1. Turning Down The Demand Curve

A market has a supply curve and a demand curve. Most OT security workforce shortage discussions focus on the lack of supply, the lack of people in the field. This is to be expected for a new career category and with many companies starting with no OT security workforce. We need to build the supply, and we are seeing some success early in this decade.

However, this does not mean we should expect or accept the need for an ever-increasing supply of OT security workers. Full credit to Ralph Langner for continually raising, most recently at the S4x23 Closing Panel, the point that we should be focusing on automation to reduce the demand for OT security workers. We should be using automation to reduce the number of people it takes to create and maintain an asset inventory, perform patching and other cyber maintenance, detect cyber incidents, and track security and reliability posture.

Automation will not only help reduce the workforce demand, but it will also eliminate some of the least enjoyable and challenging work … that leads to

2. Abandoning The OT Security Field

A number of people cycled through the OT security field in the first two decades, 2000 – 2020. It seems like a fascinating field as you join. Embedded systems and physical processes are very cool to a security pro who was used to a laptop or data center. Go out and see the automation on a factory floor or the physical environment on an oil platform. Good fun for a curious soul.

The problem is that after you do this for a few years as a consultant, you see the same issues over and over again. If you are technical, there is a real concern your skills will atrophy if you stay longer. I lost a lot of talented technical consultants from 2005 – 2015 because of this, and I couldn’t tell them they were wrong to leave OT security.

If you are working OT Cybersecurity for an asset owner, there is a likelihood you have minimal budget, are dealing with old technology, and are repeatedly told what won’t work. There are some early adopter asset owners who are past this, but it’s still the norm. If you have a cybersecurity background, why not work in something hot and fast-paced, with lots of new learning?

Consider this from Peter Drucker:

The first sign of decline of an industry is loss of appeal to qualified, able, and ambitious people. The American railroads, for instance, did not begin their decline after World War II — it only became obvious and irreversible then. The decline actually set in around the time of World War I. Before World War I, able graduates of American engineering schools looked for a railroad career. From the end of World War I on — for whatever reason — the railroads no longer appealed to young engineering graduates, or to any educated people. As a result, there was nobody in management capable and competent to cope with new problems when the railroads ran into heavy weather twenty years later. 

Management: Tasks, Responsibilities, Practices

OT security is in a growth phase right now. We need to build on this and attract and keep top-notch people in this field. The OT detection startups and their meaty technical challenges have helped with this, and I expect SBOM/supply chain will as well. Some of this has resulted in these vendors pulling the best talent out of asset owners. Getting the best people into asset owners, and keeping them there, will require removing the drudgery, even well-paid drudgery.

3. OT Cyber Risk Workforce

The final thought is that we need to be growing the OT cyber risk workforce, of which the OT security workforce will be a component of decreasing importance. Today the two terms, the two workforces, are almost synonymous. This is due to the near-exclusive focus on an ever-growing set of security controls (cyber hygiene) as THE way to address OT Cyber Risk.

We need engineers, safety experts, and sector process experts to reduce the consequence side of the risk equation. This is envisioned in CCE and CIE, though even those programs tend to emphasize cyber hygiene. The greatest workforce shortage today is OT Cyber Risk Engineers (or whatever we want to call this role). The paucity of those with both the skills and the interest is why cyber hygiene is carrying the day as the best way to address OT Cyber Risk. It shouldn’t be surprising that when you ask a bunch of security professionals what the top priority is, they will answer more security controls.

We will need finance and risk management professionals to help translate the knowledge and information from our security pros and engineers into a structure or model that can lead to executive risk decisions. Unfortunately, they are not needed right now because there is not much worthwhile information on likelihood (little or no metrics) or consequence (almost no OT Cyber Risk Engineers).

The approach of cross-training enough mid-level workers to be experts in all three areas is likely to fail. Unicorns are rare, and in a way this makes light of the skills required for all three of these roles. The roles will need some overlap and the ability to communicate, and yet in most cases they will be different roles.