Now that we have a little bit of context on what's driving our current cybersecurity landscape, the next question is: where does this pragmatic approach come in? What is a pragmatic approach? What does the word pragmatic mean? The dictionary definition is dealing with things sensibly and realistically in a way that is based on practicality rather than theoretical consideration.
What does that mean in a cybersecurity context? If we look at the definition of pragmatics, this is more about linguistics and language study. What's interesting is that it looks at how context contributes to meaning. I wanted to include this because what a cybersecurity vulnerability means depends on what device is impacted and on what the risk could ultimately be. That context is everything for industrial control systems cybersecurity.
Why is a Pragmatic Approach Needed?
If we look at why a pragmatic approach is needed, there are four facts that lead into building this view of the industrial control systems base.
Increasing Number of Credible Cyber Threats
Industrial companies are facing an increasing number of credible cybersecurity threats. There is more remote access, and more ransomware and other types of malware are being prepackaged for industrial control systems, with more companies experiencing more threats from more bad actors. We can see a lot of different reasons why this exposure and the number of threats that companies are facing are growing. This is a difficult, complex problem to solve.
Limited Number of Resources to Address Threats
We don't have an infinite amount of resources to address these threats. Companies still have to make sure that they're able to operate. They have to balance security objectives with operations objectives and have limited financial resources to apply to these. We can't just take everything we have and throw it at those threats and expect a good result. With the scarcity of resources, we have to be realistic.
Realistic View of Current Risk
We have to understand what our current risk is, then take sensible steps to reduce it. We've got to understand that we're not going to get there overnight. It may take time. It may take a series of steps and programs to really build in and ramp us up from where a lot of organizations in the industry currently are to where they need to be to have a defensible position. We've got to understand that journey and take it one step at a time.
Even going back to our first book on industrial cybersecurity, which we published over five years ago, it really comes down to following that pragmatic approach: understanding how we can leverage the standards and all of those industry best practices and guidance, and apply them to a site in a way that's going to be most beneficial for them.