Kyle: I actually see a lot of the challenge is in policy and organization. So, when I say policy, there are a lot of requirements and standards and certifications that, when you go into an operational technology network, that's competing with a lot of your security best practices.
The best example that I have is — I'm going to jump to aircraft for a second here. You have FAA certification of making sure the plane can fly, and that your code is certified so that the plane can fly, and then you have security that wants you to be continuously patching every quarter. FAA certification takes longer than a quarter, so how do you balance those competing priorities?
Those types of policy challenges are some of the largest challenges to work through. And then, when you start talking organization, when I go back to talking about how, in the corporate network, it's well-understood: your CISO and your CIO, they are working together, they've had to work together. In a lot of cases, until recently, the CISO's been the CIO. That is a well-understood relationship. When you start talking with operations, there is a lot of, "I don't want security touching my operations network. What if it breaks?"
So, the way that you try to account for those challenges is, for one, you can't swing one direction or the other fully, right? You know, security can't come in and say, "Hey, do quarterly patches," because the response is just going to be "no." And then, on the flip side, operations can't say, "Hey, security, get out of my space. I'm just going to keep my network vulnerable."
And, so, working together to get tailored approaches, and then really starting to dive into what makes the most sense for the organization, and then being able to layer in the technologies as it makes sense, and start small.
So, this is more to the security side of the house; don't go straight to locking yourself out with a bunch of policies. Put in some monitoring, see what's on the network. Once you're comfortable with that, you can add in some additional insights. You can add in more detailed enforcements. And then you can start taking automated response and active protection, which is where, for you to properly secure a network like this, you need to be able to actively protect against a threat, because someone is going to attack you, at machine speed, you need to respond to it. You can't go straight to that. You need to start small and grow as you gain confidence in your security solution.