It’s true that oil and gas companies are unsure about the value of compliance. Just one in four (27%) respondents believe that compliance drives the right focus and behaviors, compared with 42% more broadly.
The situation will improve over time, as rules become more sophisticated and responsive to the new business models being developed in the sector. Today, however, 6 in 10 (61%) oil and gas respondents believe regulation will only become more fragmented, and therefore more time-consuming, in the years to come.
How oil and gas CISOs can excel as strategic enablers
CISOs in oil and gas have an opportunity to increase their influence and ensure their operations have the resilience needed to sustain cyber-secure growth. Faced with the challenges of a rapidly changing sector, they need to act decisively.
Become an expert in the new business models
New revenue streams mean a larger and more complicated risk exposure. As outlined above, the board may not have personal experience of the investment levels needed to contain all the elements of this risk. In turn, we can expect them to look to the CISO for insight.
The research suggests, however, that cybersecurity teams may need to enrich their own understanding of new oil and gas business models, and the accompanying technologies, before they can provide guidance to others. Currently, for example, just 27% of respondents believe that senior leadership would describe the cybersecurity team as being “commercially minded.” Cybersecurity professionals in oil and gas are much more likely to be described as protecting the enterprise, responding quickly to crises, and working collaboratively with others. All of these attributes are admirable in themselves but, in today’s sector, they need to be balanced with a deeper understanding of how the threat is changing in parallel with new value creation.
By broadening their knowledge beyond the established remit of cybersecurity, CISOs will be better placed to articulate the risks to the board or executive management committee and outline what is required to ensure resiliency in a changing commercial environment.
Build stronger relationships outside the traditional sphere of influence
To embed security by design, oil and gas CISOs need to develop stronger relationships with operations teams and with the organization’s equipment owners and strategic partners. By seeing the reality of field operations firsthand, cybersecurity teams can anticipate where their interventions might encounter resistance from business partners.
Cybersecurity teams should also recognize that the OT development life cycle is much longer, with less frequent maintenance windows, than that of enterprise IT. OT changes can’t be made at the 11th hour. Network change happens over several weeks, if you’re lucky, and some change can’t happen at all. So oil and gas CISOs must be understanding when they look at security by design and start by saying "How can we work together to layer security around those assets and protect them?"
Approach compliance as a benefit
Our findings indicate that oil and gas CISOs are pessimistic about regulation and the time it takes them to achieve compliance. International oil majors are likely to be the most affected by changes to regulations, as they struggle to comply with regional as well as transnational standards, but changing regulation will impact all.
Cybersecurity leaders are looking into automation, new skills and centralization as ways to make the process more efficient, but the first step is a change in mindset. The sector has no choice but to evolve and protect itself against these new risks and a broader threat landscape, as opposed to saying that the requirements are too difficult. Moving away from regulation as a burden, and toward regulation as an essential pillar of an evolving sector, will help oil and gas companies overcome the long-term challenges they face and seize new opportunities. Adopting sound HSE principles over the years has become part of the ethos of the sector. Good cybersecurity should be no different.
The oil and gas sector has changed significantly in recent years, but its transformation journey will only increase as the world turns away from fossil fuels and energy companies respond with innovative new strategies for growth. As they do so, the cyber threat will continue to grow, and well-positioned CISOs stand to become ever more critical to long-term business success.