Industrial cybersecurity workforce gaps are not all the same. Different kinds of organizations, at different stages of their evolution, need to look for different kinds of people to fill those gaps. Jason Rivera, a Director at Security Risk Advisors, joins us to look at workforce capability gaps and explore three different strategies that organizations can use to fill them.
The Industrial Security Podcast, hosted by Andrew Ginter and Nate Nelson, is available everywhere you listen to podcasts.
Jason starts by looking at the big picture. In his experience, for example, the biggest cybersecurity workforce and policy challenge in the industrial security field isn’t the typical security controls, standards, programs or insurance – it is the strategy behind who manages an incident, and who decides whether a site must be shut down to contain that incident. That kind of decision requires deep engineering knowledge, cybersecurity knowledge and even management knowledge, all at once.
Cybersecurity Workforce Strategies
Jason then steps back to look at industrial cybersecurity programs and what staffing strategies mean. A smaller organization just getting started with cybersecurity is very different from a larger organization getting started in the context of global operations spanning languages, regions and cultures, which again is very different from a large and mature organization with a lot of specialization. Jason digs into three staffing strategies for us:
- Role-based, where a handful of individuals, usually engineers, move into cybersecurity leadership roles, coordinating with IT experts and designing the industrial cybersecurity program for a smaller organization,
- Geographic, where language and cultural barriers make a “top down” industrial cybersecurity program impractical, and instead we need cybersecurity champions embedded in the company’s regions and management cultures to cooperate to produce, promote and implement a security program localized to the company’s regions, and
- Capabilities-based, where a mature security program needs OT incident response, OT intrusion detection or other specialist expertise added into the skills and specialization mix of the program.
Then It Gets Complicated
Having introduced the concepts, Jason walks us through a more complex example – one where he was working with an organization expanding its security operations center to take on responsibility for monitoring OT networks and escalating incidents found there. In a large organization, there are elements of the geographic strategy at work: a central security operations center (SOC) needs to interface with every geography, language and culture in the organization. There are also elements of the capabilities-based / specialization strategy. OT incident response teams require a lot of both IT and OT knowledge to address OT intrusions effectively, and with minimal impact on or damage to physical operations.
In fact, Jason observes that this set of specialties – the detect / respond / recover pillars of the NIST Cybersecurity Framework – is the one that industrial organizations outsource most frequently. In part this is because the required combination of very specialized skills is hard to find. In part it is because industrial cyber incidents don’t happen every day, and so if you hire an expert or six, it can be very difficult to keep those experts practiced in their field when they are not dealing with incidents all day long.
Cybersecurity Workforce Co-Sourcing
In the end, though, these external experts are going to be generalists, not experts on any one organization’s industrial processes, automation systems and security systems. Jason observes that to make these specialists effective in a cyber emergency, they must have a proven path to cooperate and collaborate with in-house experts – something Jason calls neither in-sourcing nor out-sourcing, but co-sourcing. To maximize the effectiveness of external incident response or security analyst experts, we must have introduced the personnel to each other and worked out emergency cooperation, collaboration, division of responsibility and decision-making protocols long in advance.
The last thing you want in a cyber emergency is a lot of people standing around arguing about who should be making important decisions and what the criteria should be for making them – such as the decision to shut down a facility.