Cyber Senate Podcast

The Checks and Balances for Cybersecurity Readiness

James Nesbitt / Cyber Senate

Cyber Senate had the privilege of catching up with Willi Nelson, CISO, Operational Technologies, Fortinet to discuss their forthcoming presentation on Cyber Preparedness September 29-30th in Celebration Florida, for the 9th annual Control System Cybersecurity USA conference.  

Large or small, cyberattacks are making headlines and elevating executive attention toward cyber resiliency. Preparing for, responding to and recovering from cyberattacks should be a strategic part of any business continuity plan. As recent cyberattacks have demonstrated increased risk to both IT and operational technology (OT) environments, readiness equates to enforcement of rules and policies that provide the visibility, control and situational awareness to respond at the speed of business.  Cybercriminals are maximizing their opportunity by exploiting older vulnerabilities and an expanding attack surface. Strategic readiness should be underpinned with the notion that eventually an attack will happen, and when it occurs, you are proactively ready to respond. During this session, we will explore security considerations for developing cyber resilience covering security fundamentals and readiness planning to protect your IT and OT environments.


Willi joined Fortinet as the CISO for Operational Technology in August 2022. He brings more than 25 years of experience in Information Security working across industry verticals such as Healthcare, Telecom, Financials, Manufacturing, and Life Sciences. Most recently with GlaxoSmithKline (GSK), he established and directed the Global OT Infrastructure Security team charged with monitoring and protecting the OT assets for GSK. Globally, the team deployed 43 additional controls across the OT landscape assessed against NIST CSF and aligned business units to embrace a unified model for security, incident response, and risk reporting. During Willi’s tenure, he also oversaw the creation of the Security Organization and the Global Cyber Defense team for GSK’s Consumer Health startup (now called Haleon). Beyond building and leading the OT and Consumer Health security teams, he led the security team responsible for Cloud transformation for both IT and OT. Willi relies on a pragmatic and systematic approach to achieve company goals while also maturing the organizations and teams he leads.

 

Willi is a graduate of Rockhurst University in Kansas City, MO, USA and holds a CISSP (Certified Information Security Professional) certification in good standing. Willi lives in NW Arkansas with his family. He’s an avid outdoorsman, cyclist, woodworker, and veteran.

Good morning or afternoon depending on where you might do in the world today. warm welcome from the CyberSenate. My name is James Nesbitt. I'm the founder and director of the CyberSenate. And this morning we are going to be speaking to Willie Nelson, the new CISO for Operational Technology at Fortinet. Fortinet will be supporting as headline sponsors on the ninth annual control systems cybersecurity USA conference we host each year, it will be in Celebration, Florida this year, September 29, and 30th. That celebration Florida, September 29, and 30th, the ninth annual control systems cybersecurity USA conference with headline sponsors Fortinet, that's www.cybersenate.com backslash events. For those of you that would like to check out the agenda and the schedule, and possibly join us we'd love to have you. Willie Nelson joined fortunate as the seaso for operational technology in August of 2022. He brings more than 25 years of experience in information security working across industry verticals such as health care, telecom, financials, manufacturing, and life sciences. Most recently, with GlaxoSmithKline he established and directed the global ot infrastructure security team charged with monitoring and protecting the OT assets for GSK. Globally, the team deployed 43 additional controls across the OT landscape assessed against NIST CSF and align business units to embrace a unified model for security, incident response and risk reporting. During Willie's tenure, he also oversaw the creation of the security organization and the global cyber defense team for GSK as consumer health startup now called Haley on beyond building and leading the OT and consumer health security teams, he led the security team responsible for cloud transformation for both it and OT, Willie relies on a pragmatic and systematic approach to achieve company goals while also maturing the organizations and teams he leads with. He's a graduate of Rockhurst University in Kansas City, Missouri, USA, and holds a Certified Information Security Professional certification in good standing. Well, he lives in Northwest Arkansas with his family. He's an avid outdoorsman, cyclist, woodworker, and veteran. Thank you for your service. Willie, welcome to the show.
Thank you. Thank you for having me.
fantastic having you here today here today. And I know we've had a little bit of a chat previously about your history. And I've introduced your history at the beginning of the show here. But you used to work for GSK. That's right.
I did. Yes. About two weeks ago. Yeah. All week. I'm just starting my second week within fortnight.
Fantastic. Well, welcome. We're glad to have you here. And it sounds like you have an amazing amount of experience to share with the IoT security world having worked at GSK. And I know that Fortinet will be a fantastic opportunity as well with all the industries that they work with. So we have Fortinet, who are joining us on our ninth annual control systems cybersecurity USA conference that is taking place in Celebration, Florida on September 29, and 30th. That is our ninth annual event there. For those of you who are listening to this that used to join the CyberSenate. Previously, that show was in Northern California in Sacramento and then was relocated to Florida. But for any of those listeners out there that may want to see the agenda or possibly attend that's www.cybersenate.com backslash events. And you will see a listing of all the events coming up, including the one in Florida. One of the great topics that we're going to discuss today is on preparedness and Willie Nelson is going to provide a presentation for this conference in Florida, entitled the checks and balances for cybersecurity readiness. And I'm just going to give the audience a description here of that presentation. So you know, where some of the questioning from this podcast comes from, and of course, what you can expect to hear when you come to the show if you're able to make it. Larger, small cyber attacks are making headlines and elevating executive attention towards cyber resiliency. Preparing for responding to and recovering from cyber attacks should be a strategic part of any business continuity plan. As recent cyber attacks have demonstrated increased risk to both it and operational technology environments. Readiness equates to enforcement of rules and policies that provide the visibility control and situational awareness To respond at the speed of business, cyber criminals are maximizing their opportunity by exploiting older vulnerabilities. And an expanding tack surface. Strategic readiness should be underpinned with the notion that eventually an attack will happen. And when it occurs, you're proactively ready to respond. During this session, Willie will explore security considerations for developing cyber resilience covering security fundamentals, as well as readiness planning to protect your it and OT environments. So, with that in mind, it's bit of a mouthful, thanks for sticking with me while I read it all out. Willie, sounds like a great topic. Preparedness is something that it's been very key for us here, when putting together this event, and really trying to convey that the organizations that will be most successful now and in the future will be those that are able to pick themselves back up after an attack, and, and keep moving. And we see lots of examples of that, not from an OT perspective, but at least in the banking sector, where, you know, they've they've grown quite used to cyber attacks for quite some time. And they keep they keep moving, they keep their keep their production lines flowing, so to speak. So questions for you, Willie, are we seeing an uptake and readiness in the industry? What would your thoughts be?
Yeah, I think preparedness has always been, you know, in the back of everybodies mind, right? But in light of recent events, you know, really spanning the last several years, really, from my experience, last three to five years have really raised the awareness, right. From pipelines to farm and transportation, if you know not to name anybody that that has had issues, right. The boards are starting to get really involved in that discussion. Which, which turns the, the readiness discussion away from just the across the table here are our Are we prepared to now you get to report on it? Right. As a new associate within GSK, I really can't speak to what other customers are doing. But I can tell you from from my previous workforce, we had, we had dedicated individual that was that was working specifically on readiness across the across the organization, with the business with the operation center, you know, trying to make sure that the the responder knew, you know, what is good and bad looks like, but also what what should they be doing? And who should they call, when you look at a company like, like GSK, where I came from a global company, you know, having just the right phone number, sometimes it's hard, it's hard to come by right. And then be able to respond to something and knowing what what is real, is it's critical.
So, I speak to a lot of different companies in many different sectors, and what you're describing in your previous role, there is phenomenal. I mean, it's like an organization that has top down buy in right, and, and an element of preparedness. And we really now see that with a lot of different organizations out there that are different maturity levels, and just off the cuff here, I mean, how do you get C C level buy in? At that level? I mean, is that something that you inherited when you went to GSK? Or is that a culture that you helped develop there?
Last year, I guess you'd say inherited, that's that was part of what what brought me to GSK. Right? Was that was that by in the in this point in time, you're looking at, you know, 2019, you can look at news and you know, the wanna cry had just gone, just happened, right? No one wanted to be the next person in the news for that. The organization already had a program built for, you know, for OT, but it didn't quite have the, the focus that it needed. And there were several of us that were brought in specifically for for that focus. And, and that's, you know, that's really what led us to, you know, being able to work with the business. That partnership, you know, with the business is so important, because you can, you know, security, we quite often are the you know, we used to be the team of No, right? We have to enable the business and an OT, you take the triad, it's turned upside down. It's all about availability, and you can't be No, you have you have to work with this business. And that's, that's where the partnership starts. Obviously the getting buy in from from leadership.
What examples based on what you've just described there, what can you share with us? Are there any examples of of readiness that you might be able to share from that maybe from your GSK experience or possibly from I know, you're new in the role now, it probably still becoming acclimated with the fortnight client base that imagined, but I think I think it'd be really interesting to see what fortunate kind of says on that as well. You know, our, our, our is our client base or that are their maturity levels increasing with with this evolving attack paradigm, or are some organizations still straggling behind? And we're really having to help them?
Yeah, I would. You know, that is a great question. One that is loaded to some extent, right. Yeah.
Yeah, I apologize. It's, it's a hard one to answer. And it sounds to me like a lot of organizations are just at so many different levels there. So as far as readiness goes with, with an organization, such as your previous employer, I mean, what does that look like? Are we looking at team meetings and literally like fire drill exercises? Or what does readiness look like from from that
readiness at any organization is going to be, you know, it's all dependent on? What are you trying to solve for? Right, and it could be the we train the way we fight, we fight way we train that model. It could be do we have the right playbooks, right? Have we gone to the model of of bringing up mitre the minor attack and make sure that we have we filled in all the boxes? And look, do we have the compensated controls in place? Right? Have we built the compensating controls, and then as the business consumed those, and then just tracking those sorts of things. So from a fairness perspective, it could be any of those things or all of them. And really, those, those will span any organization, whether it's the large pharma, or the, you know, the the small mom and pop shop that's sitting somewhere in in Texas, you know, trying to build up their their own, you know, their own organization? Don't oil and gas kind of company.
Sure. Okay. Thank you. And in your opinion, what does cybersecurity mean to most organizations in OT, the staff know what to look out for? Or do you have any suggestions as to as to how this can be improved? What are the barriers?
Well, and you know, it's all about awareness. Right. So I think that historically, O T, was well known and in the IoT space, right, you, but everything else is ran through it. Okay, all your your your security controls, we have to air gap, we're good to go. Now that that has kind of changed. And the leadership, the board's, you know, executives are starting to have more awareness of their manufacturing facilities, their operations. I think I think it changes some of that to the staff of what what do I used to think was security? Well, I was it is problem, right? Now, it's, you know, it's everyone's problem. You know, there's the, you know, I forget what, what it is basically, IT security is, you know, is for all of us, right? But I think from an OT perspective, it's, it's, it's back to partnering with with your operation centers. So they know what what is real, what's not. Those Those automation engineers are. And then they're just phenomenal folks. extremely smart, very capable. They have all that knowledge. But typically an operation center, they don't go talk to him. Well, this is this is what we do. And this is what we look for. And so we need to have that communication, that communication has to open up. When you you know, almost the the banking industry did the fusion center, right? Where we had fraud and cyber all getting together and trying to work work, we almost need a fusion center ask model when it comes to, you know, OT, and having having those automation engineers and those operators sitting next to the sock folks and realizing what is good, what's bad. How do I respond? Because I can't just stop that. You know, that line? I have to I have to do something else. If availability is the number one. The number one thing on my list.
It's interesting that you say that because it's something that I'm hearing all the time and have for years, but it almost sounds like these teams would be so much better off if they all sat in the same room.
I think that yeah. It would be an interesting experiment for sure. Yeah, I think some extent Yeah, it's it's, you know, people process technology. If you look into technology, you know, Fortinet provides you with that fabric. You know, you're able to utilize all those tools that that you've already purchased. Not all of them. But you know, there's a lot of partnerships there, right? Yeah, that we end up into Fortinet gives you the visibility, you need the ability to automate and orchestrate response, except, you know, Secretary of Technology, the people and process piece those go back to fundamentals, right, those those are we have to sit across the table, or we have to sit on the same call, and we have to talk and we have to understand what what is it? If I do X, how does that impact the business? And do I want to do X, right? And then right, that process that goes through that, and then you have to have, it has to be dynamic. So you continue to, to improve it? Because you will, as a as the threats change, your your, your your response plans are going to change the least they should?
Yeah, awesome. Thanks for saying that. I mean, it's when you said fundamentals is like yes, yes, the fundamentals, the fundamentals of people. It's funny how we kind of leapfrog that all the time. Maybe we're just so addicted to technology and trying to have create quick wins across our businesses or efficiencies, you know, or we become distracted very easily. In the modern workplace, that often I think those fundamentals are are something that we keep forgetting about, you know, and I was speaking with a health and safety executive on one of our rail shows here in the UK. And in when I was running nucleolar shows as well, that was one of the things is like, you know, what are the cyber impacts on safety? Well, we talk about it and OT not talking to each other as much as they should. But what about safety teams? Are they in the conversation? In most cases? Not yet. You know,
in in those fields, obviously, safety is paramount. Right. It's not just really, you know, I don't see that as just a safety problem. Internally, that's a safety problem for everybody in, you know, in the, the immediate area. Right, whether it's rail or nuclear excetera. I see safety as just as important, as, you know, as those other forms that yet that other individuals you need on the table at the table.
Yeah. Yeah, be interesting to see how that evolves. It says here in your, in your presentation, cybercriminals are maximizing their opportunity by exploiting older vulnerabilities and expanding attack surface Akash. The question here is, how can an organization organization gain more control and mitigate inherited vulnerabilities? Because there's a lot of asset owners that that tell us, they're still working on acid inventory. And of course, there's a lot of vulnerabilities here. So I guess the question to you is, how can Yeah, how can they mitigate inherited vulnerabilities, as well as new vulnerabilities that are being brought on board through things like IOT?
Yeah, and I think you kind of nailed it, in my opinion, the start, right? It starts with, you know, what you have? You know, from that inventory perspective, do you know what your organization currently what assets they have today? And, and without having that you don't really know what your inherited vulnerabilities are? Cuz, you know, if, if, if you don't, if you have an asset that is never been patched as an example, but it's on your list, you're never going to get to it. Right? And whether it's a compensating control that goes around it, is just visibility, how do I respond to it, etc. And that could be, you know, that really could be anything and any, in any field, if I don't know what it is how do you do that with the new vulnerabilities and behold, you know, I think that when you ideally, you gotta leave out, you have visibility into all of it. You're aligned with the business, your operations, architecture and engineering teams are all talking your partner with a security vendors, and you have you have that nirvana. But I think that's where, you know, Fortinet recognizes that Nirvana really isn't you know, isn't isn't capable, you know, no business is capable of hitting Nirvana before that provides you with that fabric that allows me to at least connect all my different all of my tools plus the ones that possibly have already been purchased that are, you know, that are partnered, right? And yeah, given me that, that that simple management location that entire Security, Architecture visibility. And with all without having to purchase new, an entire new stack, you may still have some, some pieces that you know, some holes that you need to have. When you have your, your asset inventory, I know what I have, and I have visibility within my, my full fabric. From there I go, where are my holes, and we're starting to play him. Right?
It's quite a challenge, really, when you look at it, I mean, just just judging on the conversation we've had already. And if we look at, if we look at all of the moving parts about what we're talking about here, we have, we have old vulnerabilities, we have new vulnerabilities, we have this speed of complexity that comes along with technology, we also have the fundamental basics of, of people in process that aren't always perfect. They don't need to be perfect, but they do need to be there. So this kind of brings me to the next question is, in your opinion, what does a team look like that could manage this? It says both old and new vulnerabilities. From just from a guy who comes from such a, you know, a great diverse team who's who's seen probably a one of the industry's possibly most amazing examples, who knows, you know, pharmacy Pharmaceuticals is a big industry. And, you know, and sounds to me, like they really put a lot of effort and time and money into what they were doing. So, you know, when we when we look at other companies like mining companies and whatnot, they don't have that, you know, so what's the team look like for them?
Yeah, that's like saying what color capes should they wear? Right? Because they, they have to be superhuman, to some extent, I think the, the team is kind of going back to almost that fusion model of it's, it's a, it's a functional team, it's a collaborative team, one that allows me to, to lean in on on a on another team member that may not even be within my word, but they have this skill set or the the ability to to make change, you know, control over an asset, if you will, right. And that's a partnership. And I think that is in your smallest of teams, you still need that you need that partnership, because you can't do it all yourself, you know, if I have, if I have myself and, and three individuals, and we're trying to protect, you know, 100 sites, 10 sites, we can't, we can't be everywhere. At the same time, we have to be able to leverage those that are those that are folks that are local. And it's the same thing as if you're, you know, you're a large conglomerate, and you're global, and you got sites all across the world. I can't I can't be at two of those sites at the same time, myself, and I only had a limited number of assets or resources sorry, of people. Right. Yeah. So leveraging those, those other folks making them aware of the risk, and and the the need to be to be leveraged, right. So it's adding like, almost like a local champion, a local ambassador. Right. That will help spread the word of security, but also will help rally the troops if I need them.
Yeah. And that that eliminates my next question. going to ask is, if it's possible to have situational awareness of an asset base, a large asset base? And what skills and tools would be required? I mean, obviously, if anything, you know, comment, if you would, but I think that you've kind of nailed it there on what those tools would look like. And it cuts back to that communication and that integration. It's,
it's funny how, you know, a lot of it comes back to those, you know, blocking and tackling right, the fundamentals of what what do we do? The, we've had some great, great organizations out there from a technology standpoint, that's one of the reasons that came to Fortinet was some some of the things that they are doing in the IoT space is phenomenal. And that covers a good good portion of it. Right, that allows me also to have maybe fewer people because I have better visibility, but I still need the skill sets. I still need the process. And I still need, you know, that communication piece of just talking to the business. I have to have the business involved with my work.
Yep. It's interesting. I was speaking I was speaking to somebody recently who mentioned to me that a lot of this will be automated And then, you know, we really need to work on our response and preparedness more, you know, then maybe potentially looking worrying about skill sets and team sizes and things because everything will be automated. I don't normally have those conversations. And but I did think it was an important one to have. And
you don't want to, like, comment on that. But, you know, I, I would agree that there'll be a lot of automation out there. Right? Will everything be automated? Maybe someday, but that's, I mean, that's further in the future, they're still going to have to be somebody who makes that decision to, to automate and automate, right. And I think that, you know, standpoint of the, how, great. You know, the, the change, you know, machine learning, artificial intelligence has has made for us from an industry perspective. And, you know, I can't fathom what the next three to five years look like when a woman has made such a leap in the last three to five years, right. And maybe that is where everything gets automated. But at some point in time, you're still gonna have to get with the business, and you're still gonna have to, you know, know, what is the right response? Versus? I don't I don't know, maybe, maybe I'm old fashioned, but I think there's, there's still an aspect of it, we're going to need some human intervention or somewhere.
Yeah. Yeah, I think so. I would agree with that. I think human intervention can't be overlooked. And it's scary to think that someday we, you know, I've looked up topics and research them before on AI attacking AI. I really want to put that into conference. But you want to know what it's just not there yet. It you know, it doesn't exist that I'm aware of. But it's not that it wouldn't, it's a scary idea as well, that that, you know, these machines would take over a lot of the decision making process from an offensive and defensive perspective. Well,
you know, the threat actors are, are going down that path, potentially, right. So and I can't respond quick enough, I can't push that button to say, you know, set that site in Ireland mode or, you know, stop that attack, because I've, by the time I made, made the decision, that yes, this is bad. And I've been able to like, muster enough guts, to push the button to stop something, you know, and that's whoever you know, you can't give that to to a to an associate, when you're out of college and say, Hey, here's your, here's your responsibility. If this happens, I want you to push that button to stop that plant from marketing. And that's going to cost us millions and millions of dollars or pounds, etc. But you just go ahead and do that. It's going to have to be some type of machine learning and artificial intelligence that will do that. But you'll still have to go through a scenario of what is this going to cost us? And how at what threshold? Do we? Do we say yes or no? Right.
It's an interesting thought. Onto another topic here. An are an organization struggling with skills gaps and workforce development, where can they get the help they require?
You mean every organization? Yeah. Yeah, absolutely. You know, and that's one of the things fortnight is, is champion right? There, they're taken on the the, to close that cybersecurity skills gap. And the workforce gap of was like 2.7 million jobs globally, that aren't filled. Providing you with, you know, the free education, you go online, on the website, you can find the free education they're partnering with, with K through 12, with universities to work on, you know, ot curriculum, which is for ot securities curriculum, which is phenomenal, you know, that just, for me, the thought of that, in this day and age is is, you know, kind of mixture, puts the hair of them back and neck stand up saying that's, that's great. That's how we're going to, you know, we're going to, we're going to get ahead of this and start putting it into mainstream and saying, let's, let's make people aware of this instead of Yeah, you got your, you end up as Oh, and other duties assigned, by the way, here's cybersecurity as well. Right. Yeah.
Yeah. I think that threat, the threats and the vulnerabilities to critical infrastructure, manufacturing, any of these industries should be more mainstream. You know, I mean, I speak to my family and, you know, and, and then a lot of folks in this industry do and, you know, they they are explaining it to their family, but nobody's stopping to think about where their water comes from. And then, you know, the digital transformation of their water supply and what the impacts of the fact that the Internet doesn't work next week. Might have on that, you know,
but anybody thinks about that from like, we're gonna watch come from worth, you know, see? Where does Where does my food come from the grocery store? No, there's there's a lot of work behind that, that allows that that food to show up in your grocery store. Right. Same with the water as it comes out of that tap around the bottle. There's a there's a ton of technology that sets behind that just to provide that a the same product every day. And same healthy clean product every day.