IT and OT: How CISOs can best handle the dangers of integration

José María Labernia, CISO at LafargeHolcim IT EMEA, speaks to IT Pro 20/20 about the steps he is taking to protect one of the world's largest construction materials companies

The following article originally appeared in Issue 10 of IT Pro 20/20 as part of a new series that invites industry experts to give their take on some of the most pressing issues facing businesses today.

CISOs across the globe are faced with the daily reality that all IT systems are suffering attacks. Unfortunately, it’s difficult to predict when you’ll be targeted and how that attacker could move laterally to compromise your IT or even operational technology (OT).

One rising threat to IT infrastructure is the rapid integration of IT and OT. At LafargeHolcim, we are fairly OT dependent – cement plants are big sites with a lot of automated and low-level programming systems. It’s critical that we include this in our analysis so that we have a complete picture of the risks faced.

We provide each business unit with its own specific KPIs and risk assessments. This gives them the intelligence they need, so they are armed with the necessary detail before taking any decision on which degree of risk they find acceptable and which needs to be addressed.

Protecting even the most modern and efficient of infrastructures is not a passive task – my team’s job starts again every time the company takes on a new project or initiative, or deploys a new product. With uncertainty on all sides, there is a deep need for security and business needs to be better aligned. Ensuring the cyber team and business stakeholders understand each other’s priorities and speak the same ‘language’ is the only way to ensure that the organisation’s computing infrastructures are defended correctly.

For example, if a new IT procurement tool is to be put in place within our region, we make sure to work with the procurement team to identify any specific application-level risks. We also sense-check with people from the organisation who may have a completely different mindset – such as developers or programmers – to try and spot other less evident risks. When it comes to identifying risks to our infrastructure, it’s definitely the case that four sets of eyes can see much more than one.

This approach is how we successfully managed the infrastructure transition during the merger of Lafarge and Holcim a few years ago. While many assume the combination of two well-established IT systems would be a simple cherry-picking exercise, it was actually a full alignment from the ground up. We assessed, in detail, the whole IT security portfolio in order to understand what people, processes, and technology needed to be in place from the view of both companies. Working together with business stakeholders and the right partners made life so much easier, and led to successful projects in the vulnerability management, endpoint protection, and user awareness spaces just to mention a few.

Challenges to come

With a relentless stream of high-profile data breaches continuing to hit the headlines, protecting a company’s infrastructure is quickly moving out of just IT’s remit and fast becoming a business topic. The good news is, business leaders are paying more attention to IT systems, meaning they will hopefully get more attention and resources for protection. However, new technologies mean new attack vectors.

As we navigate the ongoing fallout of the COVID-19 pandemic, home working and remote IT support will test many organisations’ infrastructures. Many companies were completely unprepared for the overhaul – and as such, their employees may face cyber attacks from, to mention just one example, people purporting to be from their own helpdesk, allowing those attackers to jump internally into the rest of the organisation’s infrastructure.

When looking at the threats faced, it’s important security teams iterate and evolve in the same way that hackers do. We have several techniques to put ourselves in the mind of attackers to try and spot the different vectors of attack we present externally. Once security teams have the awareness of how to protect against potential threats, they will then need to work hand-in-hand with business stakeholders to clearly define these risks in business terms.

Only then can organisations prioritise the best security mechanisms to mitigate those risks to their infrastructure.
