabler for business growth (e.g., new markets, new customers, increasing sales, new products / services, M&As, safety & reliability etc.).

  7. Understand and highlight key strategic value drivers for the business (e.g., increase revenue, reduce costs, reduce risks or reduce perception of risk):

    • Risk management (assess, mitigate, transfer, accept), measuring risk reduction and ensuring regulatory compliance.

    • Business & security transformation practices, e.g. cost reduction via automation, outsourcing and/or integrating security into new processes.

    • Stakeholder communications to reduce perceived risk (e.g. meeting regulatory requirements and/or investor risk expectations).

  8. Measure the value of the cyber resilience strategy through a risk-reduction lens; choose the highest-value strategies, via the fastest route possible, according to maturity curve, organisational synergies and speed.
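To make step 5 (foundational controls) and the "measure and track" part of step 3 concrete, here is an added example, not from the newsletter or any toolkit it mentions, that runs a basics check over a small, constructed asset inventory and returns the gaps per asset plus a coverage figure. The field names, zone labels and the 30-day patch SLA are assumptions for illustration.

```python
"""Foundational-controls gap check over an asset inventory (added example).

Each Asset record is a constructed sample. The checks mirror the 'basics'
list above: crown jewels identified, MFA on critical assets, privileged-access
visibility, external exposure, no direct external path into OT/ICS, patching.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    zone: str                  # assumed labels: "it", "ot" or "cloud"
    crown_jewel: bool          # identified as a crown-jewel asset
    mfa: bool                  # MFA enforced on the access path to the asset
    priv_access_logged: bool   # privileged sessions visible/logged centrally
    externally_exposed: bool   # reachable from the internet (attack surface)
    external_connection: bool  # direct path to/from internet or a 3rd party
    days_since_patch: int


def control_gaps(asset: Asset, patch_sla_days: int = 30) -> list[str]:
    """Return the list of foundational-control gaps for one asset."""
    gaps = []
    if asset.crown_jewel and not asset.mfa:
        gaps.append("MFA missing on crown-jewel asset")
    if asset.crown_jewel and not asset.priv_access_logged:
        gaps.append("privileged access not visible/logged")
    if asset.zone == "ot" and asset.external_connection:
        gaps.append("direct external connection into OT/ICS")
    if asset.externally_exposed and not asset.mfa:
        gaps.append("externally exposed without MFA")
    if asset.crown_jewel and asset.days_since_patch > patch_sla_days:
        gaps.append(f"patching overdue ({asset.days_since_patch}d > {patch_sla_days}d)")
    return gaps


def assess(inventory: list[Asset]) -> tuple[dict[str, list[str]], int]:
    """Gaps per asset and the percentage of assets with no gaps (for tracking)."""
    report = {a.name: control_gaps(a) for a in inventory}
    compliant = sum(1 for gaps in report.values() if not gaps)
    coverage = round(100 * compliant / len(inventory)) if inventory else 100
    return report, coverage


# Constructed sample inventory (not real assets).
SAMPLE_INVENTORY = [
    Asset("erp-prod", "it", True, True, True, False, False, 10),
    Asset("plc-line1", "ot", True, False, False, False, True, 400),
    Asset("vpn-gw", "it", False, False, True, True, True, 5),
    Asset("hist-server", "cloud", True, True, True, True, False, 45),
]
```

Re-running `assess()` on each iteration of the roadmap gives a simple, comparable coverage number to report upward alongside the per-asset gap list.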

Securing Things (Sponsor)

OT CBPRS (Cybersecurity Best Practices Requirements Specification) Toolkit!

The Solution (For Asset Owners Only) - A toolkit to get a head start on your OT/ICS cybersecurity journey for SMB/SME industrial environments. Bonus - comes with a limited number of complimentary seats for the IT & OT CySEAT offering.

Below is a brief walkthrough on the OT-CBPRS toolkit:

(Note: Next iteration would include the ISA/IEC 62443-2-1 Security Program related requirements).

High-Value Strategies

Examples of high-value strategies for both IT & OT/ICS include (but are not limited to):

  • Crown jewels asset prioritisation

  • Reducing Attack surface

  • Develop high digital fluency for a cyber-savvy workforce

  • Securing digital transformation initiatives

  • Managing third-party risks

  • Embedding Cyber Resilience within Safety & Reliability efforts

  • Cyber insurance and more.

Continue reading below about risks to the Cyber Resilience Program, the process of managing program risks, setting up the program for success & curated references! It’s free!
