Time For Action, We Have Plenty Of Advice
Dale Peterson
ICS Security Catalyst, Founder of S4 Events, Consultant, Speaker, Podcaster, Get my newsletter friday.dale-peterson.com/signup
Seth Godin manages to put a lot of wisdom in his short daily blogs. This one hit me last week (key excerpt below).
Generally, the advice isn’t really the hard part. There’s endless good advice just a click away. ... We might not need better advice. We might simply need to do the work of being able to work with the good advice we already have.
Jen Easterly and the team at CISA have put out a lot of (mostly) good, 101-level advice over the last four years. So have the Department of Energy, foreign government agencies, industry groups, standards organizations, and even consultants and pundits. Most of it isn't new or noteworthy. It's conventional wisdom and good practice that has been documented for years or even decades.
The latest Secure By Design and Secure By Deployment program documents are great examples. They aren't wrong, and they aren't new. The companies that signed the pledge didn't think, "now CISA has told us how to do Secure By Design and we can start doing this." Their teams are filled with smart people who knew all that was published and more.
Steve Lipner, one of the creators and authors of Microsoft's Security Development Lifecycle (SDL), gave the keynote at S4 in 2008. You could call the SDL an early version of Secure By Design. The advice captured in the SDL book was important. More important was the fact that Microsoft took action to implement the SDL and dramatically improved the security of its products.
After S4x08 I know of a few ICS vendors who embraced the SDL, took action, and improved their products' security. Even with the knowledge in hand, it wasn't a straightforward path. But they wouldn't have experienced and learned from the mistakes if they hadn't taken action.
OT security professionals and the companies they work for don't need more high-level advice. A lack of 101-level advice on what to do isn't what is slowing people down. There is too much advice. It exceeds what any asset owner, vendor, or regulator can take in and act on.
The challenges for OT security professionals, where we need their experience and talent, are to determine:
OT Digitalization Evangelist at Remuscon Oy / Domain Specialist for Cybersort
1 month: Appreciate your work and comments, Dale Peterson. Anyway, there should be some common guidance in this market also. Somebody just wrote that it is not the security professionals that take the hit, it is their customers.
Insightful article, Dale! We couldn’t agree more about the importance of moving from advice to action in OT cybersecurity. As you highlight, the challenge often lies in bridging the gap between strategy and execution. That’s why solutions need to align with operational realities, empowering teams to make informed decisions quickly and effectively.
figure it out isiahjones.com
1 month: Pay us to do the actual work. The end. It’s not rocket science. Not talk about it at conferences or on Zoom meetings or another publication or layoffs so you can buy another cool product and golf with investors etc. Until then security is a dead profession. It’s been hijacked by people managers. If they still need advice after 20 years then they’re not experienced enough to even be involved in the first place. Start there. Stop spending all of the money on bloatware aka products and management etc. This is what happens when you downsize individual workers in exchange for everything else. Work stops getting done.
Converging IT/OT
1 month: I think this is a central theme of the human condition. This article could be about getting healthier or finally starting that business. Let’s get moving!