Podcast

The CISO's Role in OT

Eileen Walther, General Manager of Northwave Cyber Security, and Klaus Mochalski get to the bottom of how the role of the CISO in OT security has changed and what SMEs can learn from this.

Duration:
21 min

Guest in this episode:

Eileen Walther
General Manager Northwave Cyber Security


Transcript

Klaus Mochalski

Hello and welcome to a new episode of "OT Security Made Simple”. I'm Klaus Mochalski, founder of Rhebo. My guest today is Eileen Walther. Eileen is General Manager DACH at Northwave Cyber Security. Eileen, why don't you introduce yourself and tell us a bit about what you do at Northwave, what your responsibilities are and what your relationship to OT Security is?


Eileen Walther

Thank you very much. My name is Eileen Walther and I'm responsible for our activities in Germany, Austria and Switzerland. We help companies to protect themselves against cyber attacks by implementing holistic organizational, technical and human measures. And holistic doesn't just mean IT, but also OT. And if it does happen somewhere where we are not asked to help protect the company beforehand, we also have a Computer Emergency Response Team that comes into action when things really get tough. However, we would like to prevent this from happening in the first place.

Klaus

We talked beforehand about the current topics that are of concern to your customers. And not only is the topic of OT security increasingly on the agenda for you as a traditional IT security provider, but also the big questions regarding the organizational structures that I need to be able to address. Do I have my normal IT department there? Who is responsible for management? This is also a discussion that can be seen internationally at all levels. Especially for companies that are already taking steps towards “integrated IT & OT security” and that have restructured their organizations or are in the process of doing it. Often the Chief Information Security Officer (CISO) plays a central role here. We always have the feeling that here in Germany in particular, we are lagging a little behind when it comes to modern organizational structures. That this is more of an American-driven issue. And we wanted to discuss today how you see this, how you perceive it and what your recommendations are for the implementation of organizational structures and which role the CISO plays in this scenario. A very important topic for the end of the session is the question: Is it the CISO's fault if it doesn't work?  

Eileen

More and more organizations in Germany also have a CISO. However, one CISO is not in another. And you have just described the situation in the United States. There, CISOs often have a strategic role in a relatively mature security organization. And that, like the CISO role, is where you can ask the question: Is this CISO to blame if it fails to work holistically? In Germany, however, and especially in manufacturing companies, we can see that we are still a long way from this starting position, that there is still no help and no strategic CISO role. And then you can still talk a lot about how important it is to work top-down and bottom-up and to establish the link to production. But before you can talk about whether it's his fault or not and whether he's effective in this approach, I think you must look at how this CISO has been positioned and what are the actual competencies and ambitions of this person? And we often still see a mismatch here in Germany and this is a big issue in the manufacturing industry now.

Klaus

In other words, you realize that the position of CISO is still relatively rare. When it does exist, it tends to be a kind of fig leaf position where the strategic and perhaps also operational responsibility for the position is missing, and the position is simply not equipped accordingly. Why is it still a good idea to have a CISO? Or can you say that this is a form of organization that perhaps works in the USA due to the different legal circumstances, but here in Europe or Germany, it’s different because there is more regulation? Do we perhaps also need other roles that are responsible for security?


Eileen

Yes, the last one. We need different roles and above all, a changing role that is based on the needs, the security requirements and the maturity level of the security organizations. Because we are constantly coming up against this in practice. We have recently investigated to structure the current situation more clearly and therefore have more power to talk about it. Where are you right now and what do you need in this situation? Where do you want to go and what do you need in the next phase? And that is different and important to understand. Now, many companies in Germany, especially in production, still have CISOs who are more information security officers, e.g. responsible for guidelines, or rather IT security specialists who implement the IT security measures. If these people are then given the task of talking to the production manager about how OT security can be integrated well, then both of us have many examples of how this conversation can be difficult because the production manager only has one goal: to produce. And if someone from an IT or compliance department has these conversations about what it takes, then they are often very far apart.

If you want to work effectively, you should first identify: Where do I actually stand? If you're still mainly dealing with guidelines and IT security measures, then you're probably still close to the bottom of what we call the work expedition that you have with this role. And that asks something different in the base camp than from the summit.

Klaus

So if I follow this bottom-up approach and bring in the IT security experts and let them talk to the production experts, there is always a clash. It's difficult to reconcile the different optimization goals. And that, I believe, is also the reason why the role of the CISO is so important. It's being upgraded because security, cybersecurity risks, whether in IT or OT, are seen as a completely normal operational business risk. Like any other risk of a power outage, like a production error, all these topics can be a risk to the business. And I think it's very important to look at it that way. That should actually be a good argument for creating such a role for German manufacturing companies too. But they often don't exist. What would be your clear recommendation, perhaps also for smaller companies, e.g. manufacturing companies or SMEs? Perhaps they will say that it is often not justified to create a management position like this. Or what is the recommendation for precisely this customer segment?

Eileen

So in this particular customer segment I would say that the person who first brings this organization to Base Camp should perhaps not appoint a CISO, but simply state the relevant tasks. These tasks must also be implemented, but this can only be done effectively if you have support, especially from the board and the production managers. And then the person who is perhaps called a CISO is not the one who is in the lead to bring it all together completely, these strategic business objectives, these fundamental risks that you cannot accept, which the production manager himself also feels, because business continuity is precisely the production manager's goal, they have the same goal. But you can't expect them to turn a CISO into a strategic CISO. But if you only have the resources to have an information security officer implement the work, then you should definitely take responsibility for strategic security management and the discussions and the mandate that you need to reach certain decisions from the management and support them yourself.

Klaus

Who do you mean by yourself? Who should take over?

Eileen

Then you should make it clear that you don't actually have a CISO and that others in the management team should position themselves very clearly and take responsibility for security and security management. The same applies to other topics such as communication and operations in general, which is often a good place to first anchor responsibility in the management. Even if you say that we don't have someone at a strategic level separately, full-time from CISO, who takes on this responsibility, then it starts with the fact that you still say that we bear the responsibility. It is then a more honest task of the person who supports this journey and this person gets more support at a strategic level. However, we also see that this is often not successful if you say, okay, we'll theoretically take on the tasks, but it's still often not an issue where the management then personally takes it further into the organization, like e.g. production management. And that's why for many companies it's actually no longer appropriate for the risks to remain in this base camp, on this mountain expedition, but you have to go to high camp.

And that means you need a CISO who actually has different skills, a different profile, who is more into change management, who creates a cybersafe culture and is very strong in stakeholder management. So that you can really have a conversation at eye level, because they are able to immerse themselves in production and understand that OT is not IT and that responsibility for OT extends from maintenance to the electrician and that this is very different from what we are used to in IT. And that is still not this strategic CISO, because that would then be the next level for the summit in the mountain expedition, which really enables these business goals with security at the highest strategic level and really works completely in line with the business strategy. But you only need one level down with the risks that you actually have these days.

Klaus

I can hear from what you said that the role of CISO actually also exists in smaller companies, where it is often not a dedicated resource, i.e. not an entire position that I can fill with someone who takes care of the topic. But if the CISO is a full-time position, then someone from the management must strategically take on this area of responsibility to ensure that it is implemented at the lower levels in line with the corporate strategy. Which means - I can't get around it.

Eileen

There's no getting around it and you still need someone who has the profile to manage it accordingly, whether that's a dedicated, full-time internal person or whether you bring in external support that doesn't work full-time for the company, but in any case accompanies the journey, with support from the internal resources Sustainable System, ISB, IT Security Specialist and so on. This depends on the extent to which you are already in a position to set up a larger security organization yourself or not. Just as in IT, you also want to decide whether this is something that I can set up completely myself or whether I should outsource certain tasks in this area.

Klaus

I was just about to ask the same question. To what extent can I actually outsource this topic, e.g. the strategic part that the CISO takes on? To what extent can I get support from external companies if I don't have the resources internally? It may be a realistic assessment that I, as the management, say that there is no one here who can deal with this issue. We also don't see that we need a full-time CISO or have the budget for one. Can we simply buy in this service now? This purchasing is happening all the time via consulting services at the working levels. This means that a lot of IT services and OT services are outsourced. Can I do the same for this strategic part?

Eileen

It would be strange if I said not, because we also offer that. But yes, although I always say, "You can't transfer responsibility to us," because regardless of whether it's an internal CISO or an external CISO, the management bears the responsibility. It needs the mandate of the management, but the implementation of the strategy and especially the experience of what an effective strategy is for this company, that's something that, especially if you don't yet need a full-time CISO, a full-time strategic CISO, that can be an approach to move more quickly from base camp to high camp in which you can use the internal resources you have much more efficiently. This would allow you to use the internal resources that you have much more effectively and the stakeholder management that you are used to and to know more quickly what the pain points are in the various business processes and especially in production, so that you can set up this cycle more quickly and thus operate more effective security management. But that's different from the responsibility.

Klaus

Yes, of course - the management remains responsible. They can't buy their way out of it completely but they can buy in support. If a company decides to work with you and you offer this strategic consulting, what does that look like from the company's perspective? How long do you accompany these companies? Is this a one-off project that will be completed at some point? Or do you support these companies on an ongoing basis? What is the usual approach that you offer there?

Eileen

This is a very important question and it is also the first question that should be clarified. Especially with the management since these are strategic decisions at the end. Do you just want support to get to a certain level quickly and parallel support to build up your own security organization that can take on this task in the long term? Do we build and is it just temporary support? That is one option. But you can also decide that it's not worth it for us and we'll do it with the partner in the long term. But it is important to make these decisions very consciously, because what we often see is that at the moment, precisely because very compliance-driven security needs are emerging, especially among production companies. This also leads to the question often being asked: "How can you get us to ISO certification quickly?” And then we say getting ISO certification quickly or making NIS2 compliant and so on is not that difficult. We can do that relatively quickly and well. But the important question is: How do you stick to it? How do you stay at the level that you can achieve with the certification, because it's all about retaining the certification and it's all about really getting the risks under control.

And that has not yet been clarified. So even if I decide that I want to make a decision within a few months bears questions. I'll spend the same few months that I'm dealing with it considering the question of whether I can set up a security organization in parallel that can continue to work at this level? Or do I not see that and do I already have to think about how to organize it? Very rarely do customers tell me that the first CEO is focused on the strategic question: How do I actually protect our production against attacks?

Klaus

Yes, I think that's the important thing to understand, that all these certifications that are offered, the security frameworks that you have to implement there, that it's not an end in itself to get the stamp, but that it's about reducing the risk of cyberattacks. And that is an ongoing effort. And, of course, there is the initial effort to raise to the next higher security level. But even then, it's a permanent effort and I think that's very important to understand. And that's why I can only endorse what you said about this. Finally, we could now briefly clarify the question: Is the CISO to blame if his organization is not well positioned or, to put it more logistically, if something has been done and then the company becomes the target of a cyberattack and suffers damage as a result? Who is to blame?


Eileen

If it was a strategic CISO, then you should ask yourself whether this strategic CISO did a good job by failing to protect the organization. There is no such thing as 100% security, but then you can definitely ask the question. If a security officer or an IT security specialist within an IT department calls you a CISO, then you can't say afterwards that it's their fault that we failed to protect our strategic responsibility and our business against such risks and attacks. You have to ask yourself the question: Did we actually take our responsibility as management, and are we therefore not to blame ourselves if the case does occur?

Klaus

Yes, exactly. So a good call to the management. The management is always responsible. Either the CISO as a position is part of the management or the management takes over the strategy but you can't get rid of the responsibility. Eileen, thank you very much. That was a very interesting discussion. I was delighted that you were my guest today.

Eileen

Thanks a lot – Bye!
