Cyber resilience: Who is in charge?
In some companies, they see cybersecurity as a narrow responsibility of a digital department. This misconception will eventually lead to sad consequences, as tomorrow’s customers will be expecting reliable products, cyber-protected at all levels.
Meanwhile, the oil and gas industry’s true leaders realize that resilience to cyber threats requires building a culture instead of creating a set of rules. And this culture concerns not only IT but OP as well. As for the responsibility: in no way does it belong to digital departments only. It’s the board who is in charge of cascading cyberculture values and rules. Let’s figure out how it should work in practice.
Cyber-resilience principles to follow
As a corporate officer who understands the concept of cyber resilience, you are the right person to communicate its importance to the board. Such a step should be followed by initiating an integrated oil and gas strategy that will help to bring this concept to life. Here are the principles that will help you navigate your company through the changes and contribute to a sustainable low-carbon future.
Build a clear cybersecurity governance model
A governance model should be built with interoperability in mind. Since connectivity has transformed the oil and gas industry, it’s crucial to link IT, OT, and safety requirements into a coherent ecosystem, with security being a priority. This presupposes establishing a cyber risk-based program initiated by a board and appointing people to execute it.
According to Gartner, asset-intensive industries need a dedicated security specialist to manage cyber, physical, and supply chain security personnel. Moreover, in four years 50 percent of organizations will already have CSOs responsible for aligning IT and OT governance with cyber resilience principles. It’s up to the industry executives to ensure such specialists have enough expertise and resources to fulfill their duties.
With a clear authority and hierarchy, cyber resilience is achieved through personnel training, straightforward policies, and continuous evaluation of their effectiveness.
A CSO should report on security performance directly to the CEO based on pre-defined indicators (like cybersecurity educational programs completion rate). This will help oil and gas boards make well-considered strategic decisions and plan security budgets more efficiently.
Encourage resilience by design culture
Resilience by design means that cybersecurity becomes immanent to all your operations and infrastructure. It requires a company to prioritize managing, monitoring, and maintaining cyber-resilience governance across all aspects of the value chain. By design approach is focused on breach prevention. Therefore, spending on incident-response becomes less likely. Saved time and costs can be reinvested in resilience best practices.
To ensure resilience culture covers all business units, set specific metrics for each of them and measure the percentage of processes that integrate cyber-resilience practices.
Clear standards and principles communicated by the board allow each personnel member to contribute to the overall strategy. This enhances the cyber resilience culture and nurtures its cross-departmental nature.
Make cyber resilience a corporate responsibility
Companies will benefit if managers embrace the concept of cyber responsibility. Ensure they realize how cyber risk may impact the whole value chain and a company’s reputation within the oil and gas industry.
When they become self-motivated to explore new cyber-resilience principles and practices, natural and conscious cyberculture arises. And it is far more effective than an imposed one.
The practices existing within such a culture need regular confirmation. It’s advisable to implement cyberattack simulation programs that will keep all organization’s employees, including oil and gas officers, trained for potential malicious attacks.
Many executives find it challenging to reach a proper level of education and training among their managers. But as soon as more organizations start implementing these practices, the general level of cyberculture will become higher, and cyber literacy will become a skill expected by default.
Implement an integrated approach to risk-management
Organizations don’t operate in a vacuum; therefore, internal cyber resilience is not enough to secure business stability. While working with third parties, it makes sense to define mutual expectations from cyber tolerance. Embedding security clauses in contracts and security assessment of potential suppliers is a prerequisite of effective partnership within the oil and gas industry.
First, ensure that the policies your partners stick to are acceptable for your organization. Review the potential vulnerabilities and blind spots to address. Then, agree on risk-management actions and tools you’re going to implement into collaboration. This will build a solid foundation for joining forces in case of malicious attempts.
Collaborate on resilience across the oil and gas industry
As the oil and gas industry aspires to cyber resilience, organizations acquire new insights and experiences. Sharing them with peers, developing and adopting unified standards, frameworks, and tools sounds like common sense.
Being ecosystem-oriented also implies collaboration with communities and global organizations that oversee industry policies and standards. The idea behind such alliances is mutual support and endorsement that makes us, as an industry, stronger and more prepared for the challenges of a business landscape.
Start ecosystem-wide planning
The best practices you learn in collaboration with partners from the oil and gas industry should not remain just on paper. Bring them to life by strategically planning cyber-resilience activities across the ecosystem. Set up a schedule of regular exercises imitating cyberattacks and immediate responses, decide how you’re going to measure their effectiveness. It can be a percentage of units or systems that successfully passed the training, or the evaluated amount of money saved during a test cyberattack.
The same applies to all business units involved. The more you collaborate with them on these practices, the more prepared and conscious they become. Therefore, your total level of protection grows in direct ratio with the number of your allies.
The questions to ask yourself
To ensure the company is moving in the right direction, oil and gas officers should regularly ask themselves the following questions. This will help to evaluate a company’s progress, set new priorities, and reach the desired goals.
- Do we have a clear hierarchy of people with relevant expertise responsible for executing the cybersecurity strategy?
- Does our cybersecurity governance model cover all the aspects of our supply and value chain? How is cross-functional and cross-departmental collaboration ensured?
- Do we have a proper cyber resilience program that includes training on detection and response to potential cyberattacks? What are our plans for future activities?
- Is our management aware of all the cyber risks and their impact on the organization’s reputation? What steps and approaches do they initiate to prevent this scenario?
- What are the blind spots and vulnerabilities posed by the third parties? What measures are being taken to eliminate them?
- Are we engaged in peer mentorship and experience exchange with partners and other oil and gas boards? What can we do to join forces and increase the level of cyber resilience across the industry?
- What steps are we taking to ensure both internal and external parties are increasing their level of cyber hygiene and acquiring new cyber skills?
Closing thoughts
The oil and gas officers are predisposed to building long-term strategies and operating within the whole ecosystem. Meanwhile, it’s vital to keep in focus spreading these plans across the organization. At the end of the day, resilience to cyber threats is defined by how the management has communicated the strategy to the actual employees performing their everyday tasks. No matter how great the strategy is, it won’t protect you unless your personnel knows how to detect, prevent, and respond to cyberattacks. And their work routines are the answer to your question “Is my company prepared for potential threats?”