Okay, good morning, good afternoon, and good evening. Welcome to today's webinar on governance, policies, and procedures for third-party cybersecurity risk management. This is the seventh webinar in our 10-part series on cybersecurity and digitalization, with a focus on supply chain cybersecurity in the energy sector. I am Scott Morgan, principal consultant with Enex, and I will help moderate today's webinar. So thank you all for joining us. Please note, as you heard in the announcement, this webinar is being recorded and all participants have been muted. The recording will be made available after the webinar, along with a PDF of the presentation slides. We will be taking questions via the Q&A window, and we'll have time for Q&A after the presentation, so if you have questions during the presentation, please type them into the Q&A window. Note these are only shared with the presenters and hosts, and if we don't get to your question during the webinar, we will follow up with you and provide an answer afterwards.

Today's event is organized through the US Energy Association's Advancing Modern Power through Utility Partnerships (AMP-UP) program. The AMP-UP program is funded by the United States Agency for International Development (USAID). As I mentioned a moment ago, today's webinar is part of a 10-part series. The overarching goal of this series is to discuss the cybersecurity challenges associated with the expanding supply chain necessary to address multiple transformations in the energy sector, including integration of renewables, deployment of grid edge technologies, integration of regional markets, etc.

In today's webinar we'll hear from Terry Khil, senior consultant at Amper Industrial Security and CEO and founder of Cyber Kaleidoscope LLC. We will also hear from Roland Miller III, ambassador for Cyber Florida, the Florida Center for Cybersecurity. Terry is a cybersecurity and compliance professional with a reputation for success in building and sustaining cross-functional, compliant cyber
security reliability programs in highly complex, regulated energy critical infrastructure. Terry recently established Cyber Kaleidoscope to provide cybersecurity services targeting critical infrastructure, industrial control systems, and operational technology. She's also a senior consultant with Ander Industrial Security Inc. Previously she was the director of technology delivery, performance optimization, and compliance for Tampa Electric Company. She also held information security and risk analyst and senior manager roles for PricewaterhouseCoopers. Roland is a senior information technology executive with over 20 years of experience in securing national critical infrastructure such as downstream natural gas, nuclear power plants, and the electric grid. As a former chief information security officer, his expertise spans various domains including business process optimization, innovation, metrics development, operational technology, and regulatory compliance. In his current role as an ambassador for Cyber Florida, the Florida Center for Cybersecurity, Roland drives engagement, conducts outreach efforts, consults with asset owners and operators, contributes to risk assessments and incident response exercises, and has created material for and conducts workshops on essential cybersecurity concepts. So before I turn it over to them, one last reminder to our audience: please enter any questions during the presentation via that Q&A window, and if we don't answer them along the way, we'll have time after the presentation. So with that, I'd like to turn it over to Terry and Roland. If you would, please take it away.

Thank you, Scott, and thanks everyone for joining. We're going to talk today about the governance, policies, and procedures for third-party risk management, and our objectives are to focus on the organizational aspects of the governance and best practices, with highlights on typical models for managing cybersecurity and the level
of visibility into the associated cybersecurity risks for all of the relevant stakeholders. We'll discuss some strategies and approaches to communicating within the organization and also with regulatory authorities, and we will also touch upon the cyber investments in capital and operational maintenance expenses. I know that this webinar series isn't a hard progression, but there are a couple of webinars that we feel were foundational to what we're discussing today, so we do assume that you have taken a look at webinar 2 and webinar 3. These are both components that will be integrated or operationalized using the methodologies that we're going to be discussing today, so please make sure that you take a look at these two as you dig deeper into what we're discussing.

So you may have already picked a set of standards, or you might have a regulation, or maybe you haven't yet, and you might be wondering, well, how do I get started? Typically in your company you might have a code of business conduct or a corporate compliance committee, a regulatory affairs team, and so on, so you may be able to leverage some of those, but you're going to build some sort of governance function. Typically what I like to see is three tiers: your executive senior sponsorship, this is your officers; a director-level steering committee; and then a working group of subject matter experts from all of the relevant areas, the leads and the managers. You'll flesh this out over time; we're going to talk about that a bit in a few minutes. You'll also want to set up a charter that talks about why you're doing this, the responsibilities, the scope, and so on. So what can go wrong, Roland?

Well, I'm glad you asked, Terry. As you guys read this slide, I'm going to focus on just a couple of these things. Mainly, if you don't have centralized procurement in your organization, this really is a
limiting factor, or at least a foundational piece. As you think about most frameworks in security, the very first thing that you do is to identify the scope of what you're trying to do. So this is third-party risk management; if you don't have an existing method of identifying your third-party engagements, and every organization has third parties, you can't do things alone these days on anything, and typically that's through procurement, then you're probably going to need to set that up first. But even if you do have centralized procurement, I've seen instances where maybe there's a legacy process in place that allows for purchases through P-cards or through credit cards that don't go through the same level of rigor. In the past they didn't have contracts associated with them, so they didn't go through the same level of rigor. You need to be sure that you're aware of those, because these days technology can be introduced, and therefore the risk associated with technology can be introduced, through these purchases that may not have gone through the same level of rigor, and they do now. The biggest example of that is software as a service, or the cloud, so to speak, where it's very easy for employees to just put their credit card in and get reimbursed by the company, but they've agreed to a contract through the EULA, and they may be putting your data up in the cloud and you're not aware of this. So it's critical that you're aware of any of these blind spots, or these ways that purchases occur that didn't go through central procurement. As you read through the other things that can go wrong, hopefully they're straightforward. Organizational culture is a big thing; we're going to talk more about how to address that, but not matching up with your organizational culture can be another way that things go wrong at the very start.

So how do you figure out who
needs to be involved when you are embarking on setting up some third-party risk management policies and processes in your organization? Obviously procurement is going to be involved, but who are the other common stakeholders? Depending on how your company is organized, you want to look at the functional areas, and if you have multiple affiliates, or maybe you have, not duplicated, but representation in multiple countries or cities, states, provinces, and so on, you want to look at the geography and see who might need to be involved there. Key decision makers need to be a part of it, but also think about who might be harmed from the failure of a third-party risk management program, or who can influence it, and even the third parties that you deal with themselves, and then anyone in the company that deals with it. Also you need to think about any key influencers in your company. This might not be a director, a lead, or a manager; they might be an engineer, or just someone that people respect. You'll know them because maybe you're in a meeting and people are kind of quiet until that person speaks up and starts asking questions, and they kind of know which way that person might be headed, and then they'll start talking and participating. So you want to make sure you get them involved early. You can document all of these folks in an org chart or even a responsibility, accountability, consulted, and informed matrix, a RACI matrix, and what you come up with for the project will eventually become part of your ongoing engagement plan. Roland?

The things that can go wrong here, the things that Terry and I have seen in the past, as you read through this list, a lot of them are self-explanatory, so what I want to go into deeper focus on here is the third-party inclusion. Some of you may not think that the third parties are stakeholders and
should be at the table, and honestly they should be. Now, they may not be at the very beginning when you're standing up your process for evaluating risk of third parties, but ultimately they are part of the process. They're the ones that will be subject to the information gathering, they'll be the ones having to deal with the contract language, they'll be the ones going through the process, and you need to have a way to identify their criticisms or any feedback that they may have to improve your process. Again, they may not be at the table at the beginning, unless you have a third party that you truly trust and want to have there at the beginning to help make sure the process that you develop has their input. But ultimately you will find that you need to have them at the table later on. You need to ensure that whatever you build has a way to gather that feedback and, most importantly, integrate it back into your process for improvement. The other things here hopefully are self-explanatory, but culture, I go back to that, company and cultural differences, and identifying that even with your suppliers as well, is important to take into consideration because it could cause implementation issues.

And how do we get executive buy-in? Well, in some cases it might actually be your executives or officers that have asked for some additional attention to third-party risk management. Sometimes it's the CISO or legal that brings it forward. For the implementation, it's usually easier to get the buy-in if it's a regulation, but even if it isn't, making sure that you're focusing on the risks that would lead to a loss of revenue, or a major loss of business operations which in turn leads to loss of revenue, is going to be key. So it's really being able to speak in the language that the executives want to hear. Typically they're going to want to know
the costs, and in getting agreement to proceed you may need to do a phased approach and demonstrate some small wins with that. It's complicated; there's a lot of things you need to do, so maybe you start small. And Roland, what can go wrong with this?

Well, you covered some of that: not going into the cost, not speaking in business terms. I've seen that happen many times, and really some executives or some leadership may just say, oh, this is compliance, and they don't question it. But the really good leaders are going to question how you're doing it, why you're doing it, is there a different way to do it, is there a different timing to do it, especially if it's a significant expenditure, and the competing priorities. They're going to have to make hard decisions about whether they upgrade equipment or they implement a compliance program. So don't go into this saying, hey, this is compliance and we need to do it. Even though that is a solid argument, you may be encountering situations where you have to go deeper and actually show that you've done your due diligence to think about other ways of doing it that may reduce the cost or the impact to the organization, because remember, most times your organization isn't there to be compliant; compliance is not the product they're producing. So there is going to be competition, there is going to be the need for prioritization, and you want to be able to communicate this stuff in business terms and translate it into business terms, because most often your leadership is coming from the operational side or from a different industry, and they're not going to understand unless you have done that translation.

All right, so this slide has a lot of content on it, and I did that on purpose, because I wanted to demonstrate just some of the things that you need to think about and how complicated organizational change management can
be, because you might be doing some level of security awareness at the same time as well as letting people know that there's a company change coming, giving that awareness. It's kind of a lot of things that you're doing at the same time. So over on the left we've selected one model to show here in terms of organizational change management models, and by the way, that's an entire MBA class in and of itself. There's a lot of different models; if you take them and plot them out and look at them going across, they're all very similar, whether they have five steps or eight steps. This one has just the five steps: creating the awareness, and then creating the desire that, hey, I'm going to like this change eventually, creating the knowledge about it, and then creating the ability with the processes to handle the change, and then making sure that you are doing some sort of regular reinforcement. So once you've implemented a policy and made people aware and taught them what they need to do, then coming back a few months later and checking in, whether it's a survey or celebrating, hey, we avoided a great risk by doing X, or whatever it is, to do the reinforcement. By the way, you'll want to make sure that you review these policies and procedures on a regular basis. You may do it early; you may find a sentence or two that's really problematic in the policy that you need to address pretty quickly, but then once you get into a cadence you could probably do an annual review. Keep in mind that when you're doing the communicating, you have to let people know what is the true value, why are we doing this, and what if we don't do it, and create that desire by telling stories and attracting the emotion. Again, some of this will be your external stakeholders, like they talked about in one of the earlier webinars. Vendors can end up with a lot of different questionnaires coming in
from people, and it's hard for them to respond, so think of ways to help them with that. Then part of the reinforcement, once you've implemented, is to check that the processes are properly implemented and are being followed, so some sort of assessment. Then over on the right you've got some dimensions of security culture. Security culture is really your organizational culture, and so these are just some pieces of information about that, and then making sure that the new people coming into the company are aware of the procedures. So there's a lot going on in there, a lot to think about in terms of organizational change management. But where can we go wrong with that?

That's funny, Terry. As I'm sure you guys can imagine, a lot can go wrong here, and I'll reinforce what Terry said: this could take up multiple webinars, many days, an entire graduate-level class to get into the theory, because you're really dealing with sociology and psychology and how humans deal with change. So the stuff here on the left, I'm not going to go through it. These are all the ways that things can go wrong when you try to implement change in an organization, and the methodologies that you choose to guide you through organizational change management have all of these things built in. In other words, the methodologies are designed to identify the common barriers to change that humans go through or organizations go through, and ways to identify where you are or what the issue is, and then they also give you ways to address that and move forward. Again, this is not simple, but it's absolutely important, because what we're trying to do here ultimately is build or establish a culture of compliance, especially around third-party risk, and this is something that most companies don't have in place now. So you're
looking at really the bread and butter of organizational change management. Again, the things that can go wrong are on the left; on the right are some practical issues that could happen if what you implement isn't fully baked into your processes or your culture, or the change isn't fully embedded or implemented. Ultimately you're looking at impacts to the business due to delays in third-party contracting. You may not have parts of the company following the process. You can have issues downstream where you've gone in and you've already signed a contract with a third-party vendor, they're implementing something, and you realize that it's causing a security issue that could have been identified earlier if your process had been more robust in terms of the information gathering, at which point you're having to redo, or you're missing milestones. This causes a lot of business disruption: if your third-party risk management process doesn't surface this stuff soon enough for you to take care of it upstream, it has downstream impacts, which is what we have outlined here on the right. Terry?

So the biggest part of this is figuring out what the risks are, and raising those risks up, and having the discussions about them. In performing the risk assessment processes, you may find something, let's say it's a piece of hardware or software, and you're not comfortable with the vendor's authentication practices, and so you need to figure out, well, who do we raise that up to, and so forth. Or it may mean it's a deviation from one of your internal policies and standards, potentially specific to third-party risk management, and so your technical staff may be the first ones to bring that out, or your cybersecurity or compliance staff. But the compliance and cybersecurity staff are typically the ones that'll help translate those risks into business terms and help
figure out what the mitigations are, or the remediations, what triggers that. What's key to this, whenever you're implementing policies and standards, is that you've got to have a process to manage those policies and standards, review them on a periodic basis, and so on, and within that, an exceptions process, and that's where the governance comes into play. An exceptions process will typically have: what standard are we deviating from, who owns it, who are the different players that have to know about it and sign off on it, what is the actual risk, what is the potential risk, what's the likelihood. It in essence becomes your risk register, and so you can figure out kind of a form to put together and different views of it, and based on your naming conventions you can have a component of that that is your third-party risk register. You want to get that in front of your CISO, even your CIO, your business leaders. You would never want someone, let's say in a power plant, to not know that there was some risk with the things that run the plant, and sign off on it. So you've got to get that communication out there for the ones that warrant it. It might not be every single little thing, but for the ones that are the riskier ones, you'll want to do that. Roland?

Thanks, Terry. So what I've seen go wrong here, as you guys read through this list, the first one I'll take off is inappropriate business approvals. What I've seen is project-level managers where their motivation is to get something in, and they're more than happy to sign off on whatever risks are identified by the security team regardless of what the impact is to the company. Their motivations and their scope may not perfectly align with what the risk itself is, and I've seen many manager- and director-level persons wanting to sign off on high risk to the company, and that's simply not
appropriate. That's why it's important to have a risk sign-off matrix where the higher the risk, or the residual risk, the higher the approval needs to be, because again, in my career, if it's been identified as a high residual risk, I have not had an issue where a senior person has wanted to sign off on it; they simply haven't. The key to that also is being able to communicate that risk in business terms. That is so important, because oftentimes these risks that are identified are highly technical, they're very esoteric, they have to deal with IT technology, and business people tend to have their eyes glaze over unless they come from that area, and you need to help them with that. They're the ones that are signing off on it; they need to have the information given to them in a form that they can digest and understand, and that's why the translation of these risks to business terms is so incredibly important and critical to enabling this entire process. The other things here I think are pretty straightforward. They have ramifications downstream in the sense that these are things that may not come up as issues at the beginning, but if you're not sufficiently documenting deviations, if you're not following up, you're probably going to have issues downstream that may come up in an audit, and if this is tied directly to regulatory compliance, that would be the regulator finding them, and those are typically bad days for most organizations. Then the last bullet there is, if your process doesn't allow for exceptions, if it doesn't allow for flexibility, typically most humans don't do well with those types of processes. So be sure, as you're going through your governance with your stakeholders, that you're taking into account ways that your processes can fail,
which includes people not wanting to go through them and thereby bypassing them. Terry?

So we talked earlier about executive buy-in, and part of that buy-in is that you're probably going to need some sort of funding. If you're doing a lot of risk assessments, that's really hard to do without some sort of tool to help you keep track of your vendor responses, the mitigations, the risks, and so on. Or you might need, maybe your contracts folks didn't have a contract management tool before, so maybe, even though it's not directly tied to it, there are pieces that will help you with the third-party risk management. As we mentioned earlier, you have to really make sure you explain why are we doing this, what is the value, why do we have to do it right now, can we do it later, why do we have to do it this way, and then what happens if we don't do it. A lot of the things that have to occur to get a project like this spun up are what we in our accounting standards in the US know as operations and maintenance types of things. It's not an asset that you're going and buying and capitalizing, to put a process in place, but again, if you've got a tool then you can probably capitalize that, depending again on your accounting regulations in your country. Typically those capital expenditures are preferred in a utility. But then you also have to consider the ongoing costs. After you get all this set up, what is it going to take to keep all of these processes going? You're spending extra time doing the risk assessments, reviewing that, having the discussions with the vendors on contract language. There's a lot of things that have to happen day to day, and so you might need headcount. So how do you justify and explain that? Again, it's keeping it in the very high-level terms, but you need to consider those post-project costs as well. And what
can go wrong with that? Well, as you guys read through this list, hopefully they're self-explanatory. Not putting it in business context or business value, even though it may be, hey, we need to do this because of regulatory compliance, hey, we have to do this for cybersecurity, those are again good arguments, but again, the really good leadership is going to push back on that a little bit deeper and challenge your assumptions and possibly go into the financials that you have. Some of this is very difficult to translate into financial terms, in terms of profit and loss and whatnot, but that doesn't mean you shouldn't try to go through that; that doesn't mean you should avoid doing the probabilities of the impact and whatnot, because it just makes your business case stronger. Ultimately that's what it is: it's going to be a business case that has to stand, or should stand, on its own against other business cases and other priorities within your organization. Typically those other areas are coming in with, here are our financials, here's why we're doing it, here's the business value, here's what happens if we don't do it. Again, typically in cybersecurity or in compliance, this is exercising skills that may not be in the forefront for people on your team. Typically we're very technical, IT-type backgrounds, and this is getting deep into business fundamentals and accounting and economics and finance, so bridging that gap is really very important, and we've been hammering that pretty much from the very start. The last bullet here is what I really want to spend a few minutes on, which is not understanding really the operationalization of what you're doing, whether it's the third-party risk management that we've
been talking about, or any type of cyber investments that may be part of the cyber program and may not be associated with compliance or third parties. Ultimately all these things need to be operationalized; they need to have some sustainability, and this is the part that I've seen most organizations don't get right at the beginning, and that's establishing sustainable compliance, sustainable operations. In my opinion, the key to that is integrating it into your culture, a culture of compliance, a culture of security, and like I said, I haven't seen any organization do that right out of the gate. They all struggle with it, and this is just another area that you need to understand will probably go down that same road, where you're coming back to it over and over again until you have established a type of culture of compliance, which takes years. Ultimately, if you take a step back, really putting this into place so that it sticks takes years. It involves complex things like organizational change management, like we were talking about, and these are the things that in my opinion ultimately are the long-term things that you should be focusing on as you implement bits and pieces of a compliance program. With that, I believe we are at the questions and answers stage. Terry, is there anything else you want to add to wrap this up before we do that, since we've got a little bit of time?

Yeah, I'll just reiterate that it's really important to have a foundation for how you manage your policies, whether you use a COBIT foundation or a NIST risk management framework and ISO 17799, but something where you've got policies about how you manage policies: where they're stored, how they're reviewed, how they're approved, who owns them, the cadence of reviews, and then, like I mentioned, how you do the exceptions. That's really a key foundation
for anything third-party risk management, or any other cybersecurity-related or IT-related policies, IT and OT, that you have. So do we have any questions, Scott?

Yes, let me kind of jump into some of these. So I guess I wanted to dig in a bit on the organizational change management comment. Do you have any specific recommendations for evaluating whether internal policies are being followed and having the intended effect, and that change is being effected the way that you want it to be?

So one thing that you could do is kind of a mock audit or a self-assessment against that to assess it. If you've got a regulation, you're going to have the evidence; if you don't have a regulation, you may not have really discussed it from that standpoint, but you want to see if there's been an attempt to get the appropriate contract language into the contracts. You'll need to track the purchases that are in scope for your organization, to see, did we do the risk assessment, did we identify risks, did we follow up on those risks, because the point isn't to just identify them and talk about them; you want to have mitigations in place, or, if it was such a high risk that you changed vendors, just following up to see if those have been done. So you could do that via a third-party audit or an internal self-assessment. Roland, do you have any other thoughts on that?

Yeah, the one tool I love for understanding what's going on in terms of organizational change management, really, it's the simple survey. It's SurveyMonkey, it's Forms from Microsoft. A well-crafted question to the right audience, given anonymity, will give you a lot of understanding as to, do they understand what the policy is, do they know where it is. Just asking simple questions and just surveying, keeping it simple, of course, you
know, to less than five questions, you learn a tremendous amount of information about what you're trying to focus on in terms of where the change is, is it successful, and ultimately what is preventing the change from being successful. Most organizational change management methodologies have survey forms; they have questions you can ask that will tease out not only how successful it is, but where it is being hung up in the process of how humans go through change, and then you can take that information and do mitigations.

Yeah, and typically if you talk to folks that have participated in creating the processes, whether it's procurement or cybersecurity, whoever is reviewing the risks or whoever's dealing with the contracts, they kind of know where the problem areas are. For example, if you've got some sort of purchase card capability, where you have a card that you can just go out and do small purchases with, those may not be tracked centrally through procurement; it's through an accounts payable function, and so that can be an area where we miss things. Subscriptions are another one. You might not realize that when you're signing up for a subscription, it might be just someone out in the business thinking, hey, I'm just signing up for this simple tool, but you're actually signing a contract when you do that with a third party, and if that isn't being looped through procurement, and if there aren't controls in place to catch those by whoever sees those purchases, then you're going to miss some things.

Okay, yeah, great, thanks. Roland, I had one pretty specific question for you, actually. I think on the organizational change management slide, and sort of what goes wrong, I think one of the bullets was that you can kind of get trapped into thinking tactically. Can you explain that
a little bit more as that kind of as opposed to strategically and U sort of what did you mean there yes yes absolutely I mean that's a great question my apologies tactical versus strategic um you end up getting focused on solving a very particular problem and then you end up forgetting that you're actually trying to do something bigger or longer term um it's it's a typical in my opinion human um uh failing and and becoming overfocused on what's right in front of you that's operational that's that's the fire and forgetting that you're trying to push a probably a longer term strategic change and you may not want to spend so much time addressing this small tactical issue and it's and you should be spending more time you know pushing something that is is more strategic or long term in terms of change hopefully that answers your question no thanks that's perfect yeah um I kind of a follow up on that a little bit do you ever see something that has sort of unintended consequences you know are there policies that you you think okay this is what we need to do this is the problem we're trying to think long term and before you know it you've you've caused a new problem you yesterday solution is tomorrow's problem kind of deal um and how do you kind of correct course if that happens har you you got a big smile on your face yeah I'm just only trying to think of one that I could share um I'm don't have one coming to mind that I could actually share right now I'm trying to think of something I mean you know it's when when you're in cyber security you know a lot of people think that you're you're taking things away from people and you're saying no and and really it should be your you're informing people of risk and and so they can make you know good risk based decisions and not just go into something blind and and make an unintended issue so so I guess the way I would answer that is is you know the intent of this is risk management it's not to take things away it's not because 
because depending on your company culture or your organizational culture if if it's very intense and it's very results Tri than um you know any time that you are perceived as you know introducing red tape or unnecessary this or that and people don't understand it they're going to try to find a way around it I mean that's just that's most that's human nature and that's that's just in general not a specific example of where if you come across that way um and you don't change that then people will find a way to to sign a contract with somebody and just push it through procurement and and and it never goes through you know legal review and and next thing you know your security team's reviewing a product after the fact after the bond you know after it's been implemented so that does happen and just being aware of your everything we talked about should prevent that you know having the right stakeholders communicating the change socializing it should prevent the organization from rejecting ultimately what you're trying to do and and work around it and so two follow on to that and one is again just emphasizing the capability for the exceptions you know through a documented process where it gives the visibility you get to have the discussions and you know it doesn't have to be rigid unless it needs to be rigid in your particular environment you know if you're some sort of nuclear facility you might be more rigid than than some other you know types of assets and then the other piece is you know when if you've got people going off and doing their own thing then we H when we have like a zero day vulnerability you know and the security team's trying to figure out what we've got in the environment um and and you know you're going off and doing your own thing and you've got equipment in there that nobody else knows about then that's also a risk so just my thoughts on that no absolutely no thank you um so I think uh one thing I feel like I've heard stories about is that um you 
know it cyber security um often or it often gets tasked with leading the cyber security uh effort um but they don't always have um really great understanding of the way that OT Works um so you're you're kind of pointing there about you know we're not here to try and take things away uh we're trying to enable the process I mean do you ever see that where um you know it security practices kind of get start to get in the way of the availability on the OT side um and can how do you address that yeah I think it's really creating that awareness you know it depends on your organizational structure and you're right A lot of times the cyber security function might be an it but generally there's someone that kind of crosses over at least maybe going up to the perimeter for OT security but what I've tried to do is help people understand OT better um you know if you're coming from it and then to help the OT folks understand the it pieces um and there's a there's a nist uh set of standards and it's not going to come to me I think it's 800 um maybe it's 800- 82 but it's the one on operational technology and there's actually an appendix I think it's appendix F where it explains um uh different risks in the OT environment and I tell people in it that when your engineers your OT Engineers are telling you something about their equipment you know when you've raised an implementation thing that they you know that you want to talk to them about pushing out and you might perceive them as pushing back but really they're telling you the same thing as what's written in that appendix so that kind of like if you go and read that before you talk to them you'll be in closer alignment um so I'm I'm not too sure how much that applies to third party risk but I think it still does just trying to help each other collaborate you know and get to a point where you're talking to each other um and I think industry has made a lot of progression in that um there's a lot of uh resources out there to help 
with that actually you're kind of reminding me of an example where um it seemed like like it did not appreciate that the OT vendor really had a strong need to be able to have some sort of remote access to do this troubleshooting on a um they something that they had provided and um that became sort of a point of contention of not um following the sort of standard it protocols um so yeah that's it well I think you one thing we all have to keep in mind is that a lot of the OT environment was designed for safety and reliability but it wasn't designed for misuse and so having that mindset now is um it's it's kind of a change so that's happening over time to to say you know I designed it it's you know it's safe it's uh safety of life and and that kind of thing but if someone's going to go in and intentionally misuse it then you have to think about a different set of controls for that yeah I mean we we've been hearing about itot convergence for probably 20 years now I they're not going to completely converge there there are different reasons for ot to exist they're different requirements it's a different culture it's a different set of people and quite honestly in my opinion it's always going to be that way so there needs to be that bridge that understanding that OT is different you need to collaborate you need to work together because ultimately there are risks in the OT environment and even though it may be the same technology at the base there are different again operational requirements that cause the standard it controls to not be applicable um so it's critical in your organization to understand that that divide if there is a divide between it and OT you need to bidge that Gap you need to be speaking the same at least not speaking the same language but talking to each other because ultimately you're both on the hook for for resolving or mitigating risk even if it comes you know in this case it be coming from an OT inv vendor like you mentioned Scott and just knowing 
that they're different is the best start and then trying to bridge that Gap is the best way to mitigate it in my opinion yeah and kind of goes right back to what you presented at the beginning of having those key stakeholders having the right people involved in developing it if you're not hearing from the side then you're more more likely to miss exactly what you're talking about absolutely uh I guess another uh kind of thought you raised in handling um exceptions um do you ever see sort of policies around um when risks are are realized so you know if you uh it doesn't necessarily have to be if you had an exception in place but just you know um sort of the worst has happened um sort of what policies do you put in place in order to um I guess kind of come back from when our risk is realized well it sounds like that would translate into your incident um planning and response policies plans procedures and um you know I think a lot of folks in the energy space are really good good at that um you know with the mutual Assistance programs and um close tie-ins with our um you know federal law enforcement agencies and and that kind of thing um and and a lot of companies also because of their uh need for things like storm management or other disaster management they've got a lot of Emergency Management procedures and the cyber security piece can tie in and so if a third party risk translates to a cyber security incident or issue um it's probably just going to float over to the um to either your all hazards Emergency Management approach or Andor your cyber security planning and response I agree with that that's what came to mind as well realize risk isn't as a cyber event and you should have an instant response Andor business continuity Dr policy or procedures to handle that and the most important part of those procedures are they should have you know a feedback mechanism built in at the end they should have a lesson's learn piece where you incorporate what what you've 
learned from that which in this case sounds like you would have some learnings that would go back into your third-party risk management process or procedures that need to be implemented so it doesn't happen again in the future right okay thanks um so I gu maybe kind of FAL question here when it comes to sort of making changes to these policies is do you see sort of an appropriate Cadence um to do it I imagine you know you're putting too much out there all at once everyone's going like what is the latest thing what were we supposed to do again or you know too much confusion there um so kind of managing that that level of expectation yeah I I've seen and Terry you can we may have the same answer here um I've seen it a minimum you know policy update cader review every two years um that's kind of the maxim I said minimum that's the maximum you want to have a policy sit out there without being reviewed um you know a minimum I think uh for most organizations if you're updating something more than once a year that's way too fast it's it's too much change necessarily to push through an organization um so really the best Cadence has been between one and two years that I've seen in my in my experience and obviously it depends on your culture all goes back to culture and understanding how quickly things move uh you may have policies that can sit there for more than two years but as long as you have a checkpoint to say hey has anything material changed here then they can sit there for another two years uh that's that's what I've seen as best practice Terry well and I think in your policy review process you have a capability to change you know you don't have to wait until that review date if you got something uh you know whether it's a minor or major change that needs to be updated and if it's a major change you'll want to communicate around that and so especially as you are first implementing like I said if you you know if you all got together and consens on the way it was 
written and then once you started implementing you know some piece of it becomes really problematic and you find you need to change it then you should you should change it um but you don't want to change it every month um because then you'll maybe start to lose some credibility there but um I agree with Roland you know one to two years uh my personal preference is about every year um and just you know getting people ACC accustomed to that uh I agree it depends on your organizational culture as well I agree um I think I heard my boss joke about how so many businesses are managed by astrology because we do things by calendar years but it does there's something about it that just sort of feels natural to align to with you um I wanted to try out kind of one thought um in U that I had in listening to some of these descriptions um in particular Roland you kind of mentioned a culture of compliance um I think you've you know I heard some stories or concerns that um you know a culture of compliance um potentially not leading to security but uh so I thought I had is you know maybe that means that a sign of good policies is that you know a culture of compliance does overlap well with a culture of security um is that gonna how do you feel about that yeah I completely agree I mean compliance and security are different things they can lead you down different roads um but if you do both of them correctly you you're on Parallel paths and again it's you're dealing with with culture which is multi-year time span is is what those things are these aren't simple projects you just said and forget that that's why it's so hard and a lot of organizations struggle with and I think all of it ties back to your organizational culture having an accountable culture you know playing to the goals of the company you know that are set you know at the executive level and um you know just making sure you're holding yourself and your teams accountable okay great um well that's I think all the questions 
I had and questions that I saw come in so um I guess let me final words for our audience and then um we'll kind of let you go to the rest of your day well I appreciate the time thanks for in inviting us to to join I'm open to you know hearing additional questions if people have any and I'm looking forward to seeing the handbook yep thank you for your time I hope I hope somebody learned something from this and it was valuable um that that that was my my goal is that this was useful to someone out there and and obviously if there's questions afterwards I'm also open to uh answer him afterwards great um okay well in that case let me say um thank you to uh ter and Roland for sharing your expertise and your experience um and thank you to everyone who joined us today uh for the webinar um so just reminding the the recording of today's webinar will be uploaded to USA's YouTube channel uh and a link or potentially even an embedded video uh will be added to the event page along with a PDF of the presentation slides um so next up we have the eighth webinar in this series um which will actually be held in three weeks this time on April 11th and we'll cover uh managing cybercity risks in a rapidly expanding electric grid uh so webinars do proceed continue to proceed every other week thereafter um so please be on the lookout for the email announcements or visit usa.org events um and if you missed previous webinars in the series or want to go watch the two that Roland and Terry referenced um you can see them on uh the usca event page as well as USA's YouTube channel um so thank you again to everybody for joining today uh we hope to see you at the next webinar on April 11th so have a great rest of your day bye