Trust, respect, understanding. These are all two-way relationships that must be earned over time. Whilst someone being hired in a senior position will likely already have a certain level of each, part of your job is to continuously cultivate all three of these elements with colleagues no matter your grade. When working within a cybersecurity practice, it is critically important to have this level of understanding across large swaths of the workforce, from the senior level to operations teams. This is due to cybersecurity’s ongoing evolution. Therefore, we always need to have an action plan or improvement roadmap for responding to required remediations.
Identify Your Organization’s Current Security State
Do you know what state of security your organization is in and how it aligns with others across the industry? That’s such a common question; cybersecurity maturity assessments (CMA) almost sell themselves. A CMA looks at the inherent risk of the organization and completes a risk assessment. The value here is you can see each and every level of maturity you need as well as where your current state is from a granular view. When working with an organization that has the added complexity of both Operational Technology (OT) and Information Technology (IT), this granular view can help enhance the approach and prioritize investments. On top of this, because of the variety of frameworks and regulations out there, many organizations that provide CMA services can map your responses to quickly identify gaps in the program. This leads us to another attractive trait of CMAs: the ability to give the improvement plan more depth and ultimately gain more resources and support. When being called into an organization that is struggling with cybersecurity improvement programs, my first question is to understand the communications channels between the technical/operations teams and senior leadership. What does a daily/weekly/monthly report look like? How do they choose the metrics to be measured? What was the last open discussion where both sides presented their views? Often, the response is less than perfect: both sides feel they have repeated the same things without a response from the other. My role in these situations is to bridge this communication gap by specifically assisting the discussion in the following areas:
- What does success look like? It is important for the technical team to not only clarify what it requires to feel successful but also clearly define what the business needs look like. Having these discussions and outlining the team’s goals can move the program forward.
- What metrics are needed? What exactly do the teams want to understand, change, improve? Without recording these needs within the metrics, you aren’t going to see change in any direction. You simply won’t know.
- What do you not understand? We all have pieces and actions we see others make, and we may feel confused as to what their purpose is. Why would they focus on X when Y is so disorganized and in your opinion in need of attention? The reality is that each ‘side’ will see this, as well; having an open and safe discussion to identify and often simply clarify can have a massively beneficial impact.
Your goal with these three focus areas is to identify remediation needs, direct the focus of your cybersecurity improvement program, and continuously build understanding and trust across the organization. Just as these improvement programs are constant, so too is maintaining that understanding and respect. When you’re looking to improve your Industrial Control Systems (ICS) environments and/or solutions, you need top-down support, not just your local team. To do this, you need to empower the senior leadership to understand these requirements and make educated decisions. This can be supported by the effective tailored monthly reports for senior leadership and further details within the operations updates.
Moving Your Program Forward
Once your cybersecurity improvement program direction has been decided, now you can break the overall program into structured phases. In order to stay on track, keep the scope consistent throughout so as to reduce the risk of failure. These shorter phases can individually be signed off at vital checkpoints, allowing for some flexibility whilst still achieving the desired outcome. Additionally, by clarifying each phase, you can gain the confidence from senior leadership and technical teams that this program will not only succeed but also enhance their working environment. What I mean by this is that in many programs on which I assisted following previous failures, the consistency across the previous attempts was little to no user experience, workflow analysis, or collaboration across the teams. This is vital for all parties to buy into the new solutions. As noted above, knowledge sharing is one of the most important pieces for cybersecurity experts in order to build secure solutions along with actually change the behavior of consumers. To maintain this level of understanding, acceptance, and collaboration within your organization’s improvement program, you can also host regular awareness sessions. Ultimately, an organization’s cybersecurity program needs to be customized around what assets exist, what the business and operations requirements and focus is, and finally, who is going to be maintaining the environment. Building trust, understanding, and respect across the teams will enhance communication and ultimately collaboration, which in turn will clarify and focus the priorities effectively. Check out Tripwire’s latest ebook Navigating Industrial Cybersecurity for a more detailed look at building effective improvement programs: https://www.tripwire.com/solutions/industrial-control-systems/guide-to-industrial-cybersecurity/
Further reading in this series by Zoë Rose: Navigating Industrial Cybersecurity: Knowing the Basics Navigating ICS Security: The Threat Landscape Navigating ICS Security: The Value of Frameworks Navigating ICS Security: Best Practices for ICS Decision-Makers
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.