In a sector where cyber risk is growing at an exponential rate, human capital concerns such as bolstering an organization’s cyber posture through the acquisition of qualified talent, along with training and awareness throughout the employee base, are critical.
Communication—bridging the gap between IT and C-suite
Organizational structures among manufacturers can be as diverse as the products they produce. In fact, according to executives interviewed as part of the study, manufacturing companies, especially larger ones, are moving to a dedicated CISO, while some smaller and middle-market companies do not have a CISO at all. From a philosophical perspective, some companies believe addressing cyber risk should be the responsibility of the entire management team, if not the entire employee base. The most impactful structure may lie somewhere in between these two approaches. It should be everyone’s responsibility to understand the role they play and how their actions can affect cybersecurity performance. In addition, having a dedicated, accountable resource such as a CISO may help to improve the maturity of the cyber risk program over the longer term.
There is also a very real communications gap between business leaders and cyber employees. To truly drive change, cyber leaders must articulate the “why” behind key cyberthreats and initiatives, which is best done in terms of business risk to key investments, customers, operations, and cost.
Fragmented cyber responsibilities—the IT versus OT divide
In order to ensure that shop floor production operations strike a balance between security and productivity, companies must create an ownership strategy among their employees that offers the greatest output while keeping risk at a tolerable level. A well-functioning internal cyber program has clear accountability established on multiple levels, with special attention given to the division of responsibilities between IT and OT.
Employee awareness—the weakest link in the cyber chain
Now, more than ever, manufacturers are exposed to a growing number of potential cyber breach points, spanning legacy control systems, connected ICS, and interconnected supply chains, to name just a few. However, manufacturers also have to deal with threats posed by their own employees. In a world of increasingly mobile workforces, ever more ingenious phishing schemes, and a general lack of awareness regarding the security of digital assets, some manufacturers find their staff to be the weakest link in the cyber risk chain, with four out of the top ten threats attributable to employees.
Insider threats—identifying and managing threats from within
With staff being exposed to greater risks, or creating such exposures themselves, manufacturers need solutions that help them keep abreast of the ever-changing risk landscape. This is often quite a challenge in an environment where manufacturers are finding it exceedingly difficult to identify, attract, train, and retain qualified cyber professionals. While unwitting exposures resulting from carelessness or error present one type of threat, many businesses have also fallen victim to insiders with more malicious intent.
Consider the following strategies to be purposeful in addressing talent-related challenges:
- Leadership sets the tone at the top and promotes a security culture through proactive, organization-wide engagement, building incentives for the entire workforce to take responsibility for the cybersecurity posture. The organization implements a measurable cybersecurity learning and awareness program to reshape the corporate culture and the daily behaviors of its associates that are needed to protect the organization and its people from a pervasive security breach.
- Establish a dedicated cybersecurity function led by the CISO, with skilled cybersecurity staff in place to protect the business’s sensitive assets, monitor security threats and operations, and be ready to respond to any security incident. The organization should develop its cybersecurity workforce strategy by assessing workforce needs and skills gaps, recruiting skilled talent for well-defined cybersecurity management roles, providing specialized training as needed to further enhance skillsets, and creating a productive, results-driven environment to retain talent.
- Establish a cross-functional team of key stakeholders in the cyber program, including IT, OT, R&D, Finance, and Risk. Identify and socialize the risk framework with this team to define key mitigation strategies and to clearly assign ownership for implementation.
- Perform regular internal phishing tests as an assessment and awareness tool to help employees better recognize these attacks when they occur.
- Ensure the organization regularly reviews and communicates key cybersecurity risk behaviors, trends, and cyberthreats to the organization.
- Implement concise, threat-, behavior-, and audience-based learning programs with active user engagement to maximize attention and retention.
- Provide proactive learning and awareness opportunities in the form of frequent, small bites of information, while leveraging different delivery channels (such as digital, classroom-based, etc.).
- Simulate real-life threat scenarios with a cross section of the executive leadership team to perform periodic knowledge checks and assess actual threat management preparedness. Evaluate the results of these simulations to gauge effectiveness, and incorporate lessons learned into iterative awareness and learning programs.
To get a more in-depth look at the findings, be sure to visit www.deloitte.com/us/cyber-risk-advanced-manufacturing, where you can download the full report, executive summary, and infographic. And be on the lookout for an upcoming series of blog posts on the key themes identified in our study.
1. Cyber risk in advanced manufacturing, Deloitte and MAPI, 2016.