As manufacturers confront an ever-expanding list of cybersecurity threats, the NAM is mustering the leading cybersecurity minds in the sector to fight back. Since March 2021, it has been gathering chief information security officers from a large range of companies to discuss their shared challenges and the strategies that have worked against them.
Recently, a group of these cyber leaders met at the NAM’s D.C. headquarters to exchange their latest updates. Here is a sneak peek inside this meeting, where the future of the industry’s cyber defenses was being shaped.
On the agenda: The discussion covered both IT and OT, as well as the interdependence between the two, which requires a careful but not restrictive cyber strategy.
- Beyond the technology itself, the CISOs also detailed how they present their progress to their boards, including their metrics for success.
Zeroing in: Cyber training for employees was a particular focus for the group, as manufacturers work to educate their workforces about these threats.
- Though most cyber training is directed at IT personnel, there are more and more plant floor workers who also use computers and must receive security training, the CISOs noted.
- It is best to embed training into the overall asset care process, recommended one leader, so it becomes a long-term priority.
- In addition, role-based training ensures all bases are covered, including contractors, according to another CISO.
Guest speaker: The meeting also featured an appearance from a congressional adviser on cybersecurity, who detailed what policymakers are planning.
- Emily Burdick, professional staff member to the majority on the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, explained how the subcommittee is working to oversee the Cybersecurity and Infrastructure Security Agency’s two roles: overseeing critical infrastructure and monitoring federal networks.
Government priorities: Congress is focusing on four key priorities for the year, Burdick said. These include:
- Monitoring CISA’s soon-to-be-proposed rule on cyber-incident reporting (on track for a Notice of Proposed Rulemaking in March 2024, with the final rule expected by September 2025); this proposed rule would require covered entities to report cyber incidents within 72 hours and needs clarification around “covered entities” and the timing of incident reporting;
- Measuring CISA’s effectiveness as a sector risk management agency and as the national risk coordinator;
- Improving private-sector partnerships through the Joint Cyber Defense Collaborative and other processes; and
- Strengthening the national cyber workforce.
What they’re saying: The CISOs in attendance told the NAM how much they valued these high-level discussions.
- “While we often cross paths with fellow CISOs at trade shows and other industry events, it is important for us to gather in small groups and share what we are experiencing in an intimate, off-the-record setting so we can speak openly and honestly about challenges and potential solutions,” said Beth Schulte, CISO of Louisiana-Pacific Corporation.
- “I was able to share some tips with the other CISOs based on my experience and came away with tangible actions and takeaways to both implement immediately and research further after hearing recommendations from peers,” she continued.
Get involved: The NAM’s CISO group is working on industry benchmarks that will be shared with other manufacturers, so the industry can raise its defenses across the board. These benchmarks will help other CISOs evaluate their own practices and keep their boards and executives informed about industry standards.
- If you’d like to weigh in on your company’s activities, please take the short survey here.