SecurityGate.io CEO Ted Gutierrez and CISO Bill Lawrence recently presented at HOU.SEC.CON 2022, the Houston-area information security conference. In their presentation, titled “Assessments in Practiced Usage: The Top 5 Things You Should Know”, they discuss the importance of alignment and how to drive improvement in your cyber program long-term.
OT & IT cyber risk management programs are struggling to improve because critical-sector security disciplines are typically functionally siloed. Disconnected, subjective assessments across these silos lead to misalignment. Gutierrez and Lawrence explain that critical sectors should converge resources around an asset-centric view.
Before jumping into the five things you should know to optimize your assessment program, Gutierrez and Lawrence share how understanding your team’s relative maturity helps prioritize security projects. Once you know where your cyber program stands globally and which challenges your organization has with its decentralized assets, you can begin prioritizing where to focus your efforts.
Read: Stages of a Successful Cybersecurity Program in Critical Infrastructure
The Top 5 Things You Should Know:
Common Language
- People assess the process and technology, so a standardized vocabulary is essential, as subject-matter experts (SMEs) may be scattered across the organization
- Assessments can ensure translation of security needs across departments (IT/OT) and to the C-Suite and Board
- Assessing risks and threats to find gaps and develop mitigations can explain the need for additional personnel training, process/policy modifications, and new technology
Budget
- Organizations must figure out and justify requirements/spends to reduce risk
- People, process and technology all require resourcing, so having your ‘ducks in a row’ with a rationale for each can help make sense of your numbers
Schedules & Milestones
- Picking a ‘target date’ and backing up from it can ensure resource availability across departments and asset locations
- Keeps you focused and on track: assessment schedules and milestones can drive a project forward to completion
Validate Spend
- Thorough risk assessments can show where investments have borne fruit – or haven’t
- What can be learned that will scale across the organization?
- What didn’t work and why?
- Ensure you have a clear, concise way to visualize ROI for key stakeholders
Continuity
- Helps maintain continuity: repeated, regular use of a framework or standard preserves continuity despite routine or unexpected changes in SME or management rosters
- Comparing risk over time across many facilities/entities is powerful – especially if maturity/compliance is demonstrating gap closure and reduced risk
Watch the full presentation
About SecurityGate.io
Founded by former risk managers, SecurityGate.io is the fastest and easiest way for organizations to understand where their OT/ICS risks are and what to do about them. The SecurityGate.io platform has been adopted by over 60% of the top US energy producers, including Chevron, Modec and Westlake Chemical, and was recently named in Gartner’s Market Guide for Operational Technology for the second year in a row.
With SecurityGate.io’s critical infrastructure expertise, visual dashboard, and actionable insights, OT and IT security teams are empowered to collaborate and mature their cyber programs faster and more easily than with traditional manual methods.