  • Nick

Cyber: Making the Business Case

This could fall under Pro-tips but is specifically for cyber security. The line gets blurry, but I doubt it matters.


Cyber security is, in hindsight, generally well-funded. The problem is finding money before you have a problem. Any adequately large corporation has people in their purchasing department whose full-time job is to shoot down ideas of how to spend the company's money for tasks that do not matter.


And justifiably so! Companies are constantly being offered new and wild ideas that salespeople swear (up and down!) will pay off. Rarely do they. However, cyber security is like your health: invest upfront and regularly to mitigate problems later on.


Similarly to your health, there are multiple aspects.

  • Having a gym membership is good but only helps if you go regularly and consistently. You want to have money for backup servers, but you need to regularly make backups and test them. (Trust me on that last part. End users hate finding out your backups do not work.)

  • Age will wear down your body, just as it will a control system. Things get more complicated, and legacy system parts and expertise get harder to find. You have to stay ahead of the game by proactively acting your age. If that means adding stretching to your routine or eating better, the equivalents could be migrating off legacy parts to newer systems and training the next generation of your team.

  • You can save money upfront by skipping the dentist, but you rarely save money in the long term by skipping the dentist. Make sure to go out and get additional training for your team on new technologies. Find out new problems and, if you lack the expertise in house, hire a cyber security consultant (aka pen tester) to find out your weaknesses. Then, follow through on their recommendations.

  • Never, ever skip brushing your teeth. Similarly, never, ever skip routine documentation and maintenance of your system.

When I say cyber security, I have a broader meaning than most. Not only do you have to worry about hackers, but you also have to worry about losing support on legacy systems, bugs that your team missed, a well-intentioned contractor cutting your fiber line (hopefully you have a ring), power going down (yes, having a UPS and generator is important), etc.


Selling this to management is not just about getting capital. It is about getting buy-in for scheduled downtime, additional (wo)man hours to put your new systems in and accepting limitations on the end user's part. So how do you move forward?


My favorite lines include...

  1. "How many hours could you run X in hand?"

  2. "How much does it cost to have extra shifts in here?"

  3. "If the automation system saves you $Y / hour without any system improvements, I understand your reluctance. Just so you know, it will take Z hours to get back online with the system we have."

  4. "I do not want to name anyone, but I recently saw another firm not upgrade. Let me tell you about what happened..."

Admittedly, #4 is the least pleasant conversation, but it does tend to get managers moving. Good luck!
