
Discover Cyber-Resilient Governance

Learning Objectives

After completing this unit, you’ll be able to:

  • List the six principles for the OG industry that will help board directors govern cyber risk.
  • Describe how to establish a comprehensive cybersecurity governance model for the oil and gas (OG) sector.
  • List questions to consider to promote a security by design, resilience by design culture.
  • Explain why management should consider cyber risk to the organization and the broader ecosystem.

Oil and Gas Industry Cyber-Resilience Principles

The following six principles are specific to the oil and gas (OG) industry and complement the World Economic Forum's (WEF) general cyber-resilience principles to address critical cyber-resilience challenges.

  • OG1. Cyber-resilience governance
  • OG2. Resilience by design
  • OG3. Corporate responsibility for cyber resilience
  • OG4. Holistic risk management approach
  • OG5. Ecosystem-wide collaboration
  • OG6. Ecosystem-wide cyber-resilience plans

These principles for OG industry-specific activities provide cybersecurity practitioners with implementation support. Let’s delve into these principles in more detail.

Principle OG1: Cyber-Resilience Governance

Note

Before establishing a comprehensive cybersecurity governance model, it’s a best practice to determine what data the organization is protecting, taking into account factors like data classification and business process criticality. Once this is done, the next step is to develop a cybersecurity governance framework with clear roles and responsibilities, mission, and vision.

The boards of organizations in the OG industry should require management to establish a comprehensive cybersecurity governance model.

Boards should consider these questions when implementing cyber resilience at their organizations.

  • How does the governance model create a collaborative relationship between information technology (IT), operational technology (OT), and physical security functions? What effective mechanisms are in place to support this relationship?
  • Which roles and responsibilities for cyber resilience have been established, integrated, and adhered to across IT, OT, and physical security functions?
  • What are the existing incentives for best practices to secure operational and safety environments?
  • How is the cyber-resilience governance model reviewed?

Implementing Cyber-Resilience Governance

Some suggested activities for the implementation of cyber-resilience governance include:

  • Build a comprehensive governance model with the capacity to manage and supervise cyber resilience for IT, OT, physical security, health and safety environment, and digital transformation.
  • Ensure the proper level of authority and command of accountable officers and subject matter experts, with the experience and resources to execute cybersecurity duties.
  • Provide regular updates in close collaboration with different business unit leaders at an adequate frequency for cyber-resilience strategy implementation and budget.
  • Promote a cyber-resilience culture by sharing best practices regularly through training and awareness exercises across the organization.

Suggested metrics can include:

  • Percentage of employees who have successfully completed cybersecurity awareness education programs on cyber-hygiene practices with a focus on high-risk groups (for example, board members, C-suite executives, and IT, engineering, human resource, and finance personnel).
  • Number of cybersecurity collaborative engagements with business units.

Principle OG2: Resilience by Design

The boards of organizations in the OG industry should promote a security by design, resilience by design culture, and should require their management to implement similar standards and values while documenting progress.

Boards should consider these questions when implementing cyber resilience at their organization.

  • Are cyber risks and associated implications evaluated, embedded, and appropriately managed in all aspects of the business by design?
  • How is cross-functional and cross-departmental ownership of cyber-risk management established to achieve resilience by design?
  • How are risk management activities coordinated across departments in the organization?
  • How are direct and indirect cyber risks managed in ongoing activities and planned for new initiatives?
  • How are key members of personnel made aware of the cyber-resilience impacts and expectations of their role?

Let’s look at an example.

A Petroleum Company Integrates Cybersecurity Risk

Tim is a board member at a petroleum company, working to integrate cybersecurity throughout all aspects of the value chain, from IT devices to energy assets connected by OT control systems. To enforce the importance of cyber risk, Tim and the other board members and the CEO developed and endorsed key cyber principles in a memorandum that the chief operating officer (COO) and chief information officer (CIO) communicated to the company. With board support, the team was able to strengthen its cybersecurity program by adding personnel and funding plus establishing a cybersecurity governance system to better manage risks.

Tim presents a plan to the other board members to hire more personnel and infuse more funding into the cybersecurity program

Implement Resilience by Design

Suggested activities for the implementation of resilience by design include:

  • Define cyber-resilience metrics and appropriate incentives for all business units to enable ownership and commitment to implementing new cyber-resilience requirements in their operations.
  • Establish a regular cadence of cyber-resilience reporting by the officer accountable for cyber risk and resilience.
  • Collaborate with business units and risk functions to adapt the cyber-risk posture to business needs.
  • Establish a cybersecurity awareness program tailored to the needs of each business unit and its unique risks.
  • Equip personnel with the ability to identify and manage cyber risks.
  • Ensure cyber resilience, protection, detection, and response capabilities are integrated with technical and business activities by design.

Suggested metrics can include:

  • Percentage of business unit processes that adopt and integrate cyber-resilience practices by design.
  • Percentage of employees following cyber-resilience and awareness training (tailored to different levels).
  • Percentage of lighthouse projects that serve as a model covering cyber resilience by design. The term lighthouse denotes that these projects can act as beacons to guide others that are looking to apply cutting-edge technologies like artificial intelligence (AI) and advanced analytics to designing cyber-resilient systems.
  • Average time to detect, respond to, and recover from a critical cyber incident leading to a system failure or disruption.

Principle OG3: Corporate Responsibility for Cyber Resilience

The boards of organizations in the OG industry should encourage management to consider cyber risks to the organization and the broader ecosystem, examine the organization’s cyber culture and practices, and explore how to manage these risks.

Boards should consider these questions when implementing cyber resilience at their organizations.

  • How does management view the cyber-related risks that the organization is introducing to the ecosystem, the potential cascading impact, and corresponding reputational risk?
  • How are the primary and cascading effects of cyber risks evaluated and managed in all aspects of the business, and how are the potential cascading impact and corresponding reputational risk assessed?
  • How does the organization plan to communicate a potential cyber risk, vulnerability, and incident introduced to the ecosystem to relevant parties?

Let’s look at an example.

An Energy and Petrochemical Company Shifts from Cybersecurity to Cyber Resilience

Many organizations harbor different cultures with various risk appetite levels, which can be detrimental to implementing company-wide cybersecurity policies and best practices. Risk appetite is the organization’s or stakeholder’s readiness to bear the risk after risk treatments are implemented to achieve its objectives. Legal and regulatory requirements should factor into this risk appetite so that organizations or stakeholders stay within the boundaries set by regulators.

With the goal of reducing the potential impact of cyberattacks at an energy and petrochemical company, Alison, the chief information security officer (CISO), recognized the need to balance risk appetite levels within business units with stakeholder expectations in order to implement cyber resilience holistically throughout the company. The board provided support for training and awareness, and resources dedicated to developing the company’s cyber resilience further. By ensuring Alison had the appropriate resources and support, the board provided the means to build allies in implementing new cyber policies and practices.

Implement Corporate Responsibility for Cyber Resilience

Suggested activities for the implementation of corporate responsibility for cyber resilience include:

  • Collaborate with other business unit designees and individuals who have the responsibility to integrate cyber resilience in their processes.
  • Take steps to address internal cyber risk for supply chain partners and the overall ecosystem should the organization experience an attack or breach.
  • Augment existing business continuity plans with offline recovery measures, out-of-band communication methods, and independent recovery sites to cover cybersecurity-related events and increase resilience by design.
  • Establish ecosystem-wide collaboration and resilience plan activities.

Suggested metrics can include:

  • Number of critical/high cyber risks related to suppliers/business partners by status (accepted, avoided, mitigated, transferred).
  • Number of cyber incidents detected/shared within the ecosystem and actions in place to remediate reported vulnerabilities per quarter.
  • Frequency of budgeting and resource allocation reviews, ensuring appropriate reflection of the organization’s cyber-risk appetite.
  • Number of cyber-incident scenarios included in the business continuity and disaster recovery plans.

Sum It Up

In this unit, you’ve been introduced to how to establish a comprehensive cybersecurity governance model for organizations in the OG industry by learning three of the six principles. You’ve also learned how to promote a security by design, resilience by design culture, and the importance of considering cyber risk to the organization and the broader ecosystem.

Next, you learn more about how to implement a holistic risk management approach for cyber resilience in the OG industry, and actions organizations in the industry can take to promote collaboration.
