Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.


Digital Transformation and Cybersecurity Strategy

Digital Transformation (DT), viewed from an Industry 4.0 perspective, is not a project but a strategy or a journey. Similarly, defining an IT and OT cybersecurity strategy and achieving maturity against it is also a journey, not a project in itself.

Cybersecurity needs to be an integral part of the overall DT strategy. For any smart critical infrastructure or manufacturing business, however, it is important to understand that cybersecurity is not limited to the DT strategy: it applies to the entire business operation, beyond the DT initiatives themselves.

Any DT initiative that ignores the need for cybersecurity increases cyber risk to operations, can create major hurdles for a long-term DT strategy, and can turn out to be costly for the business. Conversely, DT is one of the key drivers for many businesses that initiate a cybersecurity program.

Stakeholders from both the DT team (e.g., the Chief Digital Officer (CDO) or a Director) and the cybersecurity team (e.g., the Chief Information Security Officer (CISO)) need to understand the key tenets of the strategy or journey each team plans to embark on, and should have a common understanding of the key goals needed to meet business objectives.

The diagrams below represent, at a high level, an example of the steps both teams may initiate, or draw parallels from, to support each other's strategic objectives rather than being in conflict with each other. Both programs need to cover all levels of the automation stack (per ISA-95 Part 2).

[Figure: Example Steps for DT Strategy and Cybersecurity Journey]

More context on the above steps is given in the chart below:

[Figure: Example Steps for DT Strategy and Cybersecurity Journey Brief]

If you are embarking on such a journey, with both teams starting initiatives in these two areas, it is always good to work as a single, virtually integrated business unit. This avoids repeated tasks (e.g., conducting discovery of the business's asset inventory twice) and saves time, effort and cost on any overlapping activities.

Businesses that are planning expansion (e.g., greenfield projects or implementations) are in a perfect position to define, align and execute both strategies together.

For businesses planning or going through mergers and acquisitions in the industrial space, a newly acquired business that presents higher cyber risk and lower maturity in these two areas can lower the overall organizational maturity (and compliance posture) and cause negative consequences for the business. It may also require a reorganization of the two teams. It is therefore critical that the acquiring party, as part of its due diligence, reviews the target's maturity around both strategies to identify cyber risks. The findings can also be used to negotiate a better deal.

A version of this article was originally published in my newsletter on LinkedIn.

Muhammad Yousuf Faisal

M. Yousuf Faisal (EMBA, GICSP, ISO 27001 LA, CISSP, CISM, CISA) has more than two decades of industry experience in technology and cybersecurity, helping organizations across multiple industry sectors worldwide secure their digital transformation journey. He is the founder of "Securing Things," which offers cybersecurity advisory and consulting services, training, and solutions for both IT and OT/ICS/IoT environments. He holds a B.E. in Electrical Engineering and an Executive MBA.
