March: Know Your Company

Beginning in March we shift for the rest of this book from a focus on your career to a focus on your company’s OT security and cyber risk management program. A common mistake is to begin by selecting and deploying security controls. You find a standard or...

Week 9: Identify And Plan Your Career Growth Area

One last, but not least, task to complete your S4 month is to plan which area you will focus your career growth on over the next year. Hopefully your S4x25 experience and the tasks over the past two weeks have given you some insight into what will both inspire you and...
Election 2024 – Simple Guidance For The Next Administration

The Cyberspace Solarium Commission, McCrary Institute, and others provide long lists of initiatives they recommend for the next administration. They tend to be bureaucratic. Stand up this new organization, draft this document, study this issue, … A lot of the...
Proposed Government Metric: Outage Pie Charts

This is the fourth in a series of suggested metrics governments could (should?) use to measure OT security posture, incidents, and risk … something desperately needed and consistently avoided. Metric 1: Impacted People Days Metric 2: Leading Indicator Metrics Metric...
Usually In My Top Ten … Set & Meet RTO

Last week I wrote that creating an asset inventory typically isn’t among the early actions of an OT security program prioritized by efficient risk reduction. And I received a number of questions about what is on the short list. I’m not going to provide a list because it can...
Efficient Risk Reduction: Asset Inventory Often Not In My Top Ten

I’m not anti-asset inventory. It’s a key part of asset management and maintenance without regard to reducing OT cyber risk. In fact, I’d be more amenable to Operations prioritizing establishing and maintaining an asset inventory than OT Security. At the right point in...
SEC: Incentives and Outcomes

“Show me the incentive; I’ll show you the outcome.” – Charlie Munger. The SEC requirement for US public companies to disclose, in an 8-K form, any cyber attacks that will have a material impact on the business went into effect in November 2023. Unsurprisingly this has led...
Proposed Government Metric – Internet Exposed OT

This is the third in a series of suggested metrics governments could use to measure OT security posture, incidents, and risk … something desperately needed and consistently avoided. Metric 1: Impacted People Days Metric 2: Leading Indicator Metrics Metric 3:...
Leading Indicator Metrics (Inspired by API RP 754)

Part 1 of this article is from my S4x24 Keynote: Believe!. Part 2 is the suggested related metrics for the US and other governments. Are some of you having trouble with Total Recordable Incident Rate? Or the SEC material incident rate? Or these outage pie charts? I...