Gaining organizational buy-in to execute a cyber roadmap requires executive sponsorship, a unified strategy, effective communication, and a collaborative approach with cross-functional teams. Bringing these together is a challenge for many organizations, because it demands a dedicated team and disciplined use of resources.
Without adequate expertise and governance in place, organizations can introduce new processes and technology prematurely, before understanding the complexities and critical processes of the organization. No matter how sophisticated the security technology, people are crucial to the success of an OT security program. It is imperative to work with key stakeholders to ensure the cyber strategy aligns with the true needs of the business.
CISOs seeking to enhance enterprise-wide cybersecurity with critical OT security controls that enable industrial productivity can gain insights from what global manufacturing giant Church & Dwight has done. The Ewing, N.J. packaged goods manufacturer of brands including Arm & Hammer™, WaterPik® and OxiClean™ chose to partner with Rockwell Automation to implement capabilities that have improved OT security without sacrificing the efficiency of its manufacturing operations.
To achieve this goal, Church & Dwight’s security leaders harnessed a people-centric strategy by:
- Building strong business relationships among the manufacturing, IT and OT teams, as well as the executive leadership team
- Driving strategy alignment between the business needs and the organization’s security initiative
- Consistently nurturing a strong, pervasive security culture that elevates everyone’s cyber awareness to help keep the organization’s operations safe
Fostering Internal Buy-In
Church & Dwight’s key objective was to understand its cybersecurity risk posture and gain visibility across IT and OT networks. The first step to increase visibility was to conduct manufacturing site assessments at all Church & Dwight facilities. The IT cybersecurity team needed to understand both the strengths and the vulnerabilities across the company’s OT networks, including privileged users, assets and other resources. “We visited each facility in person and built relationships with key stakeholders within each plant,” said Church & Dwight CISO David Ortiz. “We wanted to make sure they understood our strategic goal to reduce cyber risks, while maintaining availability at the manufacturing sites.”
In partnership with Rockwell Automation, Church & Dwight conducted a series of workshops at its manufacturing sites based on the NIST Cybersecurity Framework. The assessments were kept tightly scoped to avoid taking up too much of the plant operations team’s time, and the security team’s priority became detecting anything potentially malicious. “The right approach was to not over-architect these assessments,” Ortiz said.
To minimize the impact on production from cybersecurity deployments, Ortiz and his team spent time at each manufacturing site to connect with stakeholders and understand how each site operates.
Corporate leaders are also important partners, and they need to know how cybersecurity risk translates into business risk. Buy-in from the board of directors and the C-suite is critical to prioritizing OT cybersecurity investments. The Church & Dwight cybersecurity team initially partnered with the company’s executive leaders to agree on specific goals and outcomes.
In addition, providing plant assessment findings in a digestible, easy-to-understand format using a risk-based framework made the information accessible to a range of stakeholders, tying cybersecurity recommendations to operational requirements such as safety, uptime, reputation and financial considerations.
Building Trust to Boost Security
Today, people are at the center of many cyberattacks, as malicious actors use social engineering and AI to exploit weaknesses in human behavior. IBM Security researchers found, for instance, that spear phishing was the initial access vector in 38% of OT-related incidents.[i] Building a security-oriented culture is therefore imperative for strengthening protection against attacks that exploit human factors.
At Church & Dwight, the relationships and trust built through the partnership between the IT and OT teams have further strengthened a culture of security. The collaborative effort continues through quarterly check-ins among IT, cybersecurity, and manufacturing teams. “The people at the sites need to be aware of what’s happening and why, to feel like they’re contributing to something that’s important to the organization,” Ortiz said.
Modernizing cybersecurity across IT and OT operations gives organizations the visibility to shield critical assets from rising threats and to prevent incidents more effectively. For Church & Dwight, the outcomes of the security initiative included a more efficient incident response process and a risk-based approach that lets the security team identify and remediate the most critical risks quickly.
Ortiz emphasized that cybersecurity is a never-ending quest. “There’s always room for improvement, and there are always emerging threats to work through as a company,” he said.
CISOs with experience protecting IT operations must adapt and extend their scope to help protect OT operations from threats that could impact the availability of manufacturing. A holistic cybersecurity program requires continuous evaluation of security gaps, vulnerability and exposure management, threat monitoring, and resilience readiness. Building good partnerships with production teams and business leadership will also help CISOs fine-tune and mature their strategies and prepare for what’s next.
To learn more, read the Church & Dwight case study.
[i] IBM Security, “X-Force Threat Intelligence Index 2023”