You Can’t Say You Can’t Play.
Lenny Levine was a great kindergarten teacher. And he ran his class by this one rule. It means that if another kid comes along, you need to include them in your game. That’s it.
This is timely given this week the RSA Conference draws 40K+ security professionals to San Francisco, and ICS has a small, but growing presence at the event. Plus the tribute at RSA to Mike Assante, who, along with also gone to soon Ernie Rackacsky, were great examples of welcoming people outside the ICS security community in to help.
As a whole, the ICS security community is a very friendly place when you are in it. I love the tribe. It sometimes though is not accepting to people who want to join in and help. If you are not an engineer. If you have not been in Operations for 10 years. If you don’t tow the line to long held conventional wisdom for OT and ICS security, and repeat the mantra’s … A-I-C not C-I-A, OT is different than IT, ICS have life cycles measured in decades … then you can’t play.
And this is at the same time that the community wails about the shortage of talent and the size and scope of the challenge to secure these control systems.
We need to be living by that kindergarten rule and welcome anyone who shows interest from any field. This includes IT, IT security, DevOps, cloud services, and even non-traditional fields such as economics, finance, and psychology. Sure they will need to learn about OT and ICS, and we can learn something from them. Just one example of many, the ICS community, with a few exceptions, has been terrible at calculating and describing risk in a way that makes sense to executive management (and in related issue getting budget). Putting more engineers and operations professionals on this is less likely to be effective than bringing people with this expertise into the ICS security community.
We need more new ideas, crazy ideas, and more experiments in trying them out. The traditional and safe ideas are only making slow, prodding progress as the threat and changes in OT race on at faster pace. These ideas can of course come from within the existing ICS security tribe, and they can come from people outside the tribe who aren’t burdened with decades of baggage, along with the useful decades of different experience.
Hopefully, RSA had hundreds of people considering securing ICS and helping with the fast changing OT world as a career move. And we should let them play.
The article above is about accepting diversity of work experience into the ICS security community. We also need to have the ‘everyone can play’ attitude with race, gender and any other factor that is part of what makes a person. Others are much better than I at writing about that. I have learned from some helpful friends that this diversity requires more than “an everyone can play” approach, and we continue to work on this for our S4 events.