Intelligent CISO Issue 45 | Page 43

EXPERT OPINION occurred . Those insights are things that we can codify and bring to our customers .
Second , we ' ve hired the best of the best . We don ' t just operate as a technology company , we have a services team and an intel team , and we want to have really smart individuals who are used to being in these environments . We do many ancillary things that aren ' t business lines for us , like training or learning management systems with classes . Still , these things are helpful in that partnership discussion and making sure that people can be successful .
Third , through being a Dragos customer , you get that partnership feel from the moment the PO is signed . Most of our focus and the way that we ' ve built our sales , customer success and professional services teams is to understand the risk that a customer ’ s taking and the work ahead of them so that when they take that leap of faith to try and do right by their community , we are with them every step of the way to ensure they can be successful .
How can organisations implement simple but effective security policies and procedures to lower their cyber-risk ?
It ' s a very daunting thing to be a CISO or a CEO looking at this problem for two reasons . One , it ' s not been done before , and now there ' s a significant focus on it – you ' ve got to walk a very delicate balance of helping to inform on the risk without coming off with fear , uncertainty and doubt .
Second , there are many security controls , products and services in enterprise IT . It can seem overwhelming that you might now need to copy that into the other side of the business , which is larger and more complex . But you don ' t need to copy and paste what you have in IT . Instead , we need to look at a couple of critical controls and figure out the OT-specific nature of them and apply those well and consistently .
• Step one : Figure out a defensible architecture
• Step two : Get the visibility and monitoring in place to understand what ' s going on and what needs to be protected
• Step three : Have Multi-Factor Authentication ( MFA ) wherever you can put it in terms of remote access
• Step four : Ensure you have a vulnerability management programme – don ' t try to fix every vulnerability out there
• Step five : Have an ICS-specific incident response plan
If you were to do those five controls well across your operations environment , you ' d have a world-leading OT security programme . u www . intelligentciso . com