IT/OT/OMG/GRC

68 degrees. A slight breeze off Lake Michigan. The skyline doing its usual evening flex.

Then my watch buzzed.

9pm Teams invite. War room. The kind of notification a risk manager never wants to see.

I opened the laptop. There it was. A ransom note. A demand for a cryptocurrency I had never heard of. One facility hit. Cost of downtime: roughly $1,500 a minute.

That number is the whole story of manufacturing security in one line.

Manufacturers run on razor-thin margins and total technology dependence. Securing IT and OT is not a single problem with a single budget. It is two problems competing for the same dollars, and one of them always loses.

So teams make a choice. They protect against the highest-likelihood event, the corporate network getting compromised through email or a bad attachment, because that happens constantly and it is visible. The highest-impact event, the production line going down completely, gets the leftover budget and a prayer.

This is not a competence problem. I want to be clear about that. The teams I have sat across from in these war rooms are sharp, exhausted, and doing the best they can with a budget that was never built for the threat they actually face.

The result is a pattern I see across the sector: security by obscurity. Pour the real investment into IT, the ERP, email, chat, the places where a careless click is most likely to start the fire. Then try to "hide" the OT environment behind segmentation and VLANs and hope nobody finds the seam.

Hope is not a control.

Wherever there is a way for an employee to undo the work of the security and risk team, someone eventually will. Not out of malice. Out of normal human behavior colliding with a network design built on the assumption that nobody would look too hard.

If your OT risk strategy depends on attackers not finding the door, you do not have an OT risk strategy. You have a countdown.

What does your organization weight more heavily right now, likelihood or impact? I would genuinely like to know where other GRC and OT security people are landing on this.

If you are staring at this exact tradeoff and want a second set of eyes on your OT risk posture, reach out. Happy to talk through it.

#GRC #OTSecurity #ManufacturingSecurity #Ransomware #RiskManagement #ICSSecurity #CyberRisk #ITOTConvergence
