Digital Transformation (DT) from an industry 4.0 perspective is not a project but rather a strategy or a journey. Similarly, defining IT & OT Cybersecurity strategy and achieving maturity is also a journey and not a project in itself.
While cybersecurity needs to be an integral part of the overall DT strategy as a whole, for any smart critical infrastructure and or manufacturing business, it is important to understand that its not limited to the DT strategy but is applicable to the entire business operations as a whole (beyond DT initiatives).
Any DT initiative ignoring the importance/need of cybersecurity, increases cyber risks to operations, and could potentially create major issues/hurdles for a long-term DT strategy and can turn out to be costly for the business. DT is one of key drivers for many businesses initiating their cybersecurity program.
Stakeholders from both the DT team (e.g., Chief Digital Officer (CDO) / Director) and Cybersecurity team (e.g., Chief Information Security Officer (CISO)) need to understand the key tenants of a typical strategy / journey, each team plans to embark on, and should have common understanding of key goals to meet business objectives.
The diagrams below represents, at a high-level, an example of the steps both teams may initiate, or draw parallels from, to support each other's strategic objectives—rather than being in conflict with each other. Both programs need to cover all areas of automation stack (per ISA 95—part 2).
Example Steps for DT Strategy and Cybersecurity Journey
More context on the above steps are in the chart below:
Example Steps for DT Strategy and Cybersecurity Journey Brief
If you are embarking on such a journey, whereby both teams are starting certain initiatives in these two areas, it is always good to work as a single virtually integrated business unit/team to avoid repetitive tasks (e.g., conducting discovery on business inventory) and save business time, effort and costs on any potentially overlapping activities.
Businesses that are planning expansion (e.g., green fields projects/implementation) are in a perfect position to define, align and execute both these strategies.
For businesses planning for (or going through) mergers & acquisitions within the industrial space— if the newly acquired business, presents higher cyber risk levels with lower maturity in these areas, the overall organizational maturity (and compliance) can be impacted and can potentially cause negative consequences to the business. It may also require a re-org of these two teams. Therefore, it's highly critical that the acquisition party, as part of due diligence process, considers reviewing the maturity around these two strategies to identify cyber risks, and also potentially presents an opportunity to leverage the findings, to better negotiate the right deal.
A version of these articles are originally published on my newsletter on LinkedIn.
