LinkedIn posts and the IT vs. OT cybersecurity debate
I’m unsure how to feel about what’s shared on LinkedIn. Whilst the platform’s algorithm does a decent job of showing me posts related to my interests – energy distribution, operational technology (OT), and cybersecurity policy – I feel there is often a disconnect between what is “said” and what is “meant”. The optics of a post seem to be the currency LinkedIn posters trade in – reading their posts is 1 part watching the Inception movie, 2 parts reading a fan-fiction novel, and 7 parts trudging through Facebook.
“Between what is said and not meant, and what is meant but not said, that’s where you’ll find most LinkedIn posts” – I may have taken some liberties with this quote.
But LinkedIn feels so much worse than Facebook. Adverts (a.k.a. sponsored content) are a prominent feature on both platforms, yet on LinkedIn, the user-generated content is a near facsimile of the sponsored content. Far too many posts pay lip service to the topic at hand – a service paid to bolster the author’s prestige, as opposed to sharing genuinely useful knowledge. Does this approach work? Are others sensing the same unease I feel and simply glossing over much of the content nowadays, knowing that it’s not there for the reader’s benefit?
The IT vs OT debate
Given that I have had some free time on my hands (thank you NZ summer holidays!), there has been one LinkedIn post that got me thinking – enough to write this article.
This post wasn’t particularly unique. Among other things, its tone implied that Operational Technology (OT) and Information Technology (IT) are two distinct domains under the cybersecurity risk management umbrella, and that because of this uniqueness, readers are best to maintain a moat between the two: separate ways of thinking about risk, separate strategies to deal with risk, and, through all of this, Operational Technology must be the thing that gets put on a pedestal because of the potential risks.
This mindset makes me cringe – it’s one I see often in cybersecurity – pushed by those who have something to gain from the division. It’s a mindset that divides what should be a well-integrated ecosystem – or at least a journey towards that goal.
That’s not to say there aren’t distinct risks associated with each field. Certain risks (i.e. impacts and likelihoods) will undoubtedly feature more prominently in one or the other. However, in today’s highly interconnected world, many risks span both domains. The 2024 CrowdStrike BSOD incident is a prime example – cyber threats don’t distinguish between OT and IT!
So, what’s my takeaway from this?
If you are a risk management professional, treating OT and IT as entirely separate entities ignores the reality of what is a hybrid ecosystem where traditional distinctions no longer apply. You absolutely must manage risks in an integrated manner – know your business, which means knowing what makes your business tick.
Take the time to learn what drives growth and profitability in your organisation, as this will allow you to map the assets that matter (i.e. the data, software, systems, and people), after which you’ll sit down, work through probable risk scenarios, and implement controls to mitigate those risks. If your business spans both IT and OT, I think you will be surprised to see how much one relies on the other, and how easily risks in one domain propagate to and impact the other.
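To make the propagation point concrete, here is a small worked example that I have added for this article (it is not from any LinkedIn post or vendor). It walks a constructed asset dependency map and compares the impact of losing a routinely “IT” asset, a fleet-wide endpoint agent, as seen by an IT-only review, an OT-only review, and an integrated review; every asset name and dependency is invented for illustration.

```python
from collections import deque

# Constructed asset inventory for illustration only: each asset is filed under the
# domain it would typically be assigned, and lists what it needs to keep operating.
ASSETS = {
    "corp-ad":         {"domain": "IT", "depends_on": []},
    "patch-server":    {"domain": "IT", "depends_on": ["corp-ad"]},
    "endpoint-agent":  {"domain": "IT", "depends_on": ["patch-server"]},
    "historian":       {"domain": "OT", "depends_on": ["corp-ad", "endpoint-agent"]},
    "hmi-workstation": {"domain": "OT", "depends_on": ["corp-ad", "endpoint-agent"]},
    "scada-server":    {"domain": "OT", "depends_on": ["hmi-workstation"]},
    "plc-feeder-01":   {"domain": "OT", "depends_on": ["scada-server"]},
    "billing-system":  {"domain": "IT", "depends_on": ["corp-ad", "historian"]},
}

def dependents(assets):
    """Invert the dependency map: asset -> set of assets that rely on it."""
    rev = {name: set() for name in assets}
    for name, info in assets.items():
        for dep in info["depends_on"]:
            rev[dep].add(name)
    return rev

def blast_radius(assets, failed, domains=None):
    """Every asset that loses a dependency when `failed` goes down. If `domains`
    is given, the walk never crosses into other domains (a siloed review)."""
    rev = dependents(assets)
    seen, queue = set(), deque([failed])
    while queue:
        for nxt in rev[queue.popleft()]:
            if domains and assets[nxt]["domain"] not in domains:
                continue
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def compare_views(assets, failed):
    """Impact of losing `failed` as seen by an IT-only review, an OT-only
    review, and an integrated review of the whole ecosystem."""
    return {
        "it_only": sorted(blast_radius(assets, failed, {"IT"})),
        "ot_only": sorted(blast_radius(assets, failed, {"OT"})),
        "integrated": sorted(blast_radius(assets, failed)),
    }

if __name__ == "__main__":
    # A failure in the fleet-wide endpoint agent, normally filed under IT.
    for view, hit in compare_views(ASSETS, "endpoint-agent").items():
        print(f"{view:10s} {len(hit)} affected: {', '.join(hit) or 'none'}")
```

In this constructed map the IT-only review reports no downstream impact at all, while the integrated view shows the outage reaching the SCADA server and a feeder PLC, and then bouncing back into IT via the billing system’s reliance on the historian.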
Managing risk is not black-and-white; it exists on a spectrum. Get comfortable working in the ‘grey’, as failing to do so will only hinder your security strategy.
Managing risk will include many touchpoints over the lifetime of a capability