Bolstering OT Cybersecurity: Questions Board Members and C-Suite Executives Should Be Asking

As the prevalence of cyber threats continues to grow, board members and C-suite executives must proactively bolster their organization’s security measures. This means asking tough questions and making necessary improvements to ensure the safety of industrial operations and critical infrastructure.

According to studies by the Deloitte Center for Industry Insights and ThoughtLab Group, many executives are ill-equipped to handle external cyber threats: 29 percent of CEOs and CISOs, and 40 percent of chief security officers, admit to feeling unprepared for the rapidly evolving threat landscape. Gartner's prediction that by 2024, 75 percent of CEOs will be held personally liable for cyber-physical security incidents is a warning that digital safety must be prioritized to avoid that liability. Organizations can no longer turn a blind eye to, or be indifferent about, OT cybersecurity.

The same ThoughtLab Group survey indicates that social engineering and ransomware attacks will increase as nation-states and cybercriminals become more active. These attacks will likely exploit weaknesses introduced by software misconfigurations, human error, poor maintenance, and unaccounted-for assets. With the global cost of cybercrime estimated at $8 trillion a year, corporate executives must take proactive, preventative action.

Given these findings, cybersecurity should be discussed with both the IT and OT departments at the table. According to the Deloitte study, the top ten questions board members and C-suite executives should be asking are:

  1. How do we demonstrate due diligence, ownership, and effective cyber risk management? Are risk maps developed to show the current risk profile and to identify emerging risks early enough that we can get ahead of them?
  2. Do we have the right leadership and organizational talent? Beyond enterprise systems, who is leading key cyber initiatives related to ICS and connected products?
  3. Have we established an appropriate cyber risk escalation framework that includes the level of risk we are willing to accept and a threshold for reporting risk?
  4. Are we focused on and investing in the right things? And, if so, how do we evaluate and measure the results of our decisions?
  5. How do our cyber risk programs and capabilities align with industry standards and peer organizations?
  6. How do our awareness programs create cyber-focused mindsets and cyber-conscious culture organization-wide? Are awareness programs tailored to address special considerations for high-risk employee groups handling sensitive intellectual property, ICS, or connected technology?
  7. What have we done to protect the organization against third-party cyber risks?
  8. Can we rapidly contain damages and mobilize response resources when a cyber incident occurs? How is our cyber incident response plan tailored to address the unique risks in ICS and connected products?
  9. How do we evaluate the effectiveness of our organization’s cyber risk program?
  10. Are we a strong and secure link within the highly connected ecosystems we help operate?

Answering these questions gives leaders a clearer picture of which specific security measures are needed and better informs decisions about next steps. CEOs who prioritize and invest in digital security, and take measurable action now, will be ahead of the curve on preparedness and proactive rather than reactive.

Acting now also creates ROI opportunities. With cyber-insurance premiums rising sharply, demonstrating that your company is actively working on security, by performing regular maintenance, updating legacy industrial technology, and establishing preventative security plans, can help influence insurance costs.

For those seeking to bolster their digital safety, Velta Technology offers the Tabletop Exercise and the CDV Index as starting points toward stronger security. Through the Tabletop Exercise, stakeholders gain actionable recommendations for preventing cyberattacks and open a dialogue about IT/OT security ownership for industrial assets.

The CDV Index quantifies an industrial facility's preparedness, resiliency, risks, and progress in addressing digital incidents, threats, and compromises, any of which can negatively impact production, operations, the environment, and even human lives. These offerings give leaders and key stakeholders valuable insight into their security posture and responsibilities.