Beginning in March we shift for the rest of this book from a focus on your career to a focus on your company’s OT security and cyber risk management program.
A common mistake is to begin by selecting and deploying security controls. You find a standard or guideline or guru who has created a list of security controls that are recommended for OT. Almost all these controls have a rationale, a purpose. They are not “wrong”.
However, they might not be what your company should be spending time and money on. We are not in a competition to see who can deploy and maintain the most security controls. Our job is to reduce OT cyber risk to an acceptable level for the company.
In March you will begin by understanding how your company defines and measures success, how your company performs risk management, the financial impact of Operations and OT outages, and the high consequence events in Operations and OT that your company needs to avoid.
There is nothing “cyber” in these March weekly tasks. It’s all about understanding what your company is trying to achieve and trying to avoid. Knowing this will help you develop an OT security program that addresses your company’s risk. It will also help you communicate better and more persuasively with executives, engineers, finance, and other departments.