Battling Distributed Decision Making in IT, OT and Critical Infrastructure

The culture of security self-assessments has given CEOs the opportunity to talk about what their priorities are and see how it aligns with senior leadership in risk and security. This allows for a complete holistic view and a demand signal on how to solve very specific challenges.

Read the Transcript Below

David White (Axio) –  In establishing a culture and focusing on cultural elements, that’s probably the only way to really engender the right kind of cyber judgment across an organization. And as you well know, many of those cyber security and security decisions that are made across organizations with respect to OT systems are made in compartments or departments that are different than the central cybersecurity program. So for me, it seems like this is a critical value that the culture of security program brings to your members. Would you agree with that?

Scott Aaronson (EEI) – I do. There is so much from a… Look, if you’ve got a million priorities, you have none. And so, anything we can do to help limit the number of priorities, make this elephant that we have to eat digestible, doing it incrementally, but with urgency and a focus on the right things, the culture of security, the self-assessments, that opportunity for CEOs to talk about what their priorities are, but then to hear from their senior leadership team who are going to have different equities across different departments and different challenges, and then bring that all together in a way that, again, allows us to prioritize, allows us to look at the right things, and then gives us some demand signal on the best way to solve for each of those discreet challenges. That’s the magic that we’re trying to have here. If you just look at the cybersecurity landscape all at once, and you look at the energy grid all at once, you’re feeling, you just throw your hands up and say, “Oh, we can’t solve this problem. We’re all doomed.” If, instead, you look at it and say, “All right, I’ve got this pyramid. And the top of it is the most critical stuff I can solve for this most critical stuff. Let’s do that.” then you start to get momentum. Then you start to see how we can solve some of these problems. Then some of the things that you do to solve at the apex, you also apply as you go a little bit further down. And again, I don’t want to be dismissive of the fact that all these things are interdependent and interrelated. We can’t completely ignore IT. We can’t completely ignore the lower priorities, but the more we can do to address high priority assets, the more we can do to address high priority threats, we are already making progress to be more secure, and that momentum is only going to help us as we go further down the chain.