Establish a Risk Management Culture

Learning Objectives

After completing this unit, you’ll be able to:

• List questions to consider to implement a holistic risk management approach.
  
• Identify actions to foster collaboration.
  
• Describe how to create ecosystem-wide cyber-resilience plans.
  

Let’s continue exploring the World Economic Forum (WEF)’s cyber-resilience principles for the oil and gas (OG) industry.

Principle OG4: Holistic Risk Management

The board of organizations in the OG industry should manage cyber risks across the OG ecosystem by providing an appropriate mandate, funds, resources, and accountability for cyber-resilience programs. 

Boards should consider these questions when implementing cyber resilience at their organizations:

• What risks for the organization do internal and external parties pose?
  
• What financial and personnel resources are sufficient to achieve the appropriate holistic cybersecurity risk management objectives?
  
• How does the current risk management approach incorporate cyber risks from the supply chain?
  

Implement a Holistic Risk Management Approach

Suggested activities for the implementation of holistic risk management include:

• Identify cyber risks posed within the supply and value chain and work with relevant partners to mitigate their vulnerabilities.
  
• Define and quantify cyber-risk tolerance in collaboration with other business units.
  
• Perform a review of the supply- and value-chain dependencies and identify blind spots and high risks related to cyber threats.
  
• Ensure risk management actions and tools follow a consistent holistic approach adopted and accepted across the ecosystem (for example, security assessments, questionnaires, and audits).
  
• Adopt a common risk framework recognized by the industry, such as the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC) 27000 series, the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) or the Cybersecurity Capability Maturity Model (C2M2).
  

Suggested metrics can include:

• Percentage of strategic suppliers and partners assessed (cyber-resilience due diligence) and with security clauses embedded in their contract.
  
• Number of critical systemic risks (affecting the industry as a whole) covered by the organization’s risk analysis.
  
• Frequency of risk assessments (the overall process of risk identification, analysis, and evaluation) conducted for critical business assets, functions, suppliers, and partners, for example, based on business impact analysis information.
  
• Number of critical assets covered by the risk management process.
  

Let’s look at an example

A Scalable Process on Cyber-Risk Acceptance

Carolyn is a corporate officer at an oil field service company; its approach is to document cyber-risk management and treats cyber threats as a hazard to business operations. To ensure cybersecurity is a top priority, Carolyn leads internal and vendor security reviews as part of the company’s procurement and building process. 

This process has four distinct steps: request, assess, approve, and track. When a request is made, Carolyn’s team conducts a risk-based assessment grounded in a stable, repeatable, and scalable controls library, taking into account factors like data classification and business process criticality. The process then requires approval from the business, legal, and information technology (IT) departments, with defined levels depending on the degree of risk. 

Finally, Carolyn uses regular executive reporting to track cyber threats, including remediations. This repeatable and scalable process ensures the consistent application of risk-based controls with clearly designated responsibilities for risk assessment and cross-functional risk ownership.

Principle OG5: Ecosystem-Wide Collaboration

The board of organizations in the OG industry should empower its management team to create a culture of collaboration for the effective oversight, monitoring, and control of ecosystem-wide risks. 

Boards should consider these questions when implementing cyber resilience at their organizations.

• How does the organization engage with cyber-resilience collaboration platforms and action groups?
  
• What cyber-resilience plan of action covers the organization’s ecosystem(s)?
  
• How are the lessons learned from collaboration activities used to strengthen the organization’s and ecosystem’s cyber-resilience practices and how are they enabling new opportunities?
  

Let’s look at an example.

Establishing an Ecosystem-Wide Approach 

Gregory is the head of IT at an energy company, whose dispersed ecosystem relies on different organizations, partnerships, and joint ventures throughout its upstream to downstream business. Each part of the ecosystem brings its own operating environmental norms and diverse approaches to cybersecurity, which can prove difficult to manage. 

To reduce cyber risk, Gregory launched an initiative aimed at bridging the gap between these different operating environments and connecting the operational technology (OT) upstream and downstream teams together. The IT group financed a centralized team to ensure common practices and approaches to cyber risk, implemented a standard infrastructure and consistent asset inventory tools, and aligned processes to continuously monitor the OT environment. 

Through this centralized team, Gregory’s company can continuously improve the collective cyber-resilience controls and plans between upstream and downstream partner organizations.

This methodology balances preparedness and protection while improving monitoring and response capabilities. Collaborating and aligning on the adoption of unified approaches and controls improves the monitoring and visibility of the OT environment, which reduces the detection and response time of IT/OT software versioning and patching from a few days to minutes.

Implement Ecosystem-Wide Collaboration

Suggested activities for the implementation of the principles of ecosystem-wide collaboration for boards include:

• Collaborate with ecosystem partners to develop, improve, and adopt unified approaches informed by industry frameworks, standards, and tools.
  
• Engage in and report on interaction with policymakers and global standards organizations to make ecosystem-wide collaboration easier.
  
• Engage in or lead cyber-resilience communities and initiatives (under the stewardship of industry, national, or international organizations) that encourage information sharing, strengthen collaboration across the ecosystem, and drive collective action.
  
• Collaborate with ecosystem stakeholders and actively participate in system-wide cybersecurity information-sharing bodies on cybersecurity topics, for example, the Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC), the Operational Technology Information Sharing and Analysis Center (OT-ISAC), the American Petroleum Institute (API), the European Union Agency for Cybersecurity (ENISA), etc.
  

Suggested metrics can include:

• Frequency of events and engagements with ecosystem and industry peers.
  
• Frequency of meetings with security officials and cyber-response experts, including policy-makers, national security and intelligence officials, and private-sector cyber-response and legal experts.
  
• Number of threat intelligence reports and briefings exchanged with peers across the ecosystem.
  

Principle OG6: Ecosystem-Wide Cyber-Resilience Plans

The board of organizations in the OG industry should encourage management to create, implement, test, and improve collective cyber-resilience plans and controls with other members of the ecosystem. 

Boards should consider these questions when implementing cyber resilience at their organizations.

• What data or information do we need to protect? What activities are included in the cyber-resilience plan? How does the plan cover the organization’s ecosystem(s), including incident response, communications, business continuity, and disaster recovery? Is the plan adequately tested with appropriate regularity?
  
• Which collaboration platforms should boards and management teams support to advocate for the development of collective resilience plans?
  
• How do the collective resilience plans reflect and balance preparedness with response and recovery across the ecosystem?
  

Let’s look at an example.

An Energy Company Helps Secure the Value Chain

Rebecca is a board member at an energy company. She supported an initiative in which her company partnered with a research center dedicated to information security to conduct a survey of industry executives and managers at global OG companies to assess the companies’ cybersecurity readiness. The results of the survey showed that, across the sector, most organizations have difficulty hiring cybersecurity personnel with in-depth knowledge of OT-connected energy assets necessary to identify and address cyberattacks before they occur.

Rebecca’s company recognized that one way to improve cybersecurity for all OG companies is to ensure small- and medium-sized organizations can access advanced artificial intelligence (AI)-based monitoring and detection solutions, which helps strengthen the weaker links against cyberattacks in the digital ecosystem. By combining interoperable and manufacturer-agnostic AI technologies, and efficiently leveraging OT-native human expertise, small- and medium-sized energy companies can gain access to monitoring, detection, and cyberattack prevention capabilities–a level of protection previously achieved only in-house at companies with adequate budgets.

Implement Ecosystem-Wide Cyber-Resilience Plans

Suggested activities for the implementation of the principles of ecosystem-wide cyber-resilience plans include to:

• Develop a cyber-resilience plan as one of the organization’s strategic priorities, in close collaboration with all business function and unit leaders, and explicitly incorporate the board’s role.
  
• Set a regular cadence of reporting on cyber-resilience plans, to include critical updates, testing frequency, and results.
  
• Conduct regular cybersecurity exercises and tests on cyber resilience that include systemic failure and subsequent recovery as a component or focus of the exercise.
  
• Verify that the cybersecurity strategy and program are linked with internal and external sources, the management of incidents, and response and recovery capabilities (from a people, process, and technology perspective).
  

Suggested metrics can include:

• Number of tests conducted and adopted corrective measures.
  
• Number of hours of interruption or disruption of essential business services, including the financial impacts of disruptions.
  
• Percentage of critical open actions and closed actions resulting from cybersecurity preparedness exercises, including systemic failure testing as a component or focus of the exercises.
  
• Percentage of critical systems that implemented and successfully tested contingency and disaster recovery plans this quarter.
  

Sum It Up

In this unit, you’ve been introduced to how to implement a holistic risk management approach in the OG industry. You’ve also learned how to foster ecosystem-wide collaboration, and the importance of creating ecosystem-wide cyber-resilience plans. 

Next, you’ll learn more about how to operationalize the principles for cyber resilience in the OG industry, and actions organizations in the industry can take to enable the adoption of new cyber policies and principles. 

Resources

• External Site: ISO/IEC 27001 Information Security Management 
  
• External Site: NIST Cybersecurity Framework
  
• External Site: United States (US) Department of Energy: Cybersecurity Capability Maturity Model (C2M2)