Cybersecurity: An All-Encompassing Organizational Responsibility

Organizations Must Establish a Culture of Resilience With Strategies That Are Independent, Measurable and Usable

Today, the digital world is propelling connectivity and data growth to new heights. While the capabilities and information these technologies deliver can give organizations a competitive advantage, the same ever-evolving technologies also expose critical infrastructure sectors to new threats that call for cybersecurity mitigation measures.

For more than a decade, regulatory requirements such as the North American Electric Reliability Corp. Critical Infrastructure Protection (NERC CIP) standards for the power industry have established baseline expectations for cybersecurity, reliability of operations and the like. However, the guidelines established through regulatory standards are just that: baselines. They set a floor, not a comprehensive program. For example, the industrywide challenges resulting from the coronavirus pandemic were not contemplated when these baseline standards were developed years ago.

Baseline guidelines are only a subset of what skilled risk managers consider adequate cyber resiliency and risk management. There is a clear gap between what is mandated by regulation and what an organization needs in order to meet its minimum viable risk mitigation needs.

Although perhaps too shallow, regulatory guidelines at least ensure that some level of risk mitigation is implemented. By comparison, nonregulated industries are frequently assessed to be in even worse shape. Over the same roughly ten-year span, we have observed that, absent a regulatory baseline, organizations in nonregulated sectors frequently view cybersecurity purely as a cost, or even a surcharge, and consequently choose to forgo investment in cybersecurity mitigations. As a result, these organizations have little or no cyber risk management in place to fend off cyber-related incidents or to build resiliency. In an age when the threat landscape continues to expand rapidly, cyber resiliency is a fundamental building block of any business, and its absence puts these businesses at risk like never before.

Companies must instill a culture of resilience in which security improvements are emphasized as a fundamental component of the organization's corporate culture, and risk-based approaches become the norm. A culture of resilience establishes a set of values and a sense of responsibility that contribute to protecting company assets and operations from security threats.

Perhaps more importantly, these values and responsibilities go above and beyond regulatory requirements, ensuring that reasonable cyber resiliency is achieved. In a culture of resilience, cybersecurity becomes everyone's responsibility.

Meeting Baseline Regulatory Requirements Is No Longer Enough

Given the ever-expanding and intensifying threat landscape, organizations face an onslaught of threats to their success. Unlike in information technology environments, where the focus remains on data security, cyber incidents within operational technology environments tend to carry significantly higher impact, cost and consequence, usually involving direct effects on organizational operations or worker safety.

Even before the coronavirus pandemic, the threat level to the North American energy sector was assessed as "high," and it is expected to remain at that level as the number of detected intrusions continues to rise. Successful intrusions can disrupt integrated systems, such as the operational systems used for situational awareness and energy trading, or can have a more localized impact such as loss of visibility, control, measurement, safety functions, or mechanical and electrical systems. Organizations with minimal or no security controls are easy targets for would-be attackers.

Given the fiduciary duties placed on CEOs, CFOs and boards of directors, it is critical that regulated organizations recognize the importance of cyber resilience and avoid settling for a compliance culture. In this context, a compliance culture is one in which the workforce focuses solely on meeting baseline regulatory requirements and nothing more. Organizations must do more than conduct compliance checks and file their safety and regulatory documents properly. It is the security professional's responsibility to level with executive leadership and convey what is at stake, as well as what must be done to mitigate anticipated risks while simultaneously improving organizational resiliency.

Establishing a Culture of Resilience

A culture of resilience is attainable through the deployment of proactive strategies, including:

• Defining and implementing a minimum viable security standard.

• Investing in training and awareness programs.

• Establishing and tracking incentives for meeting that standard.

• Implementing proper change management programs.

A culture of resilience makes best practices independent, measurable and usable. Cyber and organizational resiliency both become top priorities for the organization, and stakeholders can sleep better at night knowing the organization remains vigilant in managing the risks to its success.

Regulatory standards and compliance cultures may improve performance during normal, incident-free operations, and that is not a bad thing. But in today's environment, the only way to achieve cyber resiliency is to improve incident preparedness and performance, whether the incident is cyber-related or otherwise. That is how we mind the gap, and it is the difference between performing well in good times and performing well regardless of external circumstances.

Minding the Gap

Recent market developments may positively affect the gap between regulatory requirements and adequate risk management. On June 18, 2020, we learned that the Federal Energy Regulatory Commission (FERC) is considering a shift in strategy to incentivize utilities that are striving to close this gap. One of the top approaches FERC has noted would align incentives with National Institute of Standards and Technology (NIST) standards rather than with NERC standards.

This would be a significantly positive development, giving utilities a much clearer view of which security mitigation measures matter most. Historically, however, changes of this kind are not taken lightly and typically take a long time to be ratified and implemented. Asset owners, whether in regulated or nonregulated industries, should therefore not wait for FERC to act. By taking risk management into their own hands, organizations can take the steps needed to protect the health and vitality of the business.

Learn More About ICS Security and Resilience at SecurityWeek’s 2020 ICS Cyber Security Conference: October 19-22, 2020
