Cyber Resilience
Operational Resilience

Nexus Podcast: Walter Risi on the CISO’s Journey from IT to OT

Michael Mimoso / Jul 10, 2023

Chief information security officers are being tasked with securing operational technology as more enterprises embrace digital transformation and converge IT and OT security management. This journey has come home for many security leaders who must now not only understand new threats and technologies, but also where gaps may exist between IT and OT, and how to work toward resilience as an end goal. 

In this episode of the Nexus podcast, Walter Risi, the Global OT Lead and the Technology and Cyber Security Consulting leader at KPMG in Argentina, discusses the CISO’s journey from IT to OT and brings his extensive experience to the conversation. 


“As companies start to blur the differences between IT and OT … CISOs are getting to the need to be involved in OT cybersecurity,” Risi said. “As companies are connecting IT and OT and starting to think of this just as technology and not IT and OT as separate things, CISOs are starting to get their hands dirty. We have a lot of conversations with CISOs starting the OT journey.”

Risi explains what's driving this convergence of security disciplines, and the challenges security leaders are facing across industries. He also explains why resilience should be the goal of enterprise security programs, the tools and experience necessary to successfully converge IT and OT security operations, and the importance of bringing cybersecurity awareness and experience to OT engineers and operators. 

The journey can begin in one of two ways, he said: either by first understanding your organization’s maturity level and risks, and working toward a governance model that upgrades existing infrastructure, or by first building visibility, fixing outstanding issues, and implementing monitoring and response procedures.

“Attackers are not going to wait until you finish your governance structures to attack your company,” Risi said. “You need to have both in parallel to build a sustainable OT cybersecurity program.”

The goal, meanwhile, should be building resilient systems that can withstand intrusions, resume operations quickly, and maintain critical OT mandates around safety and availability. Hoping to avoid incidents isn’t a viable strategy, he said.

“Attackers are always evolving, they move very fast, and they don’t have regulations or restrictions,” Risi said. “Despite how many things we have in place, we must assume the chance of being attacked is real and we must be ready to respond. The second part of resilience is recovery: how fast can you recover from an attack? You may contain the attack quickly but how fast can you get back to normal operations?”

Risi also discusses the improving maturity level of OT cybersecurity overall, but concedes that it still lags behind the decades-old maturity of IT security. 

“It wasn’t long ago that companies weren’t aware of the importance of cybersecurity and felt it was only an IT thing. We’ve been doing IT cybersecurity for decades, but I think [OT cybersecurity] is moving quickly, but we’re still lagging behind,” he said. 

Risi added that enterprises starting OT cybersecurity programs should begin with maturity assessments.

“While some companies may be reluctant to do this,” Risi said, “having a deeper understanding of maturity is valuable for several reasons. Often [your maturity] is not zero; often you have many things in place. On the other hand, doing a maturity assessment also helps raise awareness as a side effect. Executives can look at the results [compared to industry benchmarks] and see they may have a risky situation.”


Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.
