23 Nov 2023

Cyber risks are a matter for the boss: the responsibility of management and the board of directors in critical infrastructures

Critical infrastructures, which serve the community, are particularly in the spotlight: in the eyes of the state and of citizens, but also as a potential target for attack. The situation becomes especially delicate when it comes to the security of operational technology (OT) in critical infrastructures. Recent NZZ reports on targeted attacks on OT systems underline the urgency of the issue. Against this background, the involvement of management and the board of directors as key players is becoming increasingly important.

We offer an insight into how those responsible for security can work productively with these bodies.

Step 1: Teaching the basics

The mission of the management board (MB) and the board of directors (BoD) is to keep the company able to act, to act economically and to assess risks realistically. Imparting basic knowledge about processes, technologies and their risk exposure is therefore very important: without knowledge of cyber security, a realistic risk assessment is not possible. Even if solid cyber skills are represented on the Board of Directors, it is advisable to structure this knowledge transfer together with external expertise and to identify priorities.

The Board of Directors should understand the risks and threats to OT systems and be able to assess the potential impact of security incidents on the company and society. 

How do you assess your cyber security maturity level? 
Thanks to a well-founded analysis, we help you to understand where you stand and how you can further develop and expand your maturity.

Step 2: Risk assessment

A comprehensive risk assessment is essential. Management should be able to quantify and understand the risks to OT systems. It is also important that the operating divisions are given the financial resources to reduce risk, especially at those times of year when budget allocation is debated at length.

Some companies still assume that a central IT budget is sufficient. The findings from successful attacks show that it is not.

Step 3: BCM, monitoring, emergency planning

The responsibility does not end with prevention and investment. The Board of Directors must understand how the company responds to security incidents and how it ensures the restoration of critical functions.

A company can describe itself as "well prepared" if:

1) ... separate business continuity plans have been implemented;
2) ... a clean inventory exists;
3) ... continuous measurement and monitoring of operations is ensured;
4) ... emergency scenarios have been set up, planned and tested.

How do you translate insights from analysis, compliance requirements and frameworks such as NIST2, ISO & others into a successful cyber strategy? 
We activate companies and build strategies that combine technology, processes and people.

Step 4: Working with the human factor

A security strategy is only as successful as the support and resources it can gain. In other words, in addition to a budget for cyber security, it requires comprehensive integration into the company. What many companies in the field of operational technology (OT) know from their work on "safety" also applies to cyber security:

  • Companies that develop a safety culture can count on greater resilience.
  • A safety culture requires attention to the topic (awareness), time for employees to adapt their behavior to safety measures, and training.
  • Successful safety cultures apply across the board; there are no exceptions for management or for the production site just to make processes easier.
  • In turn, safety measures are designed so that they anticipate human behavior and interfere with it as little as possible.

Step 5: Transparency and collaboration

Transparent communication with management and stakeholders is essential. The regular exchange of security reports enables the Board of Directors to build up expertise and take appropriate measures.

We are also seeing constant change in attack vectors when considering the risk situation. These must therefore be continuously discussed, prioritized and operationalized.

Overall, the understanding and active involvement of the Board of Directors in OT security is essential. This ensures that realistic risk assessments are made and that legal requirements are met. Strong OT security not only contributes to the protection of critical infrastructures, but also ensures the well-being of society. The Board of Directors is therefore not only a steward of the company, but also a guardian of digital resilience.
