Awareness of the rapidly developing cybersecurity threat landscape is rising among North American corporate leaders, members of the management team at cybersecurity firm Dragos said in a webinar last week.
But the importance of protecting operational technology assets and industrial control systems (ICS) is still far behind where it should be, at least according to attendees’ anecdotal experiences.
“When I look at my services team, 90% of our engagements … in the manufacturing sector particularly, have weak or zero perimeter control from their corporate to their OT environments,” Ben Miller, vice president of services at Dragos, said in the OT Cybersecurity Strategies webinar. “That’s combined with [the fact that] 60% of shared credentials are used between corporate and OT [environments] … and nearly all of [our engagements] lack an OT-capable visibility into what is occurring within those environments.”
Miller said that, in his experience, company leadership and board members tend to see “data breach and data loss as the significant risk on the technology side,” while protection of OT systems is usually a lower priority. Dragos’ Chief Information Security Officer Steve Applegate, whose background includes advising on NERC’s Critical Infrastructure Protection standards, attributed this disparity to the typical background of management team members. He said that a large part of his goal when speaking to corporate clients is simply overcoming this divide between business-oriented and technology-oriented thought patterns.
“It seems like [for] the majority of boards … their skill set is going to be in business,” Applegate said. “You get attorneys, and you can get people that are very focused on government regulations and [other] things, that make up senior leadership teams. And then you come in, and it’s so important to learn their language and to figure out how to frame the risks in the language … that they’re aware of, and to be able to establish that credibility.”
Basic Presentation Skills Pay Off
While the skills involved in speaking to boards of directors and leadership teams go beyond what Applegate referred to as “Toastmasters-type of stuff,” some of the same rules apply. One of the most basic guidelines is that public speakers of any stripe have to know their audience.
For cybersecurity professionals presenting on OT threats, this means understanding the type of personnel who are going to be attending the meeting: Are they C-suite executives, or middle management working closer to the front lines? Are their backgrounds in law or finance, or do they have a firsthand knowledge of cybersecurity?
In addition to learning about the people who will be attending, Applegate advised security advisers to learn about the organizations for which they work. This means understanding the type of business that they do, but also getting a sense of how the business functions internally, how the leadership teams work together and what managers prioritize.
“I don’t think it’s magic; it’s people; it’s learning people, but some [things] have helped me to kind of get the temperature of the group,” Applegate said. “I’ve read historical meeting minutes. I’ve gone back and looked at the projects that got accomplished, and which things succeeded, which ones didn’t. I’ve watched videos sometimes, if there [were] videos available of different board meetings or the leadership meetings.”
Keep It Simple
Additional successful communication strategies that Applegate shared include keeping presentations simple by holding deeper information back for Q&A periods, rather than burying audiences in technical jargon up front. Keeping the talk grounded, through the use of benchmarks and clear metrics, is also essential; while IT experts must sometimes make assumptions where hard data are unavailable, this must be avoided when possible and clearly labeled when unavoidable.
“Don’t use FUD — fear, uncertainty and doubt,” Applegate said. “That’ll blow up in your face. It hurts your credibility. It sounds like you’re crying wolf or complaining. Instead, a risk assessment with a penetration test, or whatever, to help quantify likelihood … prompts lasting action and helps to change the culture as opposed to just sounding like you’re afraid and throwing out fear as a tool.”
However, Applegate also warned that presenters must impress the urgency of the threat on corporate leadership. Ensuring that those in responsible positions understand why investments in cybersecurity are needed can protect those programs down the line when other priorities threaten to take away focus.
“I think it’s table stakes that a program is not going to succeed without executive buy-in,” Applegate said. “Eventually you’re going to need money; some business leaders’ … projects are going to be at stake and they’re going to try to put a foot on the brakes for some of the security program, and the only way to get over that stuff is having the right kind of governance, which starts at the senior leadership.”