Accountability for risk management of operational technology (OT) vendors is often unclear, but IT components embedded in OT can potentially disrupt critical production processes. CIOs must get involved to help mitigate the immature software life cycles and security management processes of OT vendors.
Table of Contents

- Analysis
  - When Should a CIO Consider Getting Involved in Managing OT Vendor Risk?
    - Key Intrusion Examples
- Impacts and Recommendations
  - OT vendors lack experience in addressing software life cycle and security management processes, and consequently introduce vulnerabilities to enterprises — CIOs are uniquely positioned to help manage these vendor risks across the entire IT/OT spectrum
  - Issues around authority, organizational boundaries and lack of trust between CIOs and operations/engineering team leaders prevent enterprises from adopting standardized vendor risk management practices across the IT and OT vendor ecosystem
  - Due to a lack of sharing, transparency and accountability among CIOs and operations/engineering team leaders, many common OT vulnerabilities are unknown to the enterprise and remain unmonitored — and could have potentially devastating consequences
  - Many OT vendor risk management programs are either nonexistent or too immature to enable CIOs to adequately and effectively mitigate enterprise-class vendor risks
- Gartner Recommended Reading