CISO Conversations: Engaging Leadership
Chief Information Security Officers and their CIO counterparts have varying levels of success getting corporate execs to support their security plans and policies. Here’s how to get buy-in from the C-suite.
Industrial cybersecurity has gained attention in recent years following attacks like WannaCry and NotPetya. The increasingly connected nature of production has made companies more competitive while also creating cybersecurity risks that must be addressed. In the first of a four-part series, Dawn talks to Rockwell Automation Chairman and CEO Blake Moret about how to engage with CEOs and board members to help make cybersecurity a priority at the highest level of their organizations.
Cappelli: Are CEOs and board members today generally more aware of cybersecurity and its significance to their business?
Moret: There’s been a tremendous increase in awareness among CEOs of the importance of cybersecurity over the last few years. When I go to events like the Business Roundtable meetings in the U.S., it's a hot topic. We also see it reflected in the surge in requests our teams are getting for cybersecurity assessments and remediation.
Another piece that’s helping prompt the growing awareness is board competencies. Boards are recognizing not only that cybersecurity is a governance topic, but as boards change over, directors are coming onto those boards with more basic competency themselves and knowing what the key issues are.
Cappelli: What can be done to make more CEOs understand the importance of security?
Moret: The first thing they can do is hear from their peers that are facing the same problems. The private sector has to be able to share best practices to create an effective response against this. Second, they can assemble a good internal team that can get to the heart of the issues and cut through the generalizations to help them stay educated on the actual risks. And third, they can make risk assessment and the reduction of residual risk a regular part of their agenda. This can't just be something that gets on their calendar when there's a successful penetration. It's got to be an ongoing part of their regular review processes through auditing techniques and other ways to make sure that they stay on their toes, because it's a very dynamic landscape.
Cappelli: One of the hardest things to do in security is balance security and productivity. How do you prioritize?
Moret: It has to be a risk-based approach. This current crisis has taught us that in areas of supply chain and operations, you can't just look at the incremental costs of addressing risk. You need to find a way to enter big events like shutting down a plant or having your most important IP compromised into the analysis of what you actually spend money on.
Cappelli: A few years ago, you made some changes that led Rockwell Automation to adopt a holistic security strategy. What prompted you to look at what the company was doing and make changes?
Moret: It was really about continuing the theme of a defense-in-depth approach, because there are a lot of different ways you can be vulnerable. And increasingly, as a technology company, we became more aware that what we do on the inside really does show up on the outside with customers. We knew our IT framework was part of what we were selling to customers as we moved to a subscription world. So, it wasn't only about internal security, but also about safeguarding the intellectual property and the experience of our customers. We needed a holistic approach that brought everything together and recognized the human aspect as well as the technology.
Cappelli: What’s your view on working with customers, vendors and the supply chain to tackle this together?
Moret: The topic of supply chain resilience is uppermost in people's minds right now, and this is just one aspect of it. Increasingly, you're getting parts of your total offering from partners, and you need to make sure those parts are not a weak link. And (when) going into customers’ systems with things like remote monitoring, where you have a persistent link into their technology… they need to trust you to be able to do that.
Cappelli: What is Rockwell Automation doing to advance its security journey?
Moret: In the current environment, we're protecting our investments in security, both for our own internal security and our offerings for customers. We just recently completed an acquisition of Avnet, a data security company that has a lot of ideas that are going to help our customers. But we're going to learn from them internally as well. Cybersecurity is a dynamic space, and all the best ideas about how we protect ourselves and our customers aren’t going to come from what's currently within our walls. We need to have a strong partner ecosystem and continue to bring in talent.
About the Author:
Dawn Cappelli is vice president of global security and CISO for Rockwell Automation. She is a member of the RSA Conference Advisory Board and RSA Conference Program Committee, and co-founder of the Open Source Insider Threat information sharing group.