What to Consider When Budgeting for 2023’s OT Cybersecurity Needs and Wants
January 2023 by Ilan Barda, CEO of Radiflow
Regardless of what the future holds for the economy in 2023, your organization, especially its financial commitment to supporting OT cybersecurity efforts, is being decided now.
At this critical juncture, we see that cyber-attacks, such as ransomware attacks, showed no sign of slowing down in 2022, impacting companies big and small across North America and Europe. What we see across industries, as a result, is that cybersecurity teams are tasked with balancing external threats with internal protocols and federal requirements— making it more crucial for them to have the resources they need to secure their connected devices operating in an OT environment.
In the public sector, much of the funding needed to secure critical infrastructure has already been allocated. However, in the private sector, funding is far from guaranteed. Here lies the big question, how do you maximize your efforts, considering the current economic uncertainty, and your need to protect assets?
Weighing your 2023 options
In the private sector, you have three options in how to proceed with obtaining the budget you need while still providing the vital support your connected OT equipment needs.
Here are 3 options to consider:
Option 1- Do nothing
If your organization has not yet begun its digital revolution, you may choose to continue as-is, relying on manual tasks or machines that have no internet connectivity.
From the board’s perspective, if 2023’s financial outlook seems uncertain, perhaps this is not the best time to invest in the costly modernization of the production lines and the related comprehensive cybersecurity solution.
In this scenario, it is still important to note that any connected device, from large machinery to small IoT devices, must be secured. One hacked network device provides access to all other devices that have trusted the same network. So, make sure that you review your existing architecture and verify that the required cybersecurity controls are in place.
Option 2- Full steam ahead
Will holding back the tide of your digital transformation actually cost your organization money? After all, the reason you digitized in the first place was to streamline processes, making more room for profit-generation operations, such as greater production or significantly lower operating and utility costs. For example, the ROI on deploying energy savings IoT solutions has become even clearer as energy prices dramatically increased.
To those that decide to proceed with the digital transformation plans, I recommend that you do so with caution. Consider:
1. Automation expands the cyber perimeter. Make sure that you deploy OT-specific cybersecurity tools that can allow you to protect your cyber perimeter and detect any anomalies in the internal OT network without impacting the operation.
2. Optimize cybersecurity
a. Run OT-BAS (Breach and Attack Simulations) to understand what has a higher priority to defend. This is ideal if you have the budget and can hire an in-house team.
b. Identify the business impact of each vulnerability and then prioritize your security controls according to the tolerable business risk.
Option 3- Make more with less
Across industries, we have witnessed large pressure from boards and C-level executives to reduce costs throughout their company, keeping only what is mission critical.
Whether you are operating some connected legacy device or in the midst of your organization’s digital revolution, consider if some parts of your digitization can be held off for the time being. Can the digital revolution be delayed, considering that:
1. Fewer connected devices and sensors mean a smaller perimeter to protect since there are simply fewer devices to hack.
2. Cybersecurity as a Service- Instead of purchasing OT cyber-security tools and struggling with their deployment and operation, outsource it as a service (MSSP). Here, the costs are less, and your commitment is relatively short. At the same time, you have to weigh that an internal team will be needed sooner than later and when a team is kept in-house, so is the knowledge.
Cybersecurity is no luxury
Ultimately, Cybersecurity is a non-optional investment. What was once a luxury is now a must-have, not only by your board but by multiple federal agencies as well.
Both your CEOs and the board know it’s needed, but that doesn’t mean you won’t be expected to justify your budget. Be prepared to answer what’s in your network, where the weaknesses are, and a clear roadmap on how to prioritize, fix, and secure your network. Make it painfully obvious. Be prepared to break it down piece by piece as it relates to business goals. Don’t assume they understand the task at hand or the urgency.
Ultimately, understanding your department’s critical needs and aligning them with your company’s roadmap is the only way for the board, C-level executives, and your team to be aligned. This alignment goes beyond the budget. You’ll be aligned on what it takes to actively protect the investment that has streamlined processes and allowed the digital revolution to pave a path to their thriving business.