Many of those responsible for addressing OT cyber risk have difficulty getting budget for their efforts. There is a long list of reasons, including:
- They have not experienced a loss due to an OT cyber incident.
- They are viewed as spreading FUD because they have not experienced a loss due to a cyber incident, and many of the media stories and vendor hype they cite are FUDalicious.
- They have a hard time explaining what the proposed expenditure will confidently accomplish. (Will we be secure after this? Well …) (How will we measure if this program is a success?)
- Many of the competing risk reduction expenditures are addressing actual previous losses (supply chain, weather events, Covid cancellations) and have definable risk reduction.
This list could go on, and feel free to add yours in the comments. It’s important to note that consequence reduction does not have some of these issues. You can give hard numbers on consequence reduction.
The OT security world has also suffered because we are not experienced in and not good at getting budget for OT or cybersecurity. Traditionally Operations has asked for infrequent capital expenditures that include some OT, and then wanted to be left alone for a couple of decades. This world is gone, but the budgeting hasn’t caught up. The team asking for OT security budget often thinks what they are asking for is a big number, when it is actually small compared to IT projects. If you are hesitant to ask for money, look at the IT budget, and what it is being spent on, and you are likely to be more brave.
Another reason: the family budget analogy I heard for the first time in an interview with Nozomi’s Edgard Capdevielle.
So simply stated and easily understood. If you have four children, and then you have a fifth, your salary doesn’t go up because you have another child. The same is true with the new and growing requirements for OT security expenditures. The money has to come from someone else’s budget, another child’s food, clothes, lessons. The executives who approve budgets have already bought into the fact that the previous year’s expenditures were needed.
Now in the family example, someone can try to earn more money. This doesn’t transfer to the company example because whatever the revenue is, additional expenses mean less profit.
The budget inertia and the fixed-size budget pie make it likely that OT security will see gradual, percentage increases rather than step increases in size. It is likely that the OT security budget percentage increase will exceed the IT security budget percentage increase. Starting from a small size, it will take years to reach the number most believe is needed. Prioritizing your actions by efficient OT cyber risk reduction is key.