Should Operational Technology (OT) cybersecurity controls (like NIST) be required by law, or remain as recommendations to businesses?

Strategy & ArchitectureGovernance, Risk & ComplianceSecurity & GRC

Control required by law.67%

Business recommendations.32%


562 PARTICIPANTS
2.1k views1 Upvote5 Comments
Director of Technology Strategy in Services (non-Government), 2 - 10 employees
I have a view that the requirement by law should be descriptive, not prescriptive.

The extent should be a mandate that each business has someone accountable for Cyber Security, much like jurisdictions have for privacy officers
3
CEO in Services (non-Government), Self-employed
Operational technology is a very broad space. I think we need to reclassify devices and "things" so that those that may impact human health and safety fall under regulated cybersecurity mandate and those that have little impact are suggested but not mandated.
2
Chief Information Officer in Manufacturing, 10,001+ employees
The landscape is a living place that is constantly changing and i believe there should be a body that develops cybersecurity standards that provides and supports all industries as a foundational framework. From that point it's a business decision to follow those standards to protect their interests. 
1
CTO in Services (non-Government), 51 - 200 employees
I went with business recommendations purely because any regulation would need to take into account company size. Smaller companies just don't have the resourcing to implement comprehensive, documented security.
2 1 Reply
Director of IT in Education, 5,001 - 10,000 employees

I agree, for small businesses the regulations can cost more for implementing than revenue.

Content you might like

Has your organization been hit by ransomware in the last 6 months?

Governance, Risk & ComplianceSecurity & GRCRisk Management+4 more

Yes28%

No, but we expect to be hit in the future.48%

No, and we don't expect to be hit by ransomware in the future.24%


241 PARTICIPANTS
2.2k views1 Upvote2 Comments

Would anyone be willing to share best practices about how their organization deals with ensuring Cookie Compliance, specifically to GDPR rules? Where should this sort of compliance review sit in an organization? The particular issue we have is who should review new web deployments that use cookies and to make the decisions on whether Cookies are Strictly Necessary or Functionality Cookies. For example is a Cookie required for a Live Chat to work Functionality or Strictly Necessary? Our Security team does not consider taking on these compliance reviews as their domain, as Cookie Compliance is not an internal security matter and the Data Protection team has a limited interest as the GDPR rules around Cookies apply in case of any Cookie being used by a website, whether or not it contains personal data. 

Security & GRCRegulatory Compliance
642 views1 Comment

If you had a magic wand - what's the #1 daily business challenge you'd eliminate?

People & LeadershipStrategy & ArchitectureCloud+57 more
CTO in Software, 201 - 500 employees
Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.
143 19 Replies
Read More Comments
47.1k views133 Upvotes324 Comments

What tools or techniques do you use to manage your suppliers?

Vendor/Product RecommendationVendor ManagementPeople & Leadership+1 more
Read More Comments
3.1k views2 Upvotes5 Comments

Which of the following areas are you planning to make the biggest changes to within your governance and risk program in 2022?

Governance, Risk & ComplianceSecurity & GRCRisk Management

Continuous Monitoring51%

Staff Well Being57%

ESG & Sustainability45%

Service Provider Location Risk14%

Other (share below)2%


537 PARTICIPANTS
2.4k views1 Upvote4 Comments