EE Times Europe – Shorter OT sales cycles for cybersecurity are a sign of greater concerns

There is a trend in the operational technology (OT) cybersecurity market today where sales cycles are dropping 75% from 18-24 months to just six months.

This trend clearly stems from the growing risk that industrial companies face in the global cybersecurity landscape and from the economic uncertainty that many decision makers are beginning to worry about. Let’s take a look at two recent headlines to understand where this sentiment is coming from.

First, is Toyota facing any further setbacks from supply chain issues in 2021? In late February, one of the world’s largest automakers announced it would halt production across Japan due to a cybersecurity attack on one of its plastics suppliers. It also coincidentally happened almost immediately after the automaker announced it would pull its operations out of Russia in response to hostilities in Ukraine.

In March, an FBI bulletin said “evolving intelligence” showed an increased threat to the US energy sector from what appeared to be Russian-based hackers. The bulletin goes on to describe abnormally high scanning activity from more than 100 suspicious IP addresses and asks companies to remain vigilant.

Although the risk posed by these specific IP addresses remains to be determined, it is clear that American companies are a very popular target, with an 82% increase in ransomware attacks between 2019 and 2021, according to the FBI. Specifically, 40,000 cybersecurity attacks have been reported to the agency since 2018, resulting in hackers reaping $150 million in payouts.

These shortened sales cycles therefore come from companies that understand that it is no longer enough to appease regulators. They need to secure their facilities now, without impacting productivity.

It is up to CISOs to dive into the details and understand what the unique needs of their OT installations are. This can only be achieved by cataloging each piece of equipment in the company’s OT network and its characteristics. Only then can the key questions be answered:

  • Are they still supported by the manufacturer’s cybersecurity patches?
  • What are their main vulnerabilities and what steps can be taken to mitigate them?
  • How crucial is this machine? What will happen if it breaks down?
  • Will hackers be able to access other network features if a device is breached?
  • Ultimately, what will be the financial impact on the business in the event of a cyberattack?

Only by conducting this in-depth risk assessment using mapping tools combined with breach attack simulation will CISOs begin to speak the same language as executives, whose buy-in is essential for implementation.

CISOs should further take this opportunity to explain to their leadership team that losing full or even partial operational capabilities to a cybersecurity attack is not an option. It’s up to them to explain that hundreds of thousands of dollars in lost revenue, business interruption and tarnished reputations are entirely preventable.

To make matters more complex, this growing need for OT cybersecurity is happening at the same time as concerns about the global economic downturn are being raised.

The CISO must respond to these two contradictory pressures: optimizing the budget while ensuring the security of assets. Only by developing a clear OT security plan to present to the board can a strategy be properly thought out and executed.

This means correlating security breaches to business impact and prioritizing accordingly. During the presentation, cybersecurity leaders should show projected risk reduction figures once these projects are implemented and use tools that optimize the use of expert manpower. Only once this goal is achieved can full buy-in and support be expected.

Shorter sales cycles are welcome, but proper implementation and buy-in are even more important.

Mary I. Bruner