Issue link: https://iconnect007.uberflip.com/i/1088168
MARCH 2019 I SMT007 MAGAZINE 75
Johnson: Okay, so a takeaway here is if I have an IT staff in my manufacturing facility that is dedicated staff—and all of them do—I better start making it an objective to get my IT staff trained on cybersecurity issues.
Humphreys: Yes. You need to have five people overall, and two of those people need to be strategic. The other three need to be tactical. That's basically to sum it up from a strategic standpoint.
Johnson: You're saying 40% strategic, 60% tactical.
Humphreys: Absolutely.
Johnson: If I need to get my staff trained, where do I go?
Humphreys: Well, the SANS Institute gives a lot of great online training. They're probably the worldwide leader. I wrote their security utility curriculum. IEEE probably has a lot of training and outreach as well. Academia now is offering some special programs in Texas; I remember seeing that at the University of Texas, San Antonio. I also know Texas A&M University has a lot of vulnerability assessment teams where the public can use their undergrads to come out and do work and assessments, and look at them to get the training that they need.
At the end of the day, there are training organizations that can do it. There might be some specialized graduate programs in information systems management in security, but to the level of hands-on manufacturing and things like that, I don't think that exists. I don't know if they do industry-specific or niche training, so if you wanted a training session for your readers in manufacturing, that needs to be created.
I think there would be a demand for that if you have enough of a base that we could go in and do a two- or three-day workshop. We would explain the end-to-end skill set you need, what your program needs to be comprised of, and how you need to monitor it and leverage what you already have. Many companies already have a lot of this in place, they just have to put it all together. I think that would be a great opportunity.
One of the reputational risks right now is circuit board manufacturing is under high exposure with the malware stuff being found and the chips data being found on those circuit boards coming from China. Those are all parts, whether we make them here or make them there, coming from the same place for the most part, too. Again, given my regulatory experience and the knee-jerk reaction to regulations, you'd better believe that every time the media posts some crazy security story that's done in a summit like this where hackers show up, it's easy to compromise one of these circuit boards; that's the best use case they can get for moving toward regulation of those things.
Johnson: The trouble is you can't see that through the manufacturing lens.
Humphreys: No, you can't. I think the regulation stuff is going to continue to grow. It's going to be the first knee-jerk thing everybody jumps to trying to corral it. It's not sustainable. You can't count on that to be the bar to be set for security and operational efficiency. It can provide a foundational layer for people that don't normally look at that kind of stuff, but it's definitely not the ceiling. Find that sweet spot to justify the efficiency gain and the risk mitigated by going ahead; beyond that is my niche. I can put that carrot in front of them and I can make them follow that carrot.
Johnson: Okay. At the risk of oversimplification, it's not enough just to do what's required through regulation; you need to do the right thing.
Humphreys: Yes.