The first question each new CISO must answer is, "What should I do on Monday morning?" My suggestion: Go back to basics. And these steps will help.
The inevitable digitalization of an industry can create strife within companies, especially between colleagues tasked with blending often old and idiosyncratic business-critical operational technology (OT) with information technology (IT).
One crucial source of confusion: Who is responsible for the all-important cybersecurity risk mitigation of OT systems as they become part of the Industrial Internet of Things? There's no universal answer yet. Some chief information security officers (CISOs) are drawn from OT, and some from IT.
Either way, the first question each new CISO must answer is, "What should I do on Monday morning?" My suggestion: Go back to basics.
What I've noticed working with industrial companies around the world is confusion among CISOs distracted by thousands of companies — new and old — offering shiny new tools to prevent and detect threats in exciting ways. As a result, there's a good chance new CISOs could overlook the basic, fundamental steps needed to build the broadest, strongest risk mitigation.
Here are the six steps all new CISOs should take to begin protecting their OT environments in the most effective way possible:
• Step 1: Asset inventory. A company's OT systems are its crown jewels, and the CISO's primary role is to protect them. First step: Explore, discover, and inventory every OT element in the organization to learn exactly what you're protecting — data, software, systems, etc. Without a complete and accurate asset inventory, the succeeding steps will fall short in minimizing cybersecurity risk.
• Step 2: Backup/test restore. The most effective way to protect OT systems from ransomware attacks, which range from expensive to ruinous and are just one risk among many, is to back up OT data and perform a test restore to make certain the backups are optimal. Backing up systems is crucial for multiple reasons, security among them.
(Tip: In case of ransomware attacks, don't forget the European police agency Europol's public/private No More Ransom site, which offers proven, valuable anti-ransomware tools free of charge.)
Yes, a test restore can be challenging, but OT network backups are only as good as the test restore process that confirms they are effective at protecting the network from data loss.
As we'll see in step 5, it's important to identify pertinent data for test restore on a continuous basis — often by asking users in the organization which data is most important for their work — but for the first backup/test restore, do it as widely and deeply as possible now to avoid data loss and other problems down the road.