Three Themes in OT Security Governance
Organizations must understand their key cybersecurity challenges to build a robust OT security governance framework. These challenges reflect the realities of managing cybersecurity in operational technology, shaped by several key themes. Understanding these themes helps to grasp the nuances of the five guiding principles for effective governance.
Theme 1: There Is No One-Size-Fits-All Answer
Every organization's journey in cybersecurity is unique, shaped by its culture, operational model, and risk profile. This diversity demands a governance approach that is not one-size-fits-all but tailored to fit each organization's needs and context.
Theme 2: There Is No Single Point of Authority and Accountability
In many organizations, cybersecurity's responsibility spans various departments and roles. This distribution of authority and accountability highlights the need for a coordinated, collaborative approach to governance, ensuring that all parts of the organization are aligned and working together towards common security goals.
Theme 3: Most Companies Need Help With Leadership Alignment
With the rise in cybersecurity threats and often limited resources, aligning the organization's leadership on security strategies becomes even more critical. This alignment is about agreement on strategy, commitment, and support for the necessary resources and changes.
Five Principles to Design the Right OT Security Governance Model
1. Start With Alignment at the Top
Achieving the right governance model requires clear alignment of the C-suite on the following:
- The real risk to operations
- The risk appetite of the senior team and board of directors
- Rough estimates of the cost to achieve the risk appetite of the senior team and board of directors
- Rough estimates of the cost to achieve different levels of security maturity
- How the senior team will make decisions on critical trade-offs in these areas
The natural leader for this exercise is the CISO. This is not to say that the CISO will have the authority to make all the decisions. In most successful exercises we have seen, the CISO plays an influencing role rather than a determinative role in bringing the senior team to alignment on the best path forward, considering the various trade-offs across the business.
Although specific governance models often focus on the definition of where authority and accountability reside, we have seen many RACI (responsible, accountable, consulted, and informed) charts become paper exercises unless there is a truly shared understanding of objectives and priorities at the top. Basing budgets, metrics, and resources on an agreed set of objectives maintains alignment.
Resources to Help the C-Suite Reach Alignment
Some industrial organizations find that engaging external OT security experts accelerates this alignment process. Not only do these professional services teams help organizations improve their cybersecurity posture—they also serve as facilitators who can translate technical vulnerabilities into business risk language that resonates with boards and executive teams. This external perspective can break through internal obstacles by providing data-driven insights that stakeholders can rally around.
Many organizations are far along in the OT security journey without realizing they have yet to achieve clear alignment at the top. In most cases, the best choice is to reset and ensure the team takes the time to establish this basis of understanding; otherwise, future progress may slow. Professional managed services can provide the objective baseline needed for this reset, so stakeholders can start from a common understanding of the current state and future needs.
2. Go With the Flow of Current Organizational Style, Not Against It
One of the most successful OT security executions our team witnessed came from a utility holding company with a culture of business-unit independence and ownership of results. The company's former governance model used the classical distributed business-unit profit and loss ownership model made famous by many industrial companies over the years.
The Smart Play
Instead of forcing centralized security, leadership set clear accountabilities around the "what" (targets and objectives); in this case, it was the CSC top 18 controls. But this is the key part—they let each business unit decide how to get there.
How It Worked
- Leadership set the target and review process.
- The CISO shaped objectives, but didn’t dictate methods.
- Business units chose their own tools, controls, and approaches.
- Everyone met quarterly to track progress against shared metrics.
Why This Approach Succeeded
The organization did not have a culture of centralized experts or shared infrastructure. To create such a model would have meant going against the primary mode of operation for the organization.
Had the CISO tried to push in this direction, he most likely would have failed because it was not in the organization's DNA. He knew that no governance model was perfect, but he still adapted and used what he could in a way that worked for everyone.
The Lesson
Study your organization’s DNA first. If you’re decentralized, build a framework that preserves autonomy while ensuring accountability. If you’re highly centralized, use that structure to your advantage. Work with your culture’s grain and not against it. Then, address the gaps unique to your approach.
3. Follow the Money
One of the most challenging aspects of cybersecurity governance is ensuring budget alignment with accountability. In many organizations, cybersecurity-related spending is spread across multiple departments.
- Plants may be responsible for the budgets of their discrete time systems including updates, patching, and management.
- Corporate IT may manage the budgets of network gear and possibly segmentation.
- The CISO may manage spending on security-specific initiatives such as anti-malware or monitoring logs for threat detection.
- HR may have the budget for training and awareness development.
- Facilities management may be responsible for the building systems such as warehousing, chillers, freezers, etc., which may be critical to operations.
In this kind of distributed environment, capturing current spending related to cybersecurity and prioritizing additional spending on new protective or detective measures is difficult.
We have seen clients adapt to this situation in different ways. Some have created a shadow accounting system aggregating spending from different business units into a holistic cybersecurity budget. Others have established clear objectives and asked business units to achieve them while managing their overall budgets in line with typical year-over-year increases, essentially making spending trade-offs on cybersecurity vs. other items. Still others manage security compliance at a plant-by-plant level and ensure that the budgets for the plants take cybersecurity into account as one key element of their metrics.
Whether they use one of the models above or some alternative, organizations first need to gain visibility into total cybersecurity spend and second to align budget authority with security accountability to manage risk effectively.
4. Adopt Operations’ Use of Balanced Scorecards and KPIs
Successful operations organizations run on metrics, targets, detailed procedures, and tactical results monitored on an hourly, daily, and weekly basis. Cybersecurity objectives are often subtle or aspirational:
- Reduce vulnerabilities
- Identify potential malware
- Identify attackers
- Improve incident response by X%
Successful OT security approaches will work with the flow of operations management and transform these subtle objectives into very tactical targets and metrics that can be shown on simple red, yellow, and green charts.
Real-World Example
One customer adopted the NIST CSF as their cybersecurity framework and went to the next step and implemented a set of measures that could be tracked weekly, monthly, and quarterly.
Each control area had a set of targets and metrics. These included the number of critical patches not deployed, the number of machines without a backup in the past week, the number of false-positive alerts, the time spent by operational personnel responding to false alarms, and more. They treated the corporate security operations center (SOC) that was analyzing threat data as if it were an upstream supplier of material: the SOC was held to targets relating to threat detection quality and timeliness.
This data was shared regularly between operations and the SOC to ensure the teams were accountable to one another. When items were not "in the green," remediation plans were put in place, as they would be if it were a product quality or throughput metric.
Operations teams are used to managing a balanced scorecard of KPIs beyond just production volume and cost. They already manage occupational safety, environmental quality, product quality, etc. in parallel to their operational metrics. By working with the flow and making cybersecurity an additional element of that balanced scorecard, organizations can align accountability with the authority to assign resources and take action.
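The scorecard described in the example above can be reduced to a small, repeatable computation: raw plant and SOC records in, red/yellow/green cells out, with anything not in the green listed for a remediation plan. The following Python is an added illustration and is not the customer's actual scorecard or tooling. The metric names, the thresholds, and the asset and alert records are all constructed for the example; a real plant would pull these from its patch, backup, and ticketing systems and tune the thresholds to its own risk appetite.

```python
"""Weekly OT cyber scorecard: turn plant and SOC records into red/yellow/green
status cells, the way a production KPI board would. All data is constructed."""
from datetime import datetime, timedelta
from statistics import median

# Constructed reporting point for the week under review (not real plant data).
AS_OF = datetime(2024, 6, 7, 8, 0)

# Constructed plant asset inventory: unapplied critical patches and last good backup.
ASSETS = [
    {"name": "hmi-01", "critical_patches_missing": 0, "last_backup": AS_OF - timedelta(days=1)},
    {"name": "hmi-02", "critical_patches_missing": 1, "last_backup": AS_OF - timedelta(days=2)},
    {"name": "hist-01", "critical_patches_missing": 3, "last_backup": AS_OF - timedelta(days=9)},
    {"name": "eng-ws-01", "critical_patches_missing": 0, "last_backup": None},  # never backed up
]


def _alert(alert_id, days_ago, minutes_to_triage, true_positive, ops_minutes):
    """Build one constructed SOC alert record escalated to the plant this week."""
    raised = AS_OF - timedelta(days=days_ago)
    return {
        "id": alert_id,
        "raised": raised,                                             # when the SOC raised it
        "triaged": raised + timedelta(minutes=minutes_to_triage),    # when the SOC gave a verdict
        "true_positive": true_positive,
        "ops_minutes": ops_minutes,                                   # plant staff time spent
    }


ALERTS = [
    _alert("A-101", 6, 20, True, 45),
    _alert("A-102", 5, 15, False, 30),
    _alert("A-103", 3, 180, False, 90),
    _alert("A-104", 1, 40, False, 20),
]

# Hypothetical thresholds: (green_max, yellow_max). At or below green_max is green,
# at or below yellow_max is yellow, anything higher is red. Lower is better for all.
THRESHOLDS = {
    "critical_patches_missing": (0, 5),
    "machines_without_weekly_backup": (0, 1),
    "false_positive_alerts": (3, 6),
    "ops_minutes_on_false_alarms": (60, 240),
    "soc_median_minutes_to_triage": (30, 120),   # the SOC's "supplier" timeliness target
}


def compute_metrics(assets, alerts, as_of):
    """Derive the weekly metrics from raw records."""
    week_ago = as_of - timedelta(days=7)
    false_alarms = [a for a in alerts if not a["true_positive"]]
    triage_minutes = [(a["triaged"] - a["raised"]).total_seconds() / 60 for a in alerts]
    return {
        "critical_patches_missing": sum(a["critical_patches_missing"] for a in assets),
        "machines_without_weekly_backup": sum(
            1 for a in assets if a["last_backup"] is None or a["last_backup"] < week_ago
        ),
        "false_positive_alerts": len(false_alarms),
        "ops_minutes_on_false_alarms": sum(a["ops_minutes"] for a in false_alarms),
        "soc_median_minutes_to_triage": median(triage_minutes) if triage_minutes else 0.0,
    }


def rag(value, green_max, yellow_max):
    """Map a lower-is-better value onto a red/yellow/green status."""
    if value <= green_max:
        return "green"
    if value <= yellow_max:
        return "yellow"
    return "red"


def build_scorecard(metrics, thresholds=THRESHOLDS):
    """Attach a status to every metric that has a threshold."""
    return {
        name: {"value": metrics[name], "status": rag(metrics[name], *limits)}
        for name, limits in thresholds.items()
    }


def remediation_items(scorecard):
    """Metrics that are not green, red first, in the order they appear on the card."""
    severity = {"red": 0, "yellow": 1}
    return sorted(
        (name for name, cell in scorecard.items() if cell["status"] != "green"),
        key=lambda name: severity[scorecard[name]["status"]],
    )


if __name__ == "__main__":
    card = build_scorecard(compute_metrics(ASSETS, ALERTS, AS_OF))
    for name, cell in card.items():
        print(f"{name:32} {cell['value']:>8} {cell['status']}")
    print("needs a remediation plan:", remediation_items(card))
```

The SOC timeliness row is what makes the "upstream supplier" idea concrete: it is measured from the same alert records as the plant's own false-alarm cost, so both parties see the same numbers at the quarterly review.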