IT and OT: How CISO's can best handle the dangers of integration

José María Labernia, CISO at LafargeHolcim IT EMEA, speaks to IT Pro 20/20 about the steps he is taking to protect one of the world's largest construction materials companies

A cartoon depiction of a smart factory floor to symbolise operational technology

The following article originally appeared in Issue 9 of IT Pro 20/20 as part of a new series that invites industry experts to give their take on some of the most pressing issues facing businesses today. To sign up to receive the latest issue of IT Pro 20/20 in your inbox every month, click here. For a list of previous issues, click here.

CISOs across the globe are faced with the daily reality that all IT systems are suffering attacks. Unfortunately, it’s difficult to predict when you’ll be targeted and how that attacker could move laterally to compromise your IT or even operational technology (OT).

One rising threat to IT infrastructure is the rapid integration of IT and OT. At LafargeHolcim, we are fairly OT dependent – cement plants are big sites with a lot of automated and low-level programming systems. It’s critical that we include this in our analysis so that we have a complete picture of the risks faced.

We provide each business unit with its own specific KPIs and risk assessments. This provides the intelligence they need so they’re armed with the necessary detail before taking any decision regarding the degree of risk they find acceptable and that which needs to be addressed.

Protecting even the most modern and efficient of infrastructures is not a passive task – my team’s job starts again every time the company takes on a new project or initiative, or deploys a new product. With uncertainty on all sides, there is a deep need for security and business needs to be better aligned. Ensuring the cyber team and business stakeholders understand each other’s priorities and speak the same ‘language’ is the only way to ensure that the organisation’s computing infrastructures are defended correctly.

For example, if a new IT procurement tool is to be put in place within our region, we make sure to work with the procurement team to identify any specific application-level risks. We also sense-check with people from the organisation who may have a completely different mindset – such as developers or programmers – to try and spot other less evident risks. When it comes to identifying risks to our infrastructure, it’s definitely the case that four sets of eyes can see much more than one.

This approach is how we successfully managed the infrastructure transition during the merger of Lafarge and Holcim a few years ago. While many assume the combination of two well-established IT systems would be a simple cherry-picking exercise, it was actually a full alignment from the ground up. We assessed, in detail, the whole IT security portfolio in order to understand what people, processes, and technology needed to be in place from the view of both companies. Working together with business stakeholders and the right partners made life so much easier, and led to successful projects in the vulnerability management, endpoint protection, and user awareness spaces just to mention a few.

Challenges to come

With a relentless stream of high-profile data breaches continuing to hit the headlines, protecting a company’s infrastructure is quickly moving out of just IT’s remit and fast becoming a business topic. The good news is, business leaders are paying more attention to IT systems, meaning they will hopefully get more attention and resources for protection. However, new technologies mean new attack vectors.

Related Resource

IT Pro 20/20: Meet the companies leaving the office for good

The 15th issue of IT Pro 20/20 looks at the nature of operating a business in 2021

IT Pro 20/20: Leaving the office for goodDOWNLOAD NOW

As we navigate the ongoing fallout of the COVID-19 pandemic, home working and remote IT support will test many organisations’ infrastructures. Many companies were completely unprepared for the overhaul – and as such, their employees may face cyber attacks from people purporting to be from their own helpdesk, just to mention one example, allowing them to jump internally into the rest of the organisation’s infrastructure.

When looking at the threats faced, it’s important security teams iterate and evolve in the same way that hackers do. We have several techniques to put ourselves in the mind of attackers to try and spot the different vectors of attack we present externally. Once security teams have the awareness of how to protect against potential threats, they will then need to work hand-in-hand with business stakeholders to clearly define these risks in business terms.

Only then can organisations prioritise the best security mechanisms to mitigate those risks to their infrastructure.

Featured Resources

BCDR buyer's guide for MSPs

How to choose a business continuity and disaster recovery solution

Download now

The definitive guide to IT security

Protecting your MSP and your customers

Download now

Cost of a data breach report 2020

Find out what factors help mitigate breach costs

Download now

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Recommended

New report highlights the need for diversity in cyber security recruitment
cyber security

New report highlights the need for diversity in cyber security recruitment

28 Apr 2021
My journey from Mumbai to Mars
Careers & training

My journey from Mumbai to Mars

6 May 2021
IT Pro 20/20: Understanding our complicated relationship with AI
artificial intelligence (AI)

IT Pro 20/20: Understanding our complicated relationship with AI

4 May 2021
IT Pro 20/20: Meet the companies leaving the office for good
Business strategy

IT Pro 20/20: Meet the companies leaving the office for good

31 Mar 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

29 Apr 2021
Qualcomm modem flaw puts millions of Android users at risk
Google Android

Qualcomm modem flaw puts millions of Android users at risk

6 May 2021