Christoph Schuhwerk
CISO in Residence — EMEA
Zscaler
DECEMBER 2024
CIOs and CISOs today face a Gordian Knot of complexity when it comes to their organization's IT/OT security. This complexity is the source of many of their problems with reliability, usability, and security.
Recently, at the France CIO and CISO Executive Summit, Christoph Schuhwerk, CISO in Residence — EMEA at Zscaler, led a session on how two strategic paths for streamlining your security stack to a selection of highly versatile partners can help empower security teams and simplify architecture to better protect critical connected devices.
The session focused on how to consolidate your security stack to a few central platforms by leveraging the unique abilities of each, how to free application teams to take control over their entire value chain and delegate meaningful decisions on development speed and cybersecurity, and how modern platforms enable consolidation and a DevSecOps “shift-left” approach through revolutionary architecture.
Following the summit, Christoph is sharing insights and key takeaways on the topic and on how CIOs and CISOs can simplify and streamline their approach to IT/OT security.
What was the central theme of your session?
The central theme was that just as we secure users and cloud workloads, IoT/OT security should be based on the enforcement of business policies, rather than trying to establish and secure a network perimeter. Zero trust network access provides a framework for implementing this type of security.
What are some of the challenges IT and security executives face in this area?
As CISOs and CIOs know, IoT/OT devices present their own set of challenges when it comes to cybersecurity. Vulnerabilities are common since manufacturers often view security as an afterthought, updates often don’t adhere to an appropriate cadence, and many devices don’t support the installation of endpoint agents, which makes security difficult.
On top of that, it’s often necessary to grant third parties access to these devices for routine maintenance or troubleshooting. Securing such access is a challenge, and failure to do so opens organizations up to compromise by bad actors.
According to Zscaler threat research, IoT/OT attacks are up 45% over the previous year.
Why is it critical for the Evanta CIO and CISO communities to have this conversation now?
As IoT/OT devices proliferate and become increasingly essential to operations, the challenge of securing them requires an effective, standardized solution. These devices are often discoverable from the public internet, making them a vulnerable extension of organizations’ attack surfaces. Given their importance to many companies’ day-to-day operations, ransomware actors recognize them as attractive attack vectors for extorting targets.
But there are techniques that can reduce the chances of threat actors successfully compromising these devices. It starts with a reduced emphasis on perimeter-based defense in favor of a per-user, per-session implementation of well-crafted business policy enforcement.
We also discussed the importance of creating a “security-first culture” – a company-wide “shift-left” – when it comes to defending operational technologies against attacks.
What were some of the takeaways from the session?
- As the threat landscape evolves, classic IT architecture has failed to keep pace.
- Modern zero trust architecture is a mature, widely used, and stress-tested approach to securing users, workloads, and IoT/OT devices.
- The creation and maintenance of sound cyber-business policies are essential to the proper functioning of any zero trust ecosystem.
Christoph is a senior enterprise architect, cloud, network, and cyber security expert with more than 20 years of experience across various industries, company sizes, and cultures. After almost a decade in global technology and strategy consulting, he led cloud and zero trust transformations at the E.ON group, one of the largest European energy grid operators. He is highly engaged in the field of sustainability and regularly shares his ideas in podcasts and event keynotes.
To learn more about IT/OT security and other key topics for CIOs and CISOs, join an Evanta community. If you are already a member, sign in to MyEvanta to explore opportunities to get together in person and exchange best practices with your IT and security peers.