
Board of Directors Role in ICS Security with Thomas Parenty

Unsolicited Response Podcast

Release Date: 03/31/2020


A big challenge facing any team trying to deal with OT and ICS cyber risk is getting support and leadership on this issue from executive leadership and the Board of Directors. The problems that arise tend to be related to communication styles, understanding what is truly important to the company, and reducing business risk as the executives and Board define it.

In this podcast I talk with Thomas Parenty of the Archefact Group about the Board of Directors' responsibility in business risk management. Thomas works with Boards for a living and has written the book A Leader's Guide To Cybersecurity.

This podcast includes discussions on:

  • Key Item - Approach the Board with a business risk approach rather than a technical approach (how to identify business risk, with examples and discussion of how to do this).
  • The Board addressing the risk of reputational damage from a cyber attack.
  • How much cybersecurity expertise does the Board need? Should there be a "Cybersecurity Director"?
  • What level of detail does the Board need on cybersecurity controls?
  • How does one deal with the Board member who has locked onto a specific control, product or solution that doesn't make sense for the company?
  • Could the SEC requiring specific cybersecurity disclosures create regulatory risk that would force the companies subject to these disclosures to take action?
  • How is a Board of Directors acting, and how should it act, to deal with COVID-19?

I do chime in with my views more often than in a typical podcast, as dealing with Executive Management and Boards is something I've been doing quite a bit over the last five years.

My favorite quote from Thomas:

It is so easy to do good things, but they're not the most important things. Or they're not the most effective things. Or the money is being spent, but not on reducing the most material risks in the business.

Links

Thomas Parenty's book: A Leader's Guide To Cybersecurity

Thomas Parenty's session video from S4x19

Patrick Miller video clip on Executive Communication

Subscribe to Dale's ICS Security: Friday News & Notes