Key actions to build cyber resilience
Arguably, no one should be expecting CISOs to be able to prevent all cyber attacks from happening. Companies should instead shift their focus toward building cyber resilience — that is, how can the organization maintain business continuity in the event of a cyber incident? To build cyber resilience, companies should focus on the following areas.
Cyber resilience strategy and governance framework
It is critical to establish board-level oversight on high-impact risks pertaining to IT, OT, physical security, environment, health and safety and the digital transformation strategy. Alignment between different business units and the enterprise-wide risk management framework is also crucial. Companies should adopt a “waterfall approach” for risk mitigation planning and control, which involves defining clear responsibilities for all risk owners and controllers.
Holistic and integrated enterprise-wide cyber risk management
Companies must identify and mitigate cyber risks across their businesses and operations by providing adequate mandates, funds and resources for cyber resilience programs. They should also conduct thorough analyses of risks and have a clear understanding of perceived values of different assets.
“Security by design” framework
Companies should establish a robust mechanism for managing cyber risks by exploring the organization’s risk environment and appetite. They should also evaluate the cascading impact of various residual risks for ongoing activities and new initiatives. Additionally, they need to engage the operations and engineering teams to encompass OT and the legacy technology into the overall cyber framework. This approach will help enable day-to-day resilience as well as proactive, pragmatic and strategic planning that considers risk and security from the outset.
Next-generation cybersecurity technologies
Companies should conduct an “as-is” and “to-be” analysis of their cyber environment to measure the effectiveness and efficiency of cybersecurity programs, across both IT and OT. This analysis will act as a guide for identifying key systems and operations that need to be upgraded, and for mitigating risks pertaining to legacy OT by adopting the latest cybersecurity technologies for effective risk management.
Robust incident response and emergency action plan
Even the most secure framework cannot be expected to result in zero cyber risk incidents. A detailed cybersecurity incident response plan based on established frameworks should be developed. The plan should clearly define the roles and responsibilities for responding to cyber incidents, incident categorization and protocols for information and intelligence sharing. Periodic simulation exercises with realistic scenarios should be conducted to stress test the company’s ability to respond in a crisis.
Culture and workforce
Fostering a risk-aware culture for effective cooperation among different business units and stakeholders, instead of a siloed and fragmented approach to risk management, is crucial. Companies should also develop a training and learning framework so that employees are aware of cyber policies and processes and are kept up to date on them.
As digital transformation continues to extend across oil and gas companies and the entire energy ecosystem, new vulnerabilities will enter and threaten an already fast-changing and volatile environment. The only way to keep moving forward with confidence is to invest in building the resilience now.