Organizational Design: Is OT Cybersecurity Still a Team Sport?

Organizational Design: Is OT Cybersecurity Still a Team Sport?

Organizational theory seeks to analyze the dynamics of a successful business, including the productivity and performance of employees and teams. The recent lawsuit brought by the U.S. Security and Exchange Committee to SolarWinds and its CISO citing fraud places organizational design, chain of command, and chain of custody for cybersecurity due diligence at top of mind.

The SEC lawsuit alleges that SolarWinds and former CISO Timothy Brown “defrauded investors from ‘at least’ October 2018 to Jan 12, 2021 by not disclosing gaps in their security practices, the agency’s latest attempt to force publicly traded companies to improve their security practices.” This unprecedented move begs the question, are executives ready to own operational cybersecurity risk – any situation which could cause a loss of view or loss of control to connected processes and functions?

Organizational design addresses how these teams and stakeholder groups collaborate, and who bears responsibility for various aspects of the OT cybersecurity program. This includes defining roles and responsibilities, decision-making authority and veto power, and processes for communication and coordination. The org design should establish clear channels of communication – regular meetings, reporting structures, incident response procedures – to facilitate efficient information sharing and decision-making.

Models include:

  • Centralized vs. Decentralized: Organizations must decide whether to centralize OT security responsibilities, under a dedicated security team or MSSP, or distribute them across relevant teams and departments. A centralized model may streamline decision-making and resource allocation, while a decentralized approach can leverage departmental expertise – such as engineering and technician skills – to align with operational needs.
  • Cross-Functional Teams: In many cases, organizations opt for cross-functional teams that bring together representatives from information security, network management, OT systems engineering, and governance, risk, and compliance to jointly manage OT security. This approach fosters collaboration and aligns OT security mechanisms with operational requirements, governance frameworks, standards, and compliance across IT and OT.
  • Fully Outsourced: In the context of smaller organizations, IT, OT, network infrastructure management, and GRC may be less mature, non-existent, or fully outsourced. Irrespective of size, many organizations increasingly rely on external providers to fulfill many of these security capabilities, making these partners a crucial stakeholder group that requires considerable oversight, verification, and validation by internal stakeholders.

Who Are the OT Security Stakeholders?

According to the NIST 800-82 revision 3 Guide to Operational Technology, “the most successful method for securing OT systems is to gather industry-recommended practices and engage in a proactive, collaborative effort between management, the OT engineers and operators, the IT organization, and a trusted OT advisor. This team should draw upon the wealth of information available from the ongoing Federal Government, industry group, vendor, and standards activities.”

Stakeholder groups involved in the OT security program may include network management teams, information security, OT system operators, and the governance, risk management, and the full GRC team. However, each have distinct operational functions:

  • Network management teams: Network management is critical to maintaining a robust and reliable IT and OT network. Network teams ensure seamless connectivity, optimize network performance, facilitate infrastructure demands and handle capacity planning. Their budget should encompass tools, personnel, and strategies to ensure network resilience while adhering to security requirements.
  • Information security teams: These professionals are the vanguards of cybersecurity. They specialize in threat intelligence, detection, incident response, and operational risk mitigation. Their role is to safeguard critical systems against external and internal threats. Information security teams require autonomy and sufficient resources to carry out their responsibilities effectively.
  • OT system operators: These teams oversee the operation, maintenance, design and integrity of the industrial processes and control systems. Their focus is on ensuring that critical systems remain operational without disruption. OT systems teams need resources to manage security patches, updates, and vulnerability assessments without compromising daily operations. They share the operational risk mitigation responsibility.
  • Governance, Risk Management, and Compliance (GRC): Often the most diverse from org to org, the GRC team plays a crucial role in establishing and enforcing security policies, standards, and regulatory compliance within the business. They ensure that security measures align with industry standards and legal requirements, reducing the organization’s financial and operational risk exposure. Their budget should support the needs of all other teams to comply with their requisite mandates. I.e., risk assessments, compliance audits, policy enforcement, etc.

What Are Unique OT Challenges to Consider?

Gaining visibility into real-time OT operations to make security decisions is critical to building operational resilience. Implementing OT cybersecurity without a clear organizational structure will only add to the complex challenges that OT presents. To kickstart this process, IT and OT teams must initially construct a compelling business case to secure the required budget from the board or senior management, outlining the individual contributing stakeholders and required communications plans mentioned above. In addition, organizations might also consider:

  • OT security program maturity: Many organizations are in the early stages of developing OT security programming. Establishing effective practices, policies, and procedures can be challenging due to the relative immaturity and newness of OT security roles and responsibilities, often compounded by a lack of staff who have prior experience in this domain. Consider the CISA Cyber Performance Goals (CPGs), independent consultants, or assessment tools to baseline OT security.
  • OT security skills shortages: The shortage of professionals with expertise in OT security poses a significant challenge. Recruiting and retaining skilled OT security personnel can be difficult, impacting the effective execution of security programs and policies. Organizations must answer questions like, is it better to train staff, hire staff, or outsource requirements? Consider free and open-source educational opportunities, paid professional development courses, learning sessions with outside expertise, and awareness campaigns from government and industry organizations.
  • Resistance to change: Employees and teams sometimes resist changes to roles and responsibilities. Effective change management and communication are essential to overcome this challenge. For some organizations, IT and OT have existed as separate and siloed teams and functions. The evolution of IT/OT interoperability suggests that siloed operations ultimately hinder the business. Consider involving both IT and OT stakeholders in the organizational design, budget, and authority process. Invest in ways to collaborate between the two – in capabilities, skill sets, professional development, or leadership.
  • Resource allocation: Deciding how to allocate resources to different stakeholder groups and ensuring equitable distribution can be contentious. Finding the right org structure that balances stakeholder engagement and understanding of operational complexity requires thorough analysis and understanding of the organization's unique OT requirements – including business practices, continuity plans, specific industry regulations and compliance standards, and overall management structure.

Conclusion

If the best predictor of future behavior is past behavior, today is a decisive moment to capture and course correct on OT security practices. Conducting a baseline assessment of the current state of OT networks, roles and responsibilities, and security practices can assist in crafting a compelling business case for senior management or the board. These assessments can provide insights into stakeholder gaps, funding needs, active threats and vulnerabilities, architecture weaknesses, and GRC needs going forward.

Nozomi Networks enables earlier discovery of security events and incidents across the industrial attack surface, delivering real-time situational awareness via:

For more information, book a demo today.