When it comes to cybersecurity measures, calculating the return on investment has always been difficult. As with any risk mitigation method, how much is enough? And even if the disaster you fear never happens, did you spend the right amount? Too much? Or too little, and you were just lucky?
When it comes to ensuring cybersecurity for industrial OT environments, Honeywell Process Solutions has developed a better way based on more than 30 years of experience helping protect the assets of approximately 10,000 customers, according to Jazeem Mohammed, director of global industrial cybersecurity at Honeywell, a leader in industrial automation systems for critical infrastructure.
The traditional way of investing in cybersecurity starts with a transactional, customer-defined engagement that may or may not achieve the organization’s true goals. “This is an outdated execution model that subsequently loses sight of the value of the services delivered and places full responsibility for risk management on the customer,” explained Mohammed during a presentation at the Honeywell Users Group (HUG) conference in Madrid this week.
In contrast, outcome-based services are a strategic contract agreed to by both parties: Cybersecurity is treated as an ongoing effort, clients pay for intelligent outcomes, and the two parties partner to create a common roadmap for the future. “You’re buying outcomes, not solutions,” he said. Outcomes mean that OT technologists have had enough time to develop standards and regulations that describe the quality of cybersecurity systems.
“And compliance with standards relevant to your organization is a key outcome we can help you achieve,” he said. Beyond compliance with industry standards, quantifiable outcomes can be addressed, including risk mitigation, operational safety, workforce development, resiliency and business continuity.
The program is modeled after one the company developed 12 years ago, and is designed to work with industrial customers to deliver specific outcomes for users of Experion PKS control systems. A key difference is that with OT cybersecurity, nearly every factory and every company has already started, and they may have a variety of systems in place beyond Honeywell. “Instead of changing platforms, it’s about how we can help them continue the work they’re already doing,” Mohammed said.
Honeywell’s methodology begins with a deeper understanding of a client’s current position on the Cybersecurity Maturity Index, then maps out a path toward an agreed-upon state, often compliance with a relevant industry standard. A range of quantitative key performance indicators (KPIs) and key risk indicators (KRIs) creates a “posture score” and documents progress along the way.
“This program provides clear visibility into the investments we need to make to improve cyber outcomes in a timely manner,” Mohammed said. “We focus on outcomes, we focus on where we are and where we want to go.”
