Gartner Research

CIO Involvement in Operational Technology Vendor Risk Management Mitigates Security Vulnerabilities

Published: 26 March 2014

ID: G00261054

Analyst(s): Kristian Steenstrup, Gayla Sullivan

Summary

Accountability for risk management of operational technology vendors is often unclear, but IT components imbedded in OT can potentially disrupt critical production processes. CIOs must get involved to help mitigate the immature software life cycles and security management processes of OT vendors.

Table Of Contents
  • Impacts

Analysis

  • When Should a CIO Consider Getting Involved in Managing OT Vendor Risk?
    • Key Intrusion Examples

Impacts and Recommendations

  • OT vendors lack experience in addressing software life cycle and security management processes, and consequently introduce vulnerabilities to enterprises — CIOs are uniquely positioned to help manage these vendor risks across the entire IT/OT spectrum
  • Issues around authority, organizational boundaries and lack of trust between CIOs and operations/engineering team leaders prevent enterprises from adopting standardized vendor risk management practices across the IT and OT vendor ecosystem
  • Due to a lack of sharing, transparency and accountability among CIOs and operations/engineering team leaders, many common OT vulnerabilities are unknown to the enterprise and remain unmonitored — and could have potentially devastating consequences
  • Many OT vendor risk management programs are either nonexistent or too immature to enable CIOs to adequately and effectively mitigate enterprise-class vendor risks

Gartner Recommended Reading

©2020 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. It consists of the opinions of Gartner’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party. For further information, see Guiding Principles on Independence and Objectivity.

Already have a Gartner Account?

Purchase this Document

To purchase this document, you will need to register or sign in above

Become a client

Learn how to access this content as a Gartner client.