Industrial CISO Q&A: Ramón Serres – Industrial Cybersecurity and Risk Management

Ramón Serres, CISO, Almirall

Ramón Serres is an industrial engineer and Senior Director of Information Security (CISO) at Almirall, a Spanish pharmaceutical company and a leader in Medical Dermatology. He has led the transformation of the information security function, from strategy to operations, strengthening its link to the business and the C-level and implementing a risk management culture that covers all aspects of IT and OT security. His background includes various IT management roles and responsibility for IT governance. He is also a regular contributor to ISACA, ManuSec, Thought Leader Global, and other specialized organizations. Ramón will be speaking at the upcoming ManuSec Europe Summit 2024.

Takpoint Research speaks to Ramón Serres, CISO @ Almirall

Ramon, from your experience, how is the role of information security transforming within industrial organizations?

Ramón Serres: The transformation is quite profound. We’re seeing a heightened awareness around the critical importance of cybersecurity, sparked by increased exposure of operational technology (OT) environments to the risks coming from information technology (IT) infrastructures, as a consequence of the growing integration between these two worlds. This technological integration also has a critical impact on people and processes.

Companies, in global terms, are enhancing their security posture. This comes as a consequence of clear risk awareness, or because they’ve unfortunately gone through an incident. But, either way, we can say that there is a growing belief amongst senior executives that businesses need a solid security foundation and therefore the resources necessary for bolstering our defenses.

On the other hand, going back to how the role of information security is transforming, the growing need to balance the traditional focus on protection with recovery capabilities also implies an extension of the traditional scope covered by former CISOs.

Can you share your insights on how the role of cybersecurity is evolving within industrial organizations?

Ramon Serres: We are certainly observing the evolution of the information security role within our organization and across the industry.

Firstly, there’s a first change when it comes to understanding the unique risks to the business in a manufacturing environment, which will be the first milestone after which we’ll have to reflect on the increasing complexity of the threat landscape and the strategic importance of cybersecurity to operational resilience, be able to effectively communicate these risks to senior management, and draw the necessary risk mitigation plans adapted to the particular context of the company and the business.

Secondly, the interconnectedness between IT and OT environments, what we know as ‘IT-OT convergence,’ normally triggered by security requirements, has consequences that imply technology, people, and processes. And information security has a say in all this, as operational models evolve, and security requirements must be met by the new models. This convergence has broadened the scope of information security, necessitating a more holistic approach to safeguarding industrial operations against cyber threats.

Thirdly, I foresee a necessary evolution in adopting a more proactive defense approach, leveraging advanced threat intelligence, predictive analytics, and AI to anticipate threats and mitigate risks before they materialize.

Moreover, upcoming regulations like NIS2 or standards like NIST Cybersecurity Framework or IEC62443 are playing a more significant role in shaping the responsibilities of information security leaders. With the enactment of stricter regulations and guidelines, CISOs must ensure that their organizations not only comply with these requirements but also maintain a posture that protects information and business processes proportionately to their value.

This evolution also emphasizes the importance of cybersecurity culture within industrial organizations. CISOs are spearheading initiatives to foster awareness, educate employees across all levels, and build a culture of security that recognizes the shared responsibility of protecting the business.

Finally, it is now well understood by business leaders that the CISO role now demands a stronger alignment with business objectives. CISOs are increasingly part of the executive leadership, contributing to decision-making processes that balance risk management with operational efficiency and innovation. This requires CISOs to understand the business, its security risks, and the implications of cybersecurity decisions. On top of that, communicating complex security concepts to non-technical stakeholders continues to be crucial.

How does the role of a CISO in an industrial setting differ from other enterprises?

Ramon Serres: In the industrial setting, the role of a CISO encompasses several distinct responsibilities that set it apart from traditional enterprise environments. To start with, as mentioned before, there’s a significant emphasis on the integration of IT and OT. The security strategies we deploy must bridge both areas seamlessly, ensuring that our operational processes remain uninterrupted while safeguarding against cyber threats. This requires a deep understanding of both domains, as the convergence of IT and OT introduces new challenges.

On the other hand, industrial environments and industrial control systems often rely on legacy systems that present unique security challenges. In our industry, these systems, essential for our operations, may not support modern security updates or protocols, making them vulnerable. Cybersecurity teams aim to find ways to reduce the risk exposure of these systems.

Another key difference is that a deep understanding of the particular risks affecting each production plant may drive us to point not only at the “classical” risks related to disruption of operations and information leakage but also to physical safety. This elevates the importance of our security measures and necessitates that the cybersecurity function has visibility and endorsement.

Lastly, the specialized skill set required for a CISO in an industrial environment is quite unique. It demands not just expertise in cybersecurity but also a solid understanding of industrial processes and the specific technologies used in OT environments. This blend of skills is crucial for addressing the nuanced threats we face and for communicating effectively with stakeholders across the organization.

Could you elaborate on the specific challenges faced in industrial cybersecurity?

Ramón Serres: Absolutely. In our industry, we face several distinct cybersecurity challenges that set us apart from more traditional IT-focused organizations. One of the foremost challenges is the fact that OT-IT convergence gives rise to challenges involving people and processes, apart from technology itself.

Another significant challenge is dealing with legacy systems. Critical operations may rely on outdated technology that cannot be easily updated or patched. This leaves certain systems vulnerable to certain types of attacks, requiring innovative solutions to protect these systems or at least reduce their exposure without disrupting production processes.

Regulatory compliance also adds complexity to our operations. We must adhere to stringent industry-specific regulations or standards, ensuring our cybersecurity measures comply with these standards while still effectively protecting against threats.

Furthermore, the skill gap presents a unique challenge. There’s a pressing need for professionals who not only understand cybersecurity principles but also possess a deep knowledge of industrial processes and OT particularities. Finding individuals with this combined expertise is absolutely challenging in today’s talent market.

How important is building trust in your task, and how did you go about it? Who did you focus on building trust with?

Ramon Serres: Trust is paramount in effectively managing cybersecurity within our industrial framework. It underpins our interactions and strategies across various organizational levels:

  • For operational teams and factory personnel, establishing trust is key, and for that, you must be close to them. Being people-oriented becomes critical. They are the frontline users of the systems we aim to protect. My approach involved direct engagement between my team and them, striving to understand their operational realities and demonstrating the supportive nature of cybersecurity measures. At the end of the day, security is about people as well.
  • Also at the senior leadership level, we must build trust, build risk understanding, and ultimately, get their buy-in to implement risk mitigation measures.
  • Finally, working with vendors that in many cases liaise directly with our factory personnel required a meticulous selection process to make sure we chose the right partners for this journey.

Besides that, there are no tips and tricks for building trust, but things I reckon as enablers are the following:

  1. Effective communication, ensuring that the rationale behind cybersecurity initiatives is understood across the company.
  2. Demonstrating expertise and reliability by showcasing a thorough understanding of both IT and OT security realms.
  3. Engaging in collaborative problem-solving with stakeholders in a very pragmatic way.

How important is selecting the right partner for cybersecurity initiatives, and do you have any tips on making the right choice?

Ramon Serres: Choosing the right cybersecurity partner is critical, especially in the industrial and OT security sphere. It’s not just about finding someone with the technical know-how; it’s about finding a partner that you can trust and who understands the unique challenges of your industrial environment and context.

Look for partners with a solid track record in industrial cybersecurity, with provable hands-on experience and clear references. They should bring a deep understanding of both IT and OT landscapes to the table. There aren’t so many in the market. It is worth investing time to get to know them, and analyzing their strengths and weaknesses, before engaging in a project that will be very complex.

How do you handle resistance to cybersecurity measures?

Ramon Serres: Handling resistance to cybersecurity measures requires a multifaceted approach that balances technical acumen with strategic communication and change management skills.

Firstly, it’s essential to understand the root causes of resistance, which often stem from a lack of understanding of risks and the perceived impact on operational efficiency (and ultimately, on business objectives). To address this, education and awareness are key. This can be tackled with training sessions and practical workshops to elucidate the critical nature of cybersecurity threats and their potential impact on the business.

Engagement is another crucial strategy. By involving stakeholders from the onset in the cybersecurity planning and decision-making process, we foster a sense of ownership and accountability. This participatory approach helps demystify cybersecurity initiatives and helps get people on board.

Communication is also paramount. Articulating the value of cybersecurity measures in terms that resonate with the audience, whether it’s the C-suite or shop-floor personnel, ensures a clearer understanding of the benefits.

Being pragmatic and being perceived as such also helps in getting the buy-in from the organization.

How do you manage the balance between enabling business through innovation and ensuring safety and security?

Ramón Serres: Balancing innovation with security is indeed a critical aspect of the information security role. At Almirall and in the pharmaceutical sector in general, innovation is the cornerstone of business sustainability. The primary goal is always to enable the business to innovate, obviously understanding the risks derived from that innovation, and to operate with higher productivity and reliability. However, both of them, innovation and operation, must be enabled in a way that keeps risks down to acceptable levels.

In this respect, being aligned with the business is key. It isn’t a matter of implementing security controls for the sake of it, but of implementing the security controls that actually make sense in your particular business, company, or context.

Information security risks are managed keeping the big picture in mind, knowing that these risks are part of a bigger map where other industry-specific risks apply. Decisions are therefore made with a holistic approach and fully aligned with the business strategy and priorities.