What's the role of people in IT/OT security?
To enable a smoother, more secure IT/OT convergence, understand the potential conflicts between the historical priorities and traditional work cultures of IT and OT teams.
Thanks to IoT, today's enterprise computing architectures are increasingly distributed and interconnected. They include many devices with limited power or processing capability that transmit data to, from and across IT and operational technology (OT) systems.
Although the convergence proves fruitful in the end, most organizations struggle to adapt to this new hybrid architecture and mistakenly treat OT security as a parallel universe separate from IT, resulting in disparate approaches and heightened vulnerabilities.
These "separate realities" threaten the potential value of IT/OT interconnectedness and fail to recognize the security needs common to both. While there is much ado over the business model and technical implications of IT/OT convergence, what is often overlooked is the role people play -- particularly as it relates to IT/OT security.
People define joint governance
Historically, IT and OT teams have had different priorities, some of which conflict with one another. For example, data confidentiality is paramount in IT environments, whereas OT environments must put the safety of employees, customers, machines and equipment first, followed closely by availability: patching or rebooting a controller mid-shift can halt production or endanger a process, so controls that are routine in IT cannot simply be copied into OT. While software helps execute, people define the priorities and procedures for shared governance:
- Reconcile risk vs. cost evaluations across complex business environments -- for example, weighing information protection against production losses, employee safety, noncompliance and reputational damage.
- Align efforts with priorities, define joint responsibilities, run joint pilots, cross-train across functions and extend knowledge to where it is needed.
- Define new workflows, collaboration models, training modules and modalities, and shared metrics and incentives.
People spearhead culture and training
From ransomware to network intrusions, email malware to third-party vendor breaches, the weakest link is often not the technology but the human. Research shows a significant percentage of threats originate inside an organization, involving employees, ex-employees and third parties. This calls for a cultural shift that infuses security into employee training, operating procedures, incentives and, most importantly, mindset. With damage related to cybercrime projected to reach $6 trillion by 2021, according to research from Cybersecurity Ventures, companies must embed this cultural shift in their existing digital transformation efforts.
One success story is Finning International Inc., a dealer of Caterpillar equipment, engines and parts for industries including construction, agriculture and mining. It employs more than 13,000 people worldwide. Because Finning both supports the digitization of its customers and is digitally transforming itself, CISO Suzie Smibert led a dedicated companywide effort to instill a culture of security across employees.
Smibert helped Finning institute an IT/OT security-focused approach in three main ways:
- Through team- and trust-building. The security team worked alongside product, engineering and other teams to show that security-by-design approaches need not delay product launches or cramp innovation. Instead, they explained how such approaches help avert recalls, preserve data privacy and exceed current industry standards. Security team members now also act as service providers to DevOps teams.
- By making engagement specialized and localized. Finning hired psychologists to better understand how people learn about security in relatable ways and offered various training modalities to support different learning styles, using gamification, short videos and face-to-face discussions. The communications team also tailored content for employees across different geographies and languages.
- By articulating the value proposition for employees. This includes incentives for salespeople; a single policy, rather than several, for employees working across multiple countries; opportunities to learn new skills; productivity enhancements and the like.
People identify diverse operating environments
Given the diversity of IoT devices and the contexts in which they are deployed, security products must be tailored to different usage environments, dynamics, applications and compliance standards. This is not merely a technical integration exercise; it requires many stakeholders to coordinate.
Three needs stand out:
- Domain expertise across multiple environments. A remote construction site, for example, has IT/OT security implications on the ground via mobile devices, as well as in applications used in the field or in vehicles, and these may span multiple facilities, jurisdictions and regulatory regimes.
- Related skill sets spanning chips, devices, applications, data and network infrastructure. Few individuals are specialists in all of these areas, and bridging the gaps between them is critical.
- Oversight and accountability across systems. Duplication and overlap are common given the proliferation of new business assets and systems; large enterprises can have more than 50 platforms, each with its own security capabilities and vendor relationships.
Businesses must see beyond the technical evaluation of IT/OT convergence and define the new era of human collaboration it demands. Digitally securing physical infrastructure requires a multidisciplinary approach built on cross-functional training, teamwork, and shared objectives and metrics. In short, it takes a village.