Middle managers can be cyber security threats

Middle managers sometimes are an obstacle when it comes to implementing and promoting security within their realm. The idea of middle managers bottlenecking the security culture and program is a huge obstacle to overcome.

10/04/2015


Middle managers may or may not be aware of the increased need for security, but they are an obstacle when it comes to implementing and promoting security within their realm. That may seem odd at first, but it makes perfect sense wherever a middle manager's compensation and performance objectives, whether for a process line, an entire plant or anything in between, focus on output alone. With pure performance objectives strictly in mind, security will often go by the wayside.

One case in point: a chief information security officer (CISO) at an oil and gas major told a group of about 50 ICS cyber security experts, gathered at an invitation-only meeting to discuss cyber security in oil and gas, that one of the objectives handed down from his chief executive is to go around and get middle managers to adopt and follow the security process, said John Cusimano, director of industrial cybersecurity at aeSolutions. The CISO's mission is to make security part of the culture.

The CISO said his biggest problem is middle managers. Not the workers in the trenches, but middle managers.

"I have seen this with other clients where even higher-ups (e.g. VPs) in Engineering, Operations or even IT may not be on board with an OT cyber security program," Cusimano said. "For such a program to be successful it requires support from all three. Not surprisingly, the battles are more about company politics than anything else."

"One of my clients, a global chemical company, operates a very successful OT cyber security program," Cusimano said. "However, they really struggled in the initial formation of the program due to internal politics. The program was chaired by someone from operations who started his career in engineering. He was able to easily get engineering on board but really struggled with getting IT, and thus the whole team, rowing in the same direction.

"He brought my company in to help educate and establish a strategy for the team. Initially, you could see and feel the tension in the room as different groups literally faced off on opposite sides of the table. This is where having a neutral third party who understands both automation and IT and has experience working with complex organizations can really help.

"We were able to help them understand the risks to the company (not just their department) and identify areas of weakness (vulnerabilities) without pointing fingers. After a couple of months the team had developed a strategy and a plan to conduct several site vulnerability assessments on sample facilities in order to gather more detailed information.

"The most brilliant part of the plan was that the chairman of the committee brought the IT people into the field for a week-long 'tour' of several facilities. It was the first time that most of them had ever been in a plant. It was very eye-opening for them to see a real chemical plant and to see the day-to-day challenges that operations faces and to see, first-hand, how their IT infrastructure interacted with the plant infrastructure. They loved it. After a couple of days the IT and OT people were working hand-in-hand to gather the information we needed, and conversations every night at dinner were lively and constructive. Most notably, when we got back and had the next committee meeting everything had changed. Instead of tension there was camaraderie, and the groups sat co-mingled around the table. This was one of the most rewarding projects I have worked on because I was able to witness and be a part of bringing IT and OT groups together to solve a common problem," Cusimano said.

The idea of middle managers bottlenecking the security culture and program is a huge obstacle to overcome. Executives in the corner office and boards of directors are very aware of the issue, as are those working on the day-to-day issues in the trenches. But middle managers remain a problem, said Martin Smith MBE, chairman and founder of The Security Company and of the Security Awareness Special Interest Group, at the CBI Cyber Security Conference 2015 in central London last week.

In a world where middle managers end up measured, and rewarded, by performance, security will end up as IT's problem. "[They only want to] be measured by business performance and not cyber-security performance," Smith said. Smith said they have yet to accept the idea that cyber security is no longer just a technology issue, but a business issue.

Oftentimes people will say awareness training is not necessary because people are already aware. That is not true: real awareness and understanding come only when the point is hammered home continuously, until it becomes second nature.

Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource. Edited by Joy Chang, Digital Project Manager, CFE Media, jchang@cfemedia.com.



JOSE LUIS , Non-US/Not Applicable, Mexico, 10/08/15 11:36 AM:

Hi. Excellent and eye-opening article. Today, the wrong and limited idea that security is network segmentation and firewalls is spreading, in this way generating weak and vulnerable companies. It is very important to have a 360-degree vision... a BUSINESS vision, not a technical one.
Thank you.
Jose
jl_aparicio@aol.com