How CISOs can overcome industrial cybersecurity talent, resource shortages

The industrial cybersecurity sector is grappling with a severe shortage of skilled professionals, and CISOs have to bridge this gap and the IT/OT divide.

By Dino Busalachi and Craig Duckworth November 22, 2024
Management visits an industrial environment, emphasizing the importance of bridging gaps between different organizational levels and areas of expertise for effective operations and security. Courtesy: Velta Technology

Cybersecurity insights

  • Chief industrial security officers (CISOs) in industrial sectors are overwhelmed by the complexity of securing operational technology (OT) systems, which often lack centralized management, exacerbating visibility and control issues.
  • The growing disconnect between information technology (IT) and OT teams, compounded by a severe talent shortage, leaves industrial organizations vulnerable to cyber threats, operational disruptions and compliance challenges.

The industrial cybersecurity landscape is facing a crippling talent crisis, as evidenced by hiring challenges and the “great resignation” of chief information security officers (CISOs) as a fallout of escalating cyber events.

CISOs responsible for the security of critical infrastructure and manufacturing organizations are grappling with immense challenges leading many to quit their roles or transition out to other areas of responsibility.

The core issue is the sheer complexity and scale of securing industrial control systems (ICS) and operational technology (OT) environments.

Unlike traditional IT networks, OT systems powering manufacturing facilities and critical infrastructure are often decades-old, decentralized and not centrally managed by the CISO’s team. This makes it difficult for CISOs to gain comprehensive visibility and control over these mission-critical assets.

Adding to the problem is the rapid growth of Internet of Things (IoT) devices on the network edge, as well as the increasing sophistication of cyber threats targeting industrial operations. CISOs are overwhelmed by the scale and complexity of securing these hybrid IT/OT environments.

A major contributing factor to the security challenges is the disconnect between information technology (IT) and OT teams. While IT professionals focus on securing enterprise networks and systems, they often lack the specialized knowledge and understanding of the OT environment and its unique vulnerabilities.

However, OT personnel responsible for industrial equipment and control systems may not have the cybersecurity expertise to properly assess and mitigate risks.

This lack of communication and shared understanding between IT and OT can lead to critical blind spots as each group assumes the other is responsible for securing the overall industrial ecosystem.

Without a cohesive, collaborative approach, industrial organizations remain vulnerable to cyber threats that can disrupt critical operations, damage equipment and even jeopardize worker safety.

“With the workload, the stress and responsibility without authority, you can’t easily make effective change within the environment. The easiest path is out the door,” said Craig Duckworth, a former CEO and co-founder at Velta Technology, highlighting the immense pressures facing CISOs tasked with bridging this IT/OT divide.

This challenging situation is compounded by a severe and worsening shortage of skilled industrial cybersecurity professionals. Securing OT environments requires a unique blend of IT, operational and domain-specific expertise — a combination that is hard to come by and takes years to develop.

“Once they recognize, or they may even know what the problem is, they’re just looking for a way to shield themselves from the things they can’t or don’t have the expertise to manage. Those things need to fall to somebody else,” said Dino Busalachi, CTO and co-founder at Velta Technology, highlighting the limited options CISOs have in the face of this cybersecurity expertise and talent crisis.

The talent crunch is acute at the plant level, where CISOs often lack the resources to have dedicated cybersecurity personnel on-site. This leaves plant managers — who are focused on operational metrics rather than cybersecurity — to handle security responsibilities they are ill-equipped to manage.

“Security gets in the way of progress,” Duckworth said, emphasizing the cultural and organizational challenges CISOs face in getting plant-level buy-in for security initiatives.

Eight issues stemming from the cybersecurity talent, skills shortage

Here are some of the key issues and risks associated with talent shortages and lack of experienced talent in industrial manufacturing and critical infrastructure cybersecurity:

1. Lack of visibility and control over OT/ICS assets. Without the right expertise, CISOs, plant management, and security teams struggle to gain comprehensive understanding and control over the sprawling, legacy OT systems in manufacturing plants and critical infrastructure. Blind spots in asset inventory, vulnerabilities and access management increase the attack surface.

2. Inability to implement effective security measures. Lack of skilled personnel makes it difficult to deploy, configure, and maintain robust cybersecurity controls like network segmentation, access management, threat monitoring, and incident response. Cybersecurity initiatives often get deprioritized in favor of operational priorities and production which has often been the plant floor management’s priority.

3. Greater susceptibility to cyber-attacks. Under protected OT/ICS environments are prime targets for sophisticated threat actors looking to disrupt critical operations, steal intellectual property, or conduct destructive attacks. Successful breaches can lead to safety incidents, environmental damage, financial losses, reputational harm and even loss of human life.

4. Compliance and regulatory challenges. Adhering to industry standards and government regulations around industrial cybersecurity requires specialized knowledge that is in short supply. Noncompliance can result in hefty fines, legal liabilities and even loss of business in extreme cases.

5. Inability to keep up with evolving threats. The changing industrial cybersecurity landscape with new vulnerabilities, attack vectors, and threat actor tactics requires continuous learning and adaptation. Lack of skilled personnel limits an organization’s ability to keep up with cybersecurity demands, let alone stay ahead of the curve.

6. Operational disruptions and downtime. Security incidents can impact the availability and reliability of industrial systems, leading to expensive production delays and operational disruptions. Recovering from cyber-attacks requires specialized expertise that may not be available and lead to greater risks and losses.

7. Ineffective incident response and recovery. Without experienced incident response teams, organizations struggle to contain the impact of breaches, conduct thorough investigations, and implement robust recovery plans. Delayed or improper response can exacerbate the damage and prolong downtime.

8. Vendor/supplier risk management challenges. Securing the broader industrial ecosystem, including third-party vendors and suppliers, requires specialized knowledge of OT/ICS environments, equipment, and processes. This lack of expertise makes it difficult to assess and mitigate risks introduced by interconnected systems and supply chain relationships.

Addressing these challenges requires a multi-pronged approach focused on building a strong pipeline of industrial cybersecurity talent, upskilling existing personnel, and fostering a culture of security within manufacturing and critical infrastructure organizations.

Bridging the IT/OT divide and aligning these traditionally siloed teams is essential to enable comprehensive industrial cybersecurity across manufacturing and critical infrastructure organizations.

Tackling the talent shortage, improving IT/OT collaboration and shifting the organizational mindset to collaboration will help industrial organizations overcome the immense cybersecurity challenges facing CISOs, operations, manufacturing teams and their organization as a whole.

Dino Busalachi is CTO and co-founder of Velta Technology; Craig Duckworth is a former CEO and co-founder of Velta Technology.

LEARNING OBJECTIVES

  1. Understand the causes and consequences of the industrial cybersecurity talent shortage.
  2. Explore strategies to bridge the talent gap, including upskilling existing personnel, building a pipeline of specialized professionals, and ways to leverage partners.
  3. Learn approaches to bridge the IT/OT divide, fostering collaboration between teams to enhance overall industrial cybersecurity protection.

Author Bio: Dino Busalachi is CTO and co-founder of Velta Technology; Craig Duckworth is a former CEO and co-founder of Velta Technology.