3 Considerations When Aligning Organizational Structure with IT/OT Governance

Over the past few years, the majority of large enterprises have come a long way in defining their operational technology (OT) governance strategies and making significant strides in reducing risk. Aside from technological innovations, the key success factors I have observed are how governance programs are structured and executed. Most important is the guiding principle that organizational structure dictates strategy.

What do I mean by that?

In organizations with a large cyber-physical systems (CPS) footprint (e.g., manufacturing, oil & gas, and pharmaceutical), CISOs and their security teams should collaborate with OT engineering teams to define and execute OT strategy. And while most organizations have centralized governance and responsibility for OT cybersecurity under the CISO, the devil is in the details when it comes to how they define and implement it.

Implementation details and organizational structure fall on a spectrum from less to more “control” for the security team. I’ve seen several variations work well and I think the key is to have a clear understanding of each team’s boundaries and responsibilities. There are at least three main aspects to consider when redesigning the organization or simply working with what you have inherited, to create a strategy that allows you to effectively reduce risk. These include budget, implementation and ongoing reporting.

Budget. Many companies are moving to centralized budget allocation for OT cybersecurity projects, but what that means in practice can vary widely. You’d be surprised how many answers you can get to the following questions:

• Who owns the budget?

• How easily can you allocate it?

At one end of the spectrum, the budget for OT cybersecurity projects might just be a cost center line item in the security team budget. The risk here is that the project rollout is dependent on OT approval and implementation, and the budget might not be allocated in a timeframe that matches the OT team's availability. At the other extreme, each site has its own budget, which hampers global deployments and continuity across your attack surface, making it difficult to govern with consistent baselines. Whatever your budget process, make sure that, in practice, it supports your combined team’s decision-making structure and timelines.

Implementation. Given the growing maturity of OT cybersecurity, most organizations are at a stage where they know and agree on the categories of risk reduction they should implement. The challenges usually come from the actual deployment and implementation. Organizations should understand and align with the following:

• Who has access (remotely and physically) to the CPS and to the networks where the new technologies are deployed?

• Who is designing the deployment and how will the new technology feed into the rest of the company’s security tools?

Success ultimately depends on a very specific set of combined IT and OT skills, which is hard to come by. Some companies devote time and effort to cross-training their teams or try to hire from outside. Neither is a trivial task. But given the lack of OT cybersecurity talent, cross-training could be faster and more cost-effective. You need someone who understands the operational aspects of the technology and all the constraints to consider when deploying a new technology. Investing in existing staff provides an opportunity for professional development and creates the added benefit of building relationships across teams.

Ongoing reporting. This is probably the most important aspect. On an ongoing basis, you need to be able to monitor your CPS’s cyber posture, overlay that information with the rest of the organization’s cyber posture, and then investigate incidents. There are a few things to iron out when pursuing this path:

• Who consumes security telemetry from CPS and networks?

• Is this data then correlated with security telemetry and information from the rest of the networks?

• How is the data interpreted and who acts?

Part of the requirement is to orchestrate the flow of information and the other part is to have a level of SOC analysts with sufficient understanding of CPS who can triage alerts. When a deeper understanding of these systems and their normal patterns is required, analysts should also have access to OT engineers. Connectivity and collaboration are influenced by the organizational structure as well as the informal relationships that have been cultivated between teams.

The most common and effective organizational design I see is a small dedicated team within the security team that is assigned to partner directly with OT engineering and has varying degrees of authority in executing changes in CPS environments (most often indirectly with the help of the engineering team). The typical implementation of this is a “two in one box” model: a security engineer and an OT engineer are jointly responsible for the implementation at each site. While the formal organizational structure drives the OT governance strategy and significant advancements in risk reduction, a key success factor is the informal relationship between IT and OT organizations. It takes trust and trust takes time, so don’t delay.


Galina Antova is Co-Founder and Director of Business Development at Claroty. Previously, she was Global Head of Industrial Security Services at Siemens, overseeing the development of its services that protect industrial customers against cyberattacks. She was also responsible for leading its cybersecurity practice and cybersecurity operations center, which provided managed security services to industrial control system operators. Previously, Ms. Antova worked at IBM Canada, where she held positions in the procurement and cloud solutions businesses. She holds a bachelor’s degree in computer science from York University in Toronto and an MBA from the International Institute of Management and Development (IMD) in Lausanne, Switzerland.
