What Maritime-based CISO should know
Andrzej Gab, June 2024


In today's world, every organization should already have a cybersecurity strategy in place. In those where the risk coming from digital systems is significant, or that are simply medium or large, the position of CISO (Chief Information Security Officer) has been established to execute the strategy. The CISO, a senior-level executive, is responsible in every organization for protecting assets (data, information, intellectual property, technologies, systems, etc.) and for reducing IT, OT and other digital risks. What we have observed for some time is that, with the increase in threats and attacks in the maritime domain, some maritime organizations have also created CISO positions within their structures, some prompted by an additional stimulus such as an incident. But the requirements for the role of a maritime-based CISO are quite specific, so I would like to present several points that a maritime CISO should know, address and take care of.

  1. Understanding the Maritime Cyber Threat Landscape: A maritime-based CISO must be well-versed in the specific cyber threats that target the maritime industry and must understand the business he/she works for. They don't need to be experts in all kinds of cyber threats (that's why a team of experts, both internal and external, is assembled), but they must understand the business connections and the processes specific to what they need to protect, gather information about looming threats and assess their potential impact on the organization. Awareness of these threats will help in developing targeted defense strategies.
  2. Regulatory Compliance and Standards: The maritime sector is heavily regulated by statutory compliance requirements, so CISOs should ensure that their cybersecurity practices comply with international regulations. There are requirements such as the International Maritime Organization's (IMO) guidelines on maritime cyber risk management, as well as industry standards like the ISPS Code (International Ship and Port Facility Security), IACS UR E26/E27, NIST, NIS 2 and ISA/IEC 62443-2-1 where applicable. These standards and compliance requirements are not things to be applied thoughtlessly; they need to be arranged in relation to the business one conducts and in agreement with it. Hence, at this point, the CISO's role is best seen as a bridge between business and secure technology, so that cybersecurity is not treated as an obstacle to conducting maritime business or other activities, but as their essential and integrated support.
  3. Securing Shipboard Systems and Port and Onshore Systems: All of the below is "in one bag," but of course each type of maritime business has its own requirements. Shipboard systems, including navigation, propulsion and communication systems, are critical to maritime operations and must be secured. Cybersecurity measures must extend to onshore systems, including port management software, cargo handling and logistics systems. CISOs should work on securing the entire supply chain and consider the cybersecurity posture of third-party vendors. To properly protect assets, third-party access and the supply chain, CISOs must build and organize their team(s) and support business units in acquiring, maintaining and enhancing cybersecurity skills. They must also decide where to go "broad" and where to go "deep" in building expertise.
  4. Incident Response and Recovery Plans: CISOs should initiate the building of, develop, test and regularly update incident response plans to quickly address cyber incidents, whose nature is constantly changing. This includes establishing clear communication channels, roles and responsibilities, as well as recovery procedures to minimize downtime and financial loss. These plans should be verified as frequently as possible together with the business, not only during table-top exercises but also in a form as close to real life as possible. A good test is also to regularly check what others know about us, i.e. what is exposed to the Internet or through public digital communication channels. Even if we are assured that everything is fine, from time to time acting on a TNO (Trust No One) basis yields a lot of surprising insights.
  5. Training and Awareness Programs: All captains know that human error is a significant risk factor in maritime operations. Surprisingly, the same holds in cybersecurity. CISOs need to implement comprehensive, role-based training programs for all employees to recognize potential cyber threats, understand best practices and respond appropriately to incidents. In particular, it is necessary to enhance the cybersecurity skills of those maritime positions which, until now, were perceived as distant from IT or OT, as digitization has come to them suddenly and unexpectedly, and today they already use computer or digital tools, directly or indirectly, most of the time.

I believe that maritime cybersecurity teams with their CISOs are essential in navigating the complex cyber threat landscape specific to the maritime industry, ensuring compliance with international regulations and securing both shipboard and onshore systems. They serve as a critical link between business and cybersecurity, fostering an environment where digital protection is seamlessly integrated and viewed as a supportive element rather than a barrier to maritime business activities.


*Chris - thank you for your support
