21 September 2021 Mie

The cyber security threat will evolve as long as there is a business model or need for it

Jens Christian Vedersø is Risk and Governance Manager at Hempel, and he is one of the speakers at the new international Industrial Security Conference in Copenhagen on 15-16-17 november. At this conference, he will talk about Orchestration of schares efforts and how to live the principle of ‘Keep it simple’ when identifying, analyzing, and mitigating risks in an OT-environment

In this article, you can read an interview with Jens Christian Vedersø.

How did you get into working with security and how did it develop throughout your career?

Well – as everyone in this field you need to be a jack of many trades, as ICS is on the boarder between Production and IT, and arguably also on the boarder between technic and governance.

I have a background as a Naval Officer. In the navy there is a natural mentality to get things working, so whatever challenges with equipment there was, we had to fix in mid sea. As an officer and later as commanding officer I never stopped fiddling with things to improve the use and how to fix it.

Later after studying Political Science, I joined the Danish Energy Agency – as advisor on risk preparedness – and my first task was to describe to the minister what 2.3 on the CMMI scale meant – and weather it is good or bad. Well I was hooked – after seeing the need for conveying security aspects to top management I simply couldn’t stop exploring the field. As project manager of the development of cybersecurity regulation I felt a responsibility not only to listen and involve the stakeholder but also understand the technical and practical implications. Over the last years I have become increasingly involved with the practical orchestration of ICS security efforts risk assessments and mitigations.

What are the biggest challenges within cybersecurity in your eyes?

Well that is easy – communication!

There is a tendency to think of Cybersecurity as one problem – a problem that can be solved by one part of the organization with measures that conform to other problems. That is ridiculous and immature. To ‘solve’ Cybersecurity challenges effectively any organization will need to take a holistic approach towards identifying, analyzing and mitigating risks. This will demand involving the business, the facility management, accounting, the top management and all the others. As such Security is more a Change Management process than anything else.

And then we need to stop clinching to the strict and descriptive measures and processes described in standards – and consider what fits to our culture, business model and strategic aims.

How do we get ahead of ‘the bad guys’?

The threat will evolve as long as there is a business model or need for it. So there may only be geopolitical solution to this, otherwise there might be a solution in the horizon as the insurance companies are going out of the cyber-insurance marked again. And still it will continue to be a race.

When looking forward just 5-10 years, what do you think will be different?

Hopefully cybersecurity has moved from being handled only on the operational level into a consideration that we can discuss on the strategic level. So that organizations can make decisions where cybersecurity is not only a challenge nor a prerequisite but an imbedded part of the analysis and strategy. That way we will truly have organization that are ‘secure by design’ and have a   sustainable approach to security.

Besides more funds for security, what do you think would make a difference in the industry?

I am a constructivist at heard – I do believe that the way we communicate makes all the difference. If we trust our management and not only scream for more funding but also provide them with information, doubts, and considerations, then we become worthy of their trust – and we might help shape better strategic decisions. And at the same time if we are interested in the views and thoughts of our colleagues, we might become wiser on our self – and we help shape more meaningful dashboards, KPI’s, procedures and what have we…

What will your keynote be about?

I will focus on how we communicate security in an organization, and how to live the principle of ‘Keep it simple’ when identifying, analyzing, and mitigating risks in an OT-environment. I hope to make two points clear:

  1. We need to provide each other with the tools to trust each other – otherwise we will find ourself caught up in either our own security theaters or in immense paper-heaps to fulfill requirements stated by lawyers and accountants on the basis of well-meant standards.
  2. Then protecting an OT-environment don’t make the perfect enemy of better – let the local maintenance team take responsibility and make sure that there is something in it for them – an asset inventory, a malfunction investigation tool etc.

What are your own expectations for the conference?

I hope that the conference provides a boost of ideas and aspects that challenge my thoughts and make me change my views. In Denmark there are only that many of us in this field – and their sense of comfort and good humor in the community.

As a huge fan of the Energy-CERT, I look forward to hearing how Søren Maigaard and his team is progressing. But as we all know the visibility in OT networks is a major concern – I look forward to hearing Joe Slowiks take on that. And Jørgen Hartigs talk on IEC 62443 will also be interesting – As I have still to become a true disciple of the Gospel of IEC 62443, I look forward to hearing from one 😉 – sorry Jørgen.

Do want to hear more about security from Jens Christian Vedersø?

Join the first international Industrial Security Conference. Read more here and sign up here.