CISOs: The Expert Synergists
Thomas Leen, CISO, BHP, says the IT/OT problem is as much a culture problem as it is a technical challenge
Bring two CISOs to the same table, and guess what they’ll talk about. They will, most likely, start talking about the integration of Information Technology (IT) with Operational Technology (OT). One can well understand why that is. Today, CISOs play an essential role in balancing the two, while also bridging the gap between technology and the business side of things.
In a conversation with Vishal Salvi, CISO, Infosys, Thomas Leen, CISO, BHP, talks about how IT and OT within the same organization operate very differently. “The IT/OT problem is actually a culture problem. And as much as it is a technical challenge as well,” Leen points out.
According to Leen, one of the differences is language, and the other is the difference in pace. “You really have a two-speed environment,” says Leen, talking about the IT environment, where changes happen fast, while in the OT environment changes take time. He also notes that the integration aspect is really about bringing together these two teams, which have two distinct skill sets and two distinct sets of best practices.
"That's the key when it comes to IT and OT, from a security person standpoint: Understanding the difference between the two and making sure that you get the actual outcome that is intended by liberating both environments," says Leen.
Beyond the technology front, CISOs also play an essential role in bringing technology and business onto the same page, notes Leen, who calls the CISO’s role a dual-hatted one. He considers language important not only for IT/OT integration, where it is essential to understand the risk associated with technology, but also for speaking to the board and telling a story about what would impact business ambitions.
"For the right audience, if you want to talk to a group of IT people, you need to be able to talk that language that they understand. (In) the same way, you go to a board, you want to talk to them about what matters to the board, and how the work that you're doing is protecting that outcome," says Leen.