Shared Technology Risk Management


Summary

Shared technology risk management is the practice of identifying and reducing the risks that arise when multiple organizations or departments use the same digital platforms, networks, or cloud services. It focuses on safeguarding sensitive data and ensuring system reliability when technology is shared across different business units or external vendors.

  • Build network visibility: Take steps to understand what devices and systems are connected to your network to quickly spot vulnerabilities or intrusions.
  • Strengthen vendor oversight: Regularly assess third-party technology providers for their security controls and require clear evidence that protective measures are functioning as promised.
  • Develop collaborative plans: Work closely with cybersecurity and operations teams to create shared response strategies for incidents, ensuring everyone knows their role if a technology outage occurs.
Summarized by AI based on LinkedIn member posts
  • Sandeep Y.

    Bridging Tech and Business | Transforming Ideas into Multi-Million Dollar IT Programs | PgMP, PMP, RMP, ACP | Agile Expert in Physical infra, Network, Cloud, Cybersecurity to Digital Transformation

    One flat VLAN. One big blast radius.

    A huge mistake is treating OT like it’s off the grid. Like it doesn’t need modern control. The truth? Modern plants are digital. Sensors, HMIs, SCADA; all plugged into corporate networks. And attackers know it. OT downtime costs real money.

    Now that IT and OT share networks and risk... every leader should be asking:

    Do we know what’s in our plant network?
    Can we stop lateral spread before it starts?
    Who responds when the alarms light up?

    Visibility must come before control.

    Here’s the risk: Most plants still run flat. No asset inventory. No real segmentation.

    That means:
    → One infected sensor = plant-wide exposure
    → No logs. No alerts. No response window.

    Why?
    → No passive discovery
    → No segmentation by function or risk
    → No playbooks for real-world events

    These aren’t tech misses. They’re signals of unowned risk:
    → No Purdue-level firewalls
    → No ops-friendly rulesets
    → No drills. No handoffs.

    What works in live plants:
    ⤷ Nozomi Networks + Claroty for passive asset mapping
    ⤷ Fortinet OT + Microsoft Defender for IoT for layered visibility
    ⤷ Cisco + IEC 61850 profiles for contextual segmentation

    Proven rollout:
    ᝰ.ᐟ Discover via SPAN ports; no inline risk
    ᝰ.ᐟ Segment by function; rules ops can read
    ᝰ.ᐟ Monitor passively; tune alerts with plant teams
    ᝰ.ᐟ Drill the bad day; assign owners and response SLAs

    Ops leads: sign the playbook. PMs: add OT gates to the delivery plan. CISOs: measure time to contain, not just alert count.

    📁 Share if IT and OT now share a wall.

    Safety doesn’t start with security — it starts with visibility.

  • Olivia Kearney

    Head of Insights and Partnerships @ Plenitude

    Interesting to see JP Morgan’s open letter to suppliers highlighting the risks linked to the #SaaS delivery model. With significant concentration risks tied to key vendors and intense pressure to rapidly deliver new features and products, maintaining strong security must be a top priority for third-party providers.

    Third-party suppliers are crucial to a comprehensive, efficient, and adaptable FCC approach, but risks such as privileged access to customer systems, hidden fourth-party dependencies, and insecure authentication methods can leave firms vulnerable to exploitation and create critical points of failure.

    At Plenitude, we’ve observed some key trends in this area:
    ➡️ Greater scrutiny from 1st line control owners on FCC system security and the robustness of contingencies in the event of system outages;
    ➡️ Growing discussions around contingency planning with operations and financial crime teams to ensure firms can quickly adapt to new systems and processes, reducing sole reliance on a single system or vendor;
    ➡️ Increasing involvement from InfoSec teams in shaping FCC system requirements to ensure secure technology integration and stronger operational resilience.

    💡 As the letter highlights, FCC software providers must deliver comprehensive security as standard, along with clear, ongoing evidence that controls are working effectively.
    💡 Strengthening collaboration between InfoSec and 1st line systems teams will be critical to achieving a comprehensive risk mitigation approach, enhancing security, operational resilience, and the effectiveness of FCC frameworks.

    Read the full letter here: https://lnkd.in/eDBWDBkj

    #saas #3rdparty #riskmanagement Pat Opet

  • Ⓜ️ Micah V.

    Security Engineer | PPKW | Data | CTI | SecOps

    Mandiant (now part of Google Cloud) just released an absolute must-read on the benefits of integrating CTI and Risk Management teams/workflows/efforts.

    "The overarching goal for both risk practitioners and CTI analysts is to inform the decision-making process within an organization."

    Mandiant suggests 3 steps for achieving this outcome of collaboration between teams:
    1. Build mutual understanding
    2. Identify how foundational elements of CTI can be applied to cyber risk
    3. Build collaborative workflows

    If you know me, you know this is a passion of mine. I've worked in both fields, and even gave speeches on Creating a Risk Managed and Threat-Informed Cyber Defense Strategy. The benefit is there, but fundamental differences in mindsets have prevented any good overlap. I hope teams begin to embrace this philosophy and move their cyber programs towards a more connected and holistic approach to defense.

    Fantastic job bringing awareness and solutions John Doyle Jamie Collier Shanyn Ronis Kelli V. Neil K. Andrew C.

  • Vishal Chawla

    Cybersecurity Strategist & CEO @ BluOcean

    Home Depot's Third-Party SaaS Slip-Up - A Cybersecurity Wake-Up Call for Everyone

    In today's day and age, third-party SaaS vendors are like the proverbial banana peel, and mighty companies like #Microsoft, #Okta are all slipping over them, despite stringent cybersecurity controls.

    Earlier this month, Intel Broker published online the personal information of 10,000 #HomeDepot employees. This data leak included names, work emails, and User IDs — enough to set the stage for a ripple effect.

    This fiasco sounds the alarm bells for all corporations utilizing third-party SaaS applications. That's practically everyone! Is the existing cybersecurity strategy enough to ensure employee and customer trust as well? I wouldn’t be so sure.

    The need is for a full-fledged cybersecurity strategy that leaves no stone—or vendor—unturned.
    ➡️ Rigorous vendor assessments based on SaaS security controls
    ➡️ Third-party SaaS governance and SaaS sanctioning
    ➡️ Proactive monitoring and remediation of third-party SaaS applications,
    ➡️ and an associated incident response playbook

    These aren't just checkboxes; they're the building blocks of a robust defense in depth strategy against the ever-evolving cyber threat landscape.

    Now, let's turn the spotlight to you!
    ❓❓ Do you think traditional Third Party Risk Management programs, anchored in outdated models and reliant on procurement reviews, are sufficient to address the shared responsibility model for the SaaS ecosystem?
    ❓❓ How do you tackle the evolving third-party threat landscape?

    Share your war stories and battle-tested strategies. How do you keep your organisation's cybersecurity mojo intact while dodging the digital pitfalls? Let's get the conversation buzzing! 💬

    #SaaS #ThirdPartyRisks #SharedResponsibility
