By Gregory Hale
Middle managers may or may not be aware of the increased need for security, but they are an obstacle when it comes to implementing and promoting security within their realm.
While that may not seem to make sense at first, it makes perfect sense when a middle manager’s compensation and objectives, whether for a process line, an entire plant or anything in between, focus on performance. With pure performance objectives strictly in mind, security will often go by the wayside.
One case in point: a CISO at an oil and gas major told a group of about 50 ICS cyber security experts, at an invitation-only meeting to discuss cyber security in oil and gas, that one of the objectives handed down from his chief executive is to go around and get middle managers to adopt and follow the security process, said John Cusimano, director of industrial cybersecurity at aeSolutions. The CISO’s mission is to make security part of the culture.
The CISO said his biggest problem is middle managers. Not the workers in the trenches, but middle managers.
“I have seen this with other clients where even higher-ups (e.g., VPs) in Engineering, Operations or even IT may not be on board with an OT cyber security program,” Cusimano said. “For such a program to be successful it requires support from all three. Not surprisingly, the battles are more about company politics than anything else.”
“One of my clients, a global chemical company, operates a very successful OT cyber security program,” Cusimano said. “However, they really struggled in the initial formation of the program due to internal politics. The program was chaired by someone from operations who started his career in engineering. He was able to easily get engineering on board but really struggled with getting IT, and thus the whole team, rowing in the same direction.
“He brought my company in to help educate and establish a strategy for the team. Initially, you could see and feel the tension in the room as different groups literally faced off on opposite sides of the table. This is where having a neutral third party who understands both automation and IT and has experience working with complex organizations can really help.
“We were able to help them understand the risks to the company (not just their department) and identify areas of weakness (vulnerabilities) without pointing fingers. After a couple of months the team had developed a strategy and a plan to conduct several site vulnerability assessments on sample facilities in order to gather more detailed information.
“The most brilliant part of the plan was that the chairman of the committee brought the IT people into the field for a week-long ‘tour’ of several facilities. It was the first time that most of them had ever been in a plant. It was very eye-opening for them to see a real chemical plant and to see the day-to-day challenges that operations faces and to see, first-hand, how their IT infrastructure interacted with the plant infrastructure. They loved it. After a couple of days the IT and OT people were working hand-in-hand to gather the information we needed and conversations every night at dinner were lively and constructive. Most notably, when we got back and had the next committee meeting everything had changed. Instead of tension there was camaraderie and the groups sat co-mingled around the table. This was one of the most rewarding projects I have worked on because I was able to witness and be a part of bringing IT and OT groups together to solve a common problem,” Cusimano said.
Middle managers bottlenecking the security culture and program is a huge obstacle to overcome. Executives in the corner office and boards of directors are very aware of the issue, as are those working on the day-to-day issues in the trenches. But those middle managers remain a problem, said Martin Smith MBE, chairman and founder of The Security Company, and of the Security Awareness Special Interest Group at the CBI Cyber Security Conference 2015 in central London last week.
In a world where middle managers are measured, and rewarded, by performance, security will end up as IT’s problem. “[They only want to] be measured by business performance and not cyber-security performance,” Smith said.
Smith said they have yet to accept the idea that cyber security is no longer just a technology issue, but a business issue.
Oftentimes people will say awareness is not necessary because people are aware. That is not true: true awareness and understanding occur because the point is continuously hammered home until it becomes second nature.