Can you measure the outcome of your cybersecurity investments?


When it comes to cybersecurity measures, return on investment has always been difficult to calculate. As with other forms of risk reduction, how much is enough? And if the feared disaster doesn’t materialize, does that mean you spent the right amount? Too much? Or too little and you just got lucky?

In the case of ensuring the cybersecurity of industrial OT environments, Honeywell Process Solutions has developed a better way, based on more than three decades' experience helping to secure the assets of some 10,000 customers, according to Jazeem Mohammed, global industrial cybersecurity director for the leader in industrial automation systems for critical infrastructure.

The traditional method of cybersecurity investment starts with a transactional, customer-defined initiative that may or may not accomplish an organization’s true goals. “It’s an outdated execution model after which the value of the service provided is not visible, and the customer retains full responsibility for risk management,” Mohammed explained in a presentation at this week’s Honeywell Users Group (HUG) meeting in Madrid.

In contrast, outcome-based services are strategic agreements entered into by both parties. Cybersecurity is treated as an ongoing pursuit; the client pays for intelligent results; and the two parties partner to develop shared roadmaps for the future. “You are buying an outcome not a solution,” he said. By an outcome, he meant a measurable result: technologists in the OT realm have had sufficient time to develop standards and regulations that describe the qualities of cybersecure systems.

“And compliance with the standards relevant to your organization is a key outcome that we can help you achieve,” he said. Beyond compliance with industry standards, quantifiable outcomes that can also be addressed include risk reduction, operational safety, workforce development, resilience and business continuity.

The program is modelled on one that the company developed a dozen years ago to work with industrial clients to deliver specific outcomes for users of its Experion PKS control systems. A key difference is that in the case of OT cybersecurity, nearly every plant and every company is already on a journey and may have an array of non-Honeywell systems in place. “It’s not about changing your platform, but how can we help you continue the journey you’re already on,” Mohammed said.

Honeywell’s methodology begins with gaining a better understanding of where a client currently stands on a cybersecurity maturity index, then mapping a journey forward to an agreed-upon state, often compliance with relevant industry standards. A range of quantitative key performance indicators and key risk indicators (KPIs and KRIs) make up a “posture score,” documenting progress along the way.

“The program will give clear visibility on the investment required to improve cyber outcomes in a timely manner,” Mohammed said. “We look at the outcome; we focus on where you are now, and a vision of where you want to go.”