After a recent virtual keynote I was asked a perennial hopeful question:
How can we make cybersecurity a source of revenue rather than a cost?
The short answer for an OT asset owner is, you can’t.
The motivation is understandable. Businesses and their executives try to reduce costs in order to improve profitability. Even more so, they try to prevent the addition of new costs that will reduce expected profits.
Many asset owners have spent little on OT security, particularly in comparison to IT security, the cost of the plant/system/operations, and the critical role the production of the product or service plays in the company’s revenues. Most have also not seen profit or revenue affected by their current level of OT security spending. OT security spending would be a much easier sell if you could position your requested OT security spend as generating many times that in revenue.
Unfortunately, it is a cost, like materials, capital equipment, labor, and overhead. Trying to pretend it is not a cost will cost you credibility.
You can and should make the case, if true, that this cost is necessary to reduce the risk of a loss due to a cyber incident. A loss that could be quite large. You should make this case in financial terms after working with finance to understand what level of loss gets their attention, and the best language and positioning to make your case for an OT security spend.
Getting OT security budget is often easier for new systems where profit expectations are not yet set in stone, particularly in cases where a new technology that offers significant benefits is being introduced. This is the time to say yes, not no: this new technology is great, but it may introduce some new risks and require some minor OT security spend to address the risk and capture those benefits.
A common example in the SCADA world was the move from VSAT and other satellite technology, and even leased lines, to cellular data. The cost savings were often $100+ per month per site. It was an easy case that spending three months of that year-over-year savings to secure the solution was warranted.
The benefits don’t always need to be this directly tied to money. Even the above example had much higher data rates as a second benefit. This allowed pipeline status to be updated more frequently and supported an IIoT vision with more data flowing back from the field. The large purported benefits from those buzzword projects (big data, cloud services, digital twin, IIoT) all will make getting an OT security spend as part of the project much easier if requested during the design and planning.
OT security is a cost. Often a completely necessary and wise expenditure, but still a cost.
You need to get better at explaining why the OT security costs are necessary as part of risk management, which executives also care deeply about.
Now to argue against my own article, the one way I can see security being a revenue generator is if you could get someone to pay for your security event logs. The US Government wants access to critical infrastructure event logs, but they are positioning this as part of a free service they will provide. A number of companies are offering threat intel services that might benefit from data sources.
This is unlikely to happen, and even if it does it is unlikely to be priced in a way to convert security from a cost to a revenue source.