During the SANS ICS Security Summit 2015 last week in Orlando, Mike Assante moderated a panel titled: Harmonizing ICS Security and Compliance. I shared the stage with Matt Davis from Ernst & Yong and Josh Sandler from Duke Energy. Based on comments from my colleagues on the panel and questions from the audience, there was general agreement that security should transcend compliance. In other words, the goal of any organization should be a security regime that includes people, process, and technology in such a way that compliance is not the driver. Obviously, compliance does not equal security as any practitioner will tell you. Furthermore, having been on the regulator’s side of the table, regulations are intended to be the minimum of what must be done rather than the maximum. This mode of thinking puts the onus squarely on the asset owner, which is exactly where it should be. The regulator should be there to assist, enable, and at times validate, but ultimate responsibility remains with the asset owner.

Thanks to Mike for pulling this informative panel together and asking the key final question: So, what are asset owners to do? My answer was direct and to the point; call me. The Langner Group’s Robust Planning and Evaluation (RIPE) program can help asset owners implement just such a regime that integrates people, process, and technology into a sustainable and measurable security posture. RIPE is used to demonstrate compliance to the most rigid regulations in the nuclear industry on one end of the spectrum and to raise ICS security posture step by step, adjusting to available budget, for companies with no need to comply to regulation on the other end of the spectrum. It does well in these different scenarios and will also do well for your company.

Perry Pederson