IT & OT Cybersecurity - Strategy, Program, Execution and Management

[Securing Things by M. Yousuf Faisal]


Disclaimer: All views presented here, in this newsletter, are my own.

Neither the author nor the newsletter is liable for any actions taken by any individual, organization, business or entity. The information provided is for education and awareness purposes only and is not specific to any business or situation.

M. Yousuf Faisal


Hi Securing Things Community,

Are you struggling to get started with IT & OT Cybersecurity - Strategy, Program, Execution and Management? Something that aligns with your business vision, objectives, growth plans and operations, and that has the potential to get leadership attention and buy-in so that it becomes an integral part of the overall business mission, but you are not sure where to start?

If so, you’re definitely not alone.

Finding the right balance for a sustainable and actionable IT & OT Cybersecurity & Resilience strategy, program, execution and management is one of the biggest challenges for aspiring or current CISOs and security leaders. CISOs at SMB to large manufacturers are being tasked with the additional responsibility of cybersecurity for the OT/ICS side of the business as well.

By the end of this issue, you’ll have a simple framework you can follow to uncover one reasonable approach (of a few) to addressing this challenge.

Let’s dive in.

But before we begin, do me a favour and make sure you hit the “Subscribe” button to let me know that you care and keep me motivated to publish more. Thanks! Note: remember to validate your email address to ensure that you don’t miss any future newsletter editions.

IT & OT Cybersecurity & Resilience

Most organizations start with discovery and/or a proper assessment/review and then jump directly into applying fixes. This often leads to unforeseen challenges and hinders execution of the program (especially activities in an OT security program); it is a common mistake that falls short. A smarter approach (one example) is outlined below.

Strategy

If you fail to plan - you plan to fail.

📢Without a strategy - your strategy is to fail at managing cyber risks.📢

Unlike large enterprises (though you'll find some of them guilty of it too), it is common for an SMB/SME industrial or manufacturing organization not to have a documented IT & OT Cybersecurity Resilience strategy. This leads to an ad-hoc approach to handling risks and incidents, and ultimately to an unpredictable cost to the business.

-> How not to fail at building an IT & OT Cybersecurity Resilience strategy?

👉 3 steps from a state of "ad-hoc efforts / no defined strategy" ➡ towards ➡ a target state of a documented 📖#IT & #OT #Cybersecurity #Strategy📖:

✅1 - Understand your business (vision, mission, growth plans, business workflows, inventory, input from stakeholders, assessments/reviews etc. and associated risks)

✅2 - Understand your technical architecture (IT/OT network data flows, assessments/reviews etc. and associated risks) and select a framework

✅3 - Define and document ➡ goals, objectives and a list of selected controls around the secure business view, secure architecture view and secure operations view ➡ get the required approvals and execute.

-> How to 📜 document an 📖IT & OT Cybersecurity Resilience strategy📖?

👉 3 steps 📜 to documenting an IT & OT Cybersecurity Resilience strategy:

✅1 - Business needs (vision, mission & growth plans) drive the drafting of the #cybersecurity #resilience #strategy (mission, vision, goals/objectives)

✅2 - A prioritized roadmap with a list of workstreams/initiatives mapped under specific "Goals" and "Objectives" drives execution, with a set of layered security controls (both administrative and technical) for a "defense-in-depth" approach.

✅3 - Rinse, refine, repeat: update per changing business needs, for an outcome that moves towards an informed and manageable risk state.

For more details, check out the following previous posts:

Program, Roadmap & Execution

Check out the IT & OT Security Dozen framework by M. Yousuf Faisal to help you build a program and develop an execution plan across the 3 phases of the project lifecycle. The 3 phases and the elements within each phase are outlined below.

IT & OT Security Dozen - Framework by M. Yousuf Faisal

- Assess/Review
- Strategy ✅
- Roadmap
- Policy
- Best Practices, Standards and Requirements
- Checklists
- Supporting Artefacts
- Selection of IT/OT Security tools (OT IDS/Anomaly Detection)
- Exercises and Security Testing requirements...
- and more....

👉 Assess, Define, Build and Execute an IT & OT Cybersecurity program.

👉 Planning such an initiative in 2024 for single/multi-site deployments❓

👉 Reach out to info[at]securingthings[dot].com

Let's not leave it to next year or later: start assessing, defining and executing your cybersecurity strategy of things in 2024 ;-).

Management

Executing the program roadmap and later establishing an IT & OT Cybersecurity Management System is a necessity; it ensures continual monitoring and improvement of cybersecurity efforts within the organization.

Many are familiar with the concept of an ISO 27001-based ISMS (information security management system), so for the purpose of this post we’ll not be discussing it. In case of any interest, please let me know in the comments and I’ll cover it in a future topic.

A similar concept exists as part of the ISA/IEC 62443 standards for building and running an OT Cybersecurity Management System (OT-CSMS). Below is a short intro:

📖OT Cyber Security Management System (CSMS)📚 as per the ISA 62443-2-1 standard:

👉 Comprises ➡ Categories | Elements | Element Groups
 
👉 Categories include ➡(1) Risk Analysis | (2) Addressing Risk with the CSMS | (3) Monitoring & Improving the CSMS
 
👉 Elements include ➡ Business Rationale, and Risk Identification, Classification & Assessment (under #1) + Compliance/Conformance, and Review, Improve & Maintain the CSMS (under #3)

👉 Element Groups include ➡ Security Policy, Organization, and Awareness | Selected Security Countermeasures | Implementation (under #2)

Each of the above Element Groups includes:
 
👉 Security Policy, Organization, and Awareness ➡CSMS scope, Organizational Security, Staff Training & Security Awareness, Business Continuity Plan, Security Policies & Procedures.
 
👉 Selected Security Countermeasures ➡Network Segmentation, Access Control (Administration, Authentication, Authorization), Personnel Security, Physical & Environmental Security.
 
👉 Implementation ➡ Risk Management and Implementation, System Development and Maintenance, Information and Document Management, Incident Planning & Response.

👉 The Awareness part of the element group includes ➡ Staff Training and Security Awareness ➡ that's where IT & OT CySEAT comes in.

✅ The OT CSMS process flows like this 👉 Initiate CSMS Program --> Initial High-level Risk Assessment --> Detailed Risk Assessment --> Establish Policy, Organization & Awareness --> Select and Implement Controls --> Maintain the OT CSMS.

There are opportunities and elements missing in the current version of the standard for the OT CSMS 📋 the upcoming version update will hopefully add these missing pieces. Can you spot and list them 📜 in the comments below⁉

📢Coming soon - on Securing Things Academy 📢

Securing Things Academy - Coming Soon!

Subscribe to the Securing Things Newsletter here to get an additional 5% discount on top of the mega launch discount. This offer is valid from June until 31st Aug 2024.

My Ask

I’d love to hear what challenges you, as a Securing Things community member / CISO / security leader, are facing in your business. What can I write about to help you in your professional journey?

Reply back to this email / post and let me know.

Your feedback and input are invaluable to me as we work together to strengthen our cybersecurity defenses and create a safer digital future. Thank you for your trust and continued support.

Here's to Securing Things in 2024! Take care and Best Regards,

M. Yousuf Faisal (Founder Securing Things).

It’s a Great Day to Start Securing Things for a Smart & Safer Society.
