CS4CA USA Summit 2024 panel explores holistic approach to risk management, risk reduction strategies

A panel discussion at the ongoing CS4CA USA Summit 2024 in Houston addressed achieving risk reduction through a holistic approach to security risk management. The discussion was led by Jonathan Homer, CSO & VP of Integrated Security at CPS Energy, with panelists Bemi Anjous, CISO at Noble Drilling; Nikolai Zlatarev, CISO at Castleton Commodities International; Jon Taylor, vice president of solution engineering at Fortress Information Security; and Ken Dohan, senior director for OT Cyber / MSSP Americas at Cybolt.

The panelists explored the essence of a holistic approach to security risk management, emphasizing three key risk reduction enablers: design, management systems, and culture. They delved into evaluating risk reduction in relation to operational impacts, transitioning to a continuous risk assessment process, quantifying risk acceptance in monetary terms, and strategies for achieving this transformation.

Taking off from the use of the buzz phrase about a risk-based approach to cybersecurity, Homer said, “We’ve all uttered those words. I find that there’s a big gap between the words we use and an actual plan and program to implement such, and so leading that into our conversation and really talking about how do we make risk an integral part of our programs.”

Addressing what a mature, holistic risk program looks like, Zlatarev said, “First, you have to understand what risk is, and it has three components – assets, threats, vulnerabilities. Second of all, you have to understand what are the risks for your business, which means you have to understand your business. And this is not a trivial task. And then the third step is that once you run a risk assessment, you have to learn how to translate the analysis results into body language, which is like learning a foreign language. So the ecosystem means you have to look at all components of all stacks.”

He added that beginning with people, processes, and technologies, “you have to look into the technological stuff, you have to look into the people, into their preparedness, into their mindset. You shouldn’t get hung up on technology review only. And then you have, of course, to review processes.”

“So that’s a great representation of the vertical risk, everything that we’ve got in one category. I also think we need to look at it from an east-west perspective,” Taylor said. “When we talk about holistic security, it’s very apparent in OT or in our specific vertical, what our risk is for that part. But understanding that risk starts in a different business unit, might be different in our engineering units, and then completely different when we put it in operations.” 

He added that understanding “what we’re looking at from the same companies, the same providers, over the entire lifecycle of that same idea, but just the opposite direction for it, or I guess, opposite access for it. But I think it’s really important to not only understand our focus for the business but understand how we can change that risk or mitigate that risk before it gets to us or after it leaves us.”

“In OT, it’s a little bit clearer for us, I think, because we have this wonderful thing called legacy equipment, which means that you can throw all the wonderful new technology in the world at it, but it doesn’t necessarily reduce your risk,” according to Dohan. “So every time I think I’ve got my fingers wrapped around it, it’s like trying to hang on to a wet watermelon. It just squeezes out. So I’m not trying to take a middle-of-the-road approach, but my concerns are to make sure that there are no blind spots as best you can and decide what is acceptable versus not.”

Anjous said that, for him, the question directors ask all the time comes down to the distinction between operational risk and business risk. “Generally your operational risk will impact your business risk, which is what you’re willing to accept as a company. But to get to that point, you have to understand how you determine, how you initiate your operational risk, which means by means of identifying the asset.”

He added that today most companies, “by a lot of us, are struggling to identify the asset. If I have 1000 assets, you can recognize ten assets, you’re wasting your time. And when you know those assets, being able to also classify those assets in terms of priorities goes a long way. And that’s where you now in check.”

“In terms of what I call passive assessment and active assessment activity, where you have tools in place that constantly run scans, vulnerabilities, tell you what is out there,” Anjous mentioned. “And passive, when you do that assessment against different frameworks against controls, the outcome of all those will give you eventually what your risk of an environment is, the IT or OT, which eventually results in your ERM score as well as a company.”

Homer highlighted the recent emphasis, particularly from the federal government, on topics like SBOM and HBOM, signaling a shift towards standardized documentation within the industry. While not entirely uniform, there has been significant progress compared to five years ago. As someone representing a vendor, he asked the panel about observations they have made regarding risk documentation and its role in standardizing comparisons within the industry. 

Taylor said that when CISA came out last week and said, “Okay, well, we’re now going to do the self-assessment, well, where are we going to store it? Well, that’s not what we’re here for. We just said we’re going to do it. Okay, well, we’ve got to provide a solution for it. We don’t have that standardized approach to it, right? We don’t have a good place where we can all look at a repository. So all of us are going to be doing this work. All the vendors, the OEMs are going to be doing hundreds, the providers are going to be storing hundreds of them, and we’re replicating work that’s not going to reduce risk. How do we operationalize it?”

“And that really looks at being a centralized approach to being able to protect our information when we put it in a central location, but also make sure that it’s available without,” according to Taylor. “One of the interesting new programs we’ve got is with LSU and we’re looking at a lot of the SBOMs and HBOMs, even coming from INL, Idaho, from student populations, from other companies.” 

Addressing how to get to a consolidated approach, Taylor said, “We’ve been looking at commercially for a couple of years and take really a preponderance of everybody, enough with everybody having to make it an easier process and actually allow it to succeed, rather than just putting up the requirement without much of a solution behind it.”

“I think that was great, actually. I find it is in communicating to the board that bridges go both ways a lot of times. Reducing the complexity of the mean, that’s one way for me, and on the service provider side of things, I have to build that bridge between business and automation,” Dohan said. “Quite often it’s even more pronounced when it gets to a board level, I would think. And you said two really big words at the top of your start, and it’s risk register. We still run into places that go, what the heck is that, and understandably so. I mean, in many cases, those organizations don’t also know what data classification is.”

On Tuesday, the opening panel at the CS4CA USA 2024 event shared insights on mitigating, responding to, and recovering from cyberattacks. Reflecting on the impact of the Colonial Pipeline incident, they discussed the lessons learned and implemented within their organizations. The panelists also exchanged mitigation strategies with their peers, detailed their recovery and restoration plans for a post-cyber attack, and highlighted their approaches to event reporting, log review, event analysis, and incident handling and response.
