What's It Going to Cost You?

A constant issue with Industrial Automation Control Systems (IACS) is that the company's security personnel complain that there is not enough funding to properly implement an effective cyber security program.  So, as companies are beginning a new year, this is a good time to revisit your 2018 budgets to make last minute adjustments and ask if Cyber Security is adequately funded for the risks that you face?   Maintenance costs, marketing, and new accruals possibly will have more monies due to our familiarity with these important business structures.  Cyber security is an unknown and may show up in the budget only due to a security director's insistence.  And, how do we really know what to budget?

Cyber security is making the news and making the headlines which means that its getting closer to us every day.  And, what will be the outcome of the company it has just one incident....could it mean a catastrophic event that could harm individuals,  or costs us millions of dollars, or ruin the company's reputation?  Any one of these could devastate the company that has thoughtfully put together a meaningful budget with the intent to grow the business.   This could be the year that a cyber event occurs and are you ready?  And, do you know what it's going to cost you if it does occur?

Maybe, this year look beyond the normal spreadsheet and make sure that there are line items in your budget for cyber security that include:  

1. Cyber security compliance and appropriate security controls (costs to meet the company's existing security policies and practices)
2. Cyber security expertise (Cyber security is changing daily so plan to have audits and assessments of your business by 3rd party auditors to assure that you are secure).  An early audit could provide you an estimate of the required budgeted amount for your cyber security needs. 
3. Cyber security talent - It is imperative to have a good cyber team that includes: process controls engineers, security professionals, operators, maintenance personnel, and management.  At least 2 of these team members needs to be very proficient in regards to cyber security, process controls, and the policies and standards for your company's industry. Allow monies to assure you have the talent to protect your company.

Companies need to be proactive and plan for cyber security to make sure that the company is protected because just like the company needs fire extinguishers, smoke detectors, and sprinkler systems, etc. to protect against fire, the company also needs to plan accordingly for cyber security.  Recovery costs which are the expenses associated with a cyber event will be much lower if the above line items are included in your annual budget especially if the company has followed its own security policies and industry standards.  Being proactive in regards to cyber security and depending on the company's recovery plan from an event can not necessarily assure that including budgeted line items will definitely result in lower recovery costs but it will put your company in a better position to avoid cyber security recovery costs which can debilitate your company.

By Meredith Allen, PE, PMP, CEH