Who is responsible for OT security standards?

Security & GRC

Engineering15%

IT57%

Joint IT (driver) with Engineering20%

Joint Engineering (driver) with IT6%

792 PARTICIPANTS
5.5k viewscircle icon3 Upvotescircle icon2 Comments
Sort by:
CIO in Energy and Utilities2 years ago

It is a joint effort between Operation Function and IT in our case.

Information Security Managing Consultant in Services (non-Government)6 years ago

Pending on the size and scale of the organization this should be a joint/combined effort. For separation of duties (audit and compliance) more than one group should always have insight and responsibility for oversight regardless the size and scale of the operation(s).

Content you might like

Does your organization leverage an Enterprise Architecture Solution/Tool for EA Practice?

Yes76%

No17%

We are in the process of selecting an EA tool8%

View Results

I'd like to discuss the privacy and data security implications of compromised accounts where a CoPilot (such as Microsoft's) is profiled on an account. It's clear that this poses a significant security risk, as a CoPilot with access to all our Graph services presents a unique attack vector. Those interested in learning more about what can be accessed and seen should feel free to ask. In cases where an account has been hacked, a thorough data-mining activity is often necessary to assess the extent of the breach. Have you thought about?

I don't have any concern about.16%

I feel there is a gap... but I haven't thought about before75%

I already have something on track to fix it6%

Other1%

View Results

Does someone have advice on how they have balanced the risk/reward as it relates to introducing Open-Source Software to organization? My org is dipping its toe into the OSS world and the architecture and risk governance teams are looking to get ahead of these requests by coming up with policies and standards for OSS technology being brought into our environment. To clarify, this is not for software development and CI/CD pipelines, SDLC etc. This is for installing solutions that already exist out there (Zabbix, GreyLog, Prometheus etc.) into the organization's environment. We are looking to provide a balance on the obvious risk with the ability to move fast (like everyone else now).

Have you evaluated any “AI native” data security platforms so far (like Concentric AI, Normalyze, etc)? Interested to know your thoughts on these, whether or not you move forward with implementing.

As part of our NYSE IPO prep, we’re debating how to communicate our system hardening efforts in regulatory disclosures (e.g., SEC Form 20-F, SFC).

Would you recommend sharing % compliance (e.g., “85% CIS Tier 2”) or sticking to qualitative descriptions of how we identify and mitigate risks? Also, do SFC/ISO 27001 expectations require full ISMS integration, or is a % model acceptable?