Creating a Culture of Security by Design
Published on: Tuesday 09-02-2021
Organisations must ensure that their cybersecurity teams are as effective as possible, especially because cyber-attacks are becoming more sophisticated, says Kris Lovejoy.

We have seen that cyber threats to safety instrumented systems (SIS) are not just a potential, but a reality. The 2008 explosion of an oil pipeline in Turkey is now believed to have been caused by a cyber-attack, in which hackers disabled the SIS before taking control of the oil transmission process and pushing it outside its safety parameters. That was probably the first publicly announced attack of this type.
More recently, safety-related incidents have been on the rise. In 2017, Triton malware – the first SIS-dedicated malware, capable of modifying main functions without any notice to system engineers or operators – was identified. The rapid evolution of technology and constant changes in IT/OT integration increase the risk of cybersecurity incidents in critical infrastructures. Securing SIS has become a crucial task, because the traditional approach of statistical analysis and testing is not sufficient to ensure the expected reliability. As a result, functional safety experts need to incorporate cybersecurity approaches, including effective digital OT asset management, into their methodologies, to ensure SIS continue to protect facilities effectively from malfunctions of industrial installations.
Moving forward, organisations must ensure that their cybersecurity teams are as effective as possible, especially because cyber-attacks are becoming more sophisticated, and new and disruptive technologies such as the Internet of Things (IoT) are rapidly increasing the level of connectedness across organisations, thus increasing the attack surface.
Despite the overall growth in cyber-attacks, only one-third of organisations say the cybersecurity function is involved at the planning stage of a new business initiative, according to the EY Global Information Security Survey (GISS).
This year’s EY GISS, which surveyed almost 1,300 cybersecurity leaders at organisations worldwide, showed that almost 60% of organisations have faced an increased number of disruptive attacks in the past 12 months. Even though the risk is increasing, only 36% of new, technology-enabled business initiatives include the security team from the beginning, according to the EY GISS.
The traditional model of cybersecurity as a compliance activity, bolted on through a checklist approach instead of built into every technology-enabled business initiative, is not sustainable. Next-generation chief information security officers (CISOs) should look beyond the standard information security realm into OT’s cyber-physical systems, considering safety as well as threats from emerging technologies such as IoT and cloud, to mention just two examples. To get ahead of those threats, companies must focus on creating a culture of security by design. This can only be accomplished if organisations successfully bridge the divide between the security function and the C-suite and enable the CISO to act as a consultant and business enabler instead of the stereotypical roadblock.
In the face of mounting cyber threats, organisations should, instead of going on the defensive as many do, take advantage of the opportunity to gain a competitive edge by putting enhanced cybersecurity and privacy at the heart of their strategy.
World-renowned in cybersecurity, risk, compliance and governance, Kris Lovejoy leads EY Global Consulting Cybersecurity services. She regularly keynotes at RSA, InfoSec and Security World conferences as well as appearing in publications such as Forbes, Fortune, SC Magazine, InfoWorld and USA Today.
Prior to joining EY, Kris was CEO of an AI-driven network security company. Previously, she was also the general manager of a multinational information technology company’s security services division, charged with building end-to-end cybersecurity programs for clients worldwide.