April 24, 2020 The COO and Cybersecurity: Challenges and Best Practices

When it comes to securing operational technology infrastructure, chief operating officers face a unique set of challenges.

Production floor efficiencies are the primary success metric for many top-tier COOs.

By Rick Peters, CISO for Operational Technology, North America, Fortinet

When it comes to securing operational technology infrastructure, chief operating officers (COOs) face a unique set of challenges. For one thing, while the responsibility for operational technology (OT) security is usually shared by the chief information security officer (CISO) or other executive, the COOs directly influence OT security as their teams are often responsible for managing and purchasing the equipment and security tools deployed on the production line.

A second challenge is the present industry trend is to converge OT and IT infrastructures. While convergence benefits the organization in many ways, it also expands the threat landscape and increases complexity. At Fortinet, we recently examined these challenges in The COO and Operational Technology Cybersecurity: A Report on Current Priorities and Challenges. Key pain points and best practices drawn from the report are discussed below.

Challenges for the Modern COO

Our report revealed that three current pain points for COOs are dealing with the unprecedented level of change, struggling with risk management challenges, and keeping pace with the evolving cybersecurity landscape.

The combination of OT/IT convergence, higher expectations of business executives, and an increasing level of involvement of the CISO in OT cybersecurity, present the COO with an unprecedented level of change. OT network environments are more complex just in terms of the sheer numbers of devices present across an operational environment. In the survey, 87% of respondents said they managed at least 100 devices, while 41% exceed250 devices under management purview. This growth in the number of devices contributes to complexity, especially in terms of updates and maintenance. Nearly one-third (32%) of respondents said that the complexity of managing their cybersecurity systems has increased their workload—and consequently, their stress level.

Far more than any other aspect of their jobs, COOs wrestle with risk management challenges. Cyber risk is now the top concern among businesses of all sizes. For COOs, risk management is the biggest factor – due to the advanced threat landscape, the expanded attack surface, and increased complexity. This finding is consistent with the earlier finding that the OT security posture influences the organization’s overall risk assessment.

A third COO challenge/ key pain point is the difficulty keeping pace with changes due to the advanced threat landscape. In addition to risk management, 61% of COOs report that and expanded and technically advanced threat landscape makes it difficult to keep pace with change. This finding can be well explained as many OT organizations are connecting the formerly isolated or air-gapped OT infrastructure to the outside world.

As a result, OT infrastructure is suddenly bombarded by malware payloads that target legacy software and hardware. These legacy exploits often pose little threat to the IT infrastructure but can wreak havoc in targeted areas of an OT system that lack signature-based protection. Thus, it comes as no surprise that COOs have trouble keeping up with this new set of challenges.

Best Practices

The number of intrusions that survey respondents experienced led to the creation of two subsets: the “top- tier” and “bottom-tier” groups. A comparison of these groups identified a number of best practices that top-tier COOs were more likely to use:

1. Focusing on compliance: The top tier COOs were more than 168% more likely to cite regulatory changes as one of the three biggest issues impacting professional success. In a related finding, top-tier COOs are 45% more likely to conduct regular security compliance reviews, a likely indicator that these COOs are responding to regulatory challenges in a proactive way.
2. C-level responsibility: COOs in the top tier are 124% more likely to work in organizations where a C-level executive has the ultimate responsibility for cybersecurity. Given the increased organizational awareness of the importance of OT security discussed earlier, it is not surprising that high-level responsibility correlates to fewer intrusions. Likewise, since many organizations are moving OT cybersecurity responsibility to the CISO, this should pay dividends in the form of fewer intrusions.
3. Operational success: Production floor efficiencies are the primary success metric for many top-tier COOs. COOs constantly balance their traditional focus on operations with growing expectations for securing the OT infrastructure. Top-tier COOs find ways to meet their security obligations while continuing to focus on operational efficiency.
4. Using the multi-factor option: Multi-factor authentication enforcement is a proven strategy to boost an organization’s security posture. Top-tier COOs are 49% more likely to use multi-factor authentication. The most successful COOs are adopting this cybersecurity best practice and increasing their threat defense posture.
5. Connecting productivity and cybersecurity: Top-tier COOs are 34% more likely to track productivity gains as a cybersecurity metric. COOs are measured based on productivity, and it makes sense that they would connect security programs with operational efficiencies—whether completing tasks faster or simply avoiding manual workflows through automation. Top-tier COOs are 49% more likely to track financial implications as a cybersecurity metric.

   It comes as no surprise that top-tier COOs extend their budget-tracking process to include cybersecurity responsibilities since organizations routinely grade their COOs on overall financial performance.

6. Reporting pen-testing: cybersecurity leaders place great importance on testing as a means to accurately assess risk. Top-tier COOs are 34% more likely to report the results of penetration and intrusion tests to the leadership responsible for cybersecurity. Testing proactively pinpoints vulnerabilities and provides actionable areas for remediation. The fact that top-tier COOs have time to devote to testing suggests that they have additional staff who can handle the day-to-day security tasks.

Follow the Leaders

The numbers are clear: in 2020 organizations expect COOs to be deeply involved in OT cybersecurity. It is also clear that OT cybersecurity is a significant challenge to COOs as both the integration of IT and OT and the expansion of the threat landscape collide. These executives must not only fulfill their operational mandates but simultaneously secure their new network landscape. The six areas of excellence noted above will enable COOs to improve their security performance in an increasingly complex industrial environment.

Rick Peters

About the author
Rick Peters is the CISO for Operational Technology, North America for Fortinet Inc. delivering cybersecurity defense solutions and insights for the OT/ICS/SCADA critical infrastructure environments. He is charged with overseeing growth of Fortinet’s penetration into the largest global operational technology (OT) marketspace. That charge entails identifying and partnering to gain traction on existing OT business campaigns as well as targeting emerging customer opportunities. He previously served at the director of operational technology global enablement for Fortinet. Prior to joining Fortinet, he served the U.S. intelligence community for more than 37 years imparting cybersecurity and global partnering experience across foreign, domestic, and commercial industry sectors at the National Security Agency (NSA). He led development of cyber capability against Endpoint, Infrastructure, and Industrial Control System technologies at the agency.

Subscribe to Industry Today