The proliferation of digital technology has thrust businesses around the world into uncharted waters. The lines emanating from all the things ONLINE have woven together a mural that is marvelous to look at, exciting to talk about, and a bit scary upon quiet reflection. With all the possibilities that digital has come to inspire, there is the dreaded evolution of the threat landscape that involves everything that begins with the word “critical”.
In the Operational Technology domain, which houses everything that is critical, the response to this evolution had remained lukewarm at best; an oversight that resulted in some of the most outrageous OT cybersecurity breaches affecting millions of people and costing billions of dollars. While these incidents have certainly prompted a response in terms of a renewed understanding of the gravity of this new generation of OT Cybersecurity threats, there are several challenges that need to be addressed at the organizational and top leadership levels. Essentially, these challenges are a microcosm of the perennial discussion among organizational leaders who are facing a major cultural or technological shift that has a direct bearing on how the organization conducts its business.
Recognizing the reluctance
The first step in solving any problem is recognizing that there is one AND building a consensus about the way everyone understands the problem. It is not sufficient to recognize the existence of the problem alone. Here is why: According to a recent survey by the World Economic Forum in collaboration with Accenture, 85 percent of cyber leaders (an umbrella term for security executives and business executives) agree that cyber resilience is a priority for their organization, but one of the foremost challenges is getting decision makers’ support when prioritizing cyber risks. This highlights the fact, which the survey points out as well, that while highlighting cybersecurity is necessary, it remains insufficient if it lacks action-oriented support from top leadership.
Reluctance towards such an undertaking is, quite understandably, a ubiquitous phenomenon because such an enterprise entails a lot of questions ranging from costs and returns to human capabilities. It has, essentially, all the ingredients of a change management process that are specific to people, processes, and technology.
Speaking THEIR language
The biggest pitfall in bringing top leadership onto the same page could be getting so technical in the discussion about the feasibility of implementing an OT Cybersecurity program that it goes beyond their understanding and the effort to eliminate reluctance simply gets lost in translation. Therefore, it always helps to speak in a language that they understand well.
Consider this: The average cost of an OT Cybersecurity incident, as outlined here, amounts to between USD 3 and 4 million. The time that it takes to recover from one incident is between 180 and 280 days. Our webinar delves into detail about establishing an OT Cybersecurity context and should be helpful in translating OT Cybersecurity risks into easily understandable facts & figures for your top leadership.
One of the foremost concerns for top leadership should be share price impacts. Here is why: According to an analysis by Comparitech, “14 market days after a breach becomes public, the average share price bottoms out and underperforms the NASDAQ by -3.5%. After six months, the average share price performance falls -3.0% against NASDAQ performance. In the long term, breached companies underperform the market. After 1 year, the share price fell -8.6% on average, and underperformed the NASDAQ by -8.6%. After 2 years, the average share price fell -11.3%, and underperformed the NASDAQ by -11.9%. And after three years, the average share price is down by -15.6% and down against the NASDAQ by -15.6%.”
On top of it all, the negative media coverage around a cyber breach, particularly an OT Cybersecurity breach that involves threats to human lives, critical infrastructure, and the environment, is not only damaging for the company in the short term but can have a lasting impact on a company’s business reputation.
Hopefully, the cost-benefit concern gets addressed here for the top management because it is evident that the benefits outweigh the costs by far. The biggest lesson from the emerging threat landscape in OT cybersecurity is that it is not a question of “if” but “when”. The conversation has moved beyond the balance of probabilities so there is no room for inaction, specifically because of the costs involved.
Pushing OT Cybersecurity out of the footnotes in strategy meetings
OT Cybersecurity, if at all a part of a strategy presentation, is often featured in the broader discussion about IT issues, as outlined in a McKinsey & Company report on transforming cybersecurity. This inevitably leads to a comparative lack of knowledge, awareness, and even interest in OT Cybersecurity as compared to other key areas of corporate strategy. The same report shows that only 25 percent of companies present security updates to the board more than once a year, and up to 35 percent of companies report this information only on demand.
Making OT Cybersecurity an essential part of corporate communications, therefore, becomes even more necessary and goes a long way in getting the buy-in of top leadership. The security leaders need to be the origin of such communications, instead of relying on help from other functions like Marketing or HR. More importantly, they need to go out of their way and initiate meaningful conversations about OT Cybersecurity across various corporate functions. In due course, such networking creates champions for the cause within the corporate leadership, paving the way for convincing top management to integrate OT Cybersecurity into the business strategy.
Mapping out what OT Cybersecurity will mean at every level of the business value chain
Security and business leaders might not be adequately equipped to understand the full meaning of integrating OT Cybersecurity with business strategy and defining the impact that it will have on different levels of a business value chain. They will need each other’s support to understand that. Fostering cross-functional relationships and initiating meaningful conversations, as outlined in the previous section, will enable security and business leaders to educate each other and understand the incentives that the integration of OT Cybersecurity with the overall business model holds for them. Once that understanding is reached, it becomes relatively convenient to map out the impact and translate it into a language that the top leadership understands.
The evaluation of the impact will differ from industry to industry. Commonly, the positive impacts include insurance savings, prolonged asset life, improved productivity due to improved visibility, and protection against third-party system vulnerabilities; basically, covering all areas from finance to operations and supply chain management.
As you can see, we have attempted to cover and discuss some of the foremost challenges, ranging from top leadership buy-in to cross-functional consensus, that normally stand in the way of investment in OT Cybersecurity. The most important lesson that, we believe, can be learned from this discussion is that OT Cybersecurity is no longer the exclusive concern of an organization’s IT department. It needs to be discussed along with all the essential elements of corporate strategy in a language that the top leadership understands. For that, security and business leaders will have to step out of their silos, meet halfway, educate each other, and develop an understanding of the need for integrating OT Cybersecurity with the corporate strategy and business model. OT cybersecurity has become everyone’s business and therefore needs to be the business of the C-Suite. It can no longer be confined to a footnote, or even to a bullet point in a subheading about IT budgets.