IT and OT: How CISOs can best handle the dangers of integration

A cartoon depiction of a smart factory floor to symbolise operational technology
(Image credit: Shutterstock)

The following article originally appeared in Issue 10 of IT Pro 20/20 as part of a new series that invites industry experts to give their take on some of the most pressing issues facing businesses today. To sign up to receive the latest issue of IT Pro 20/20 in your inbox every month, click here. For a list of previous issues, click here.

CISOs across the globe are faced with the daily reality that all IT systems are suffering attacks. Unfortunately, it’s difficult to predict when you’ll be targeted and how that attacker could move laterally to compromise your IT or even operational technology (OT).

One rising threat to IT infrastructure is the rapid integration of IT and OT. At LafargeHolcim, we are fairly OT dependent – cement plants are big sites with a lot of automated and low-level programming systems. It’s critical that we include this in our analysis so that we have a complete picture of the risks faced.

We provide each business unit with its own specific KPIs and risk assessments. This provides the intelligence they need so they’re armed with the necessary detail before taking any decision regarding the degree of risk they find acceptable and that which needs to be addressed.

Protecting even the most modern and efficient of infrastructures is not a passive task – my team’s job starts again every time the company takes on a new project or initiative, or deploys a new product. With uncertainty on all sides, there is a deep need for security and business needs to be better aligned. Ensuring the cyber team and business stakeholders understand each other’s priorities and speak the same ‘language’ is the only way to ensure that the organisation’s computing infrastructures are defended correctly.

For example, if a new IT procurement tool is to be put in place within our region, we make sure to work with the procurement team to identify any specific application-level risks. We also sense-check with people from the organisation who may have a completely different mindset – such as developers or programmers – to try and spot other less evident risks. When it comes to identifying risks to our infrastructure, it’s definitely the case that four sets of eyes can see much more than one.

This approach is how we successfully managed the infrastructure transition during the merger of Lafarge and Holcim a few years ago. While many assume the combination of two well-established IT systems would be a simple cherry-picking exercise, it was actually a full alignment from the ground up. We assessed, in detail, the whole IT security portfolio in order to understand what people, processes, and technology needed to be in place from the view of both companies. Working together with business stakeholders and the right partners made life so much easier, and led to successful projects in the vulnerability management, endpoint protection, and user awareness spaces just to mention a few.

Challenges to come

With a relentless stream of high-profile data breaches continuing to hit the headlines, protecting a company’s infrastructure is quickly moving out of just IT’s remit and fast becoming a business topic. The good news is, business leaders are paying more attention to IT systems, meaning they will hopefully get more attention and resources for protection. However, new technologies mean new attack vectors.


IT Pro 20/20: Meet the companies leaving the office for good

The 15th issue of IT Pro 20/20 looks at the nature of operating a business in 2021


As we navigate the ongoing fallout of the COVID-19 pandemic, home working and remote IT support will test many organisations’ infrastructures. Many companies were completely unprepared for the overhaul – and as such, their employees may face cyber attacks from people purporting to be from their own helpdesk, just to mention one example, allowing them to jump internally into the rest of the organisation’s infrastructure.

When looking at the threats faced, it’s important security teams iterate and evolve in the same way that hackers do. We have several techniques to put ourselves in the mind of attackers to try and spot the different vectors of attack we present externally. Once security teams have the awareness of how to protect against potential threats, they will then need to work hand-in-hand with business stakeholders to clearly define these risks in business terms.

Only then can organisations prioritise the best security mechanisms to mitigate those risks to their infrastructure.

CISO at LafargeHolcim IT EMEA