In an article on Network World, author Ron Lepofsky offers help to internal IT security teams in discussing NERC CIP security mitigation steps with executive management. SCADA vulnerabilities are an issue in businesses where security budgets must be discussed. Executive management is often under the impression that network security is expensive, and Lepofsky, founder and president of ERE Information Security and Privacy Auditors, offers valuable dialogue to aid in the sell.
“The key is to write the documentation with an emphasis on ease of implementation. Keep the initial documentation short and simple, in a format that is easy to update, and keep it updated. Once you have proved the initial policy, process, and other documentation to be successful in terms of meeting objectives, then you can look for budget to expand scope. I have seen this approach work successfully many times.
“As far as technology implementation budgets, I’ve seen best success with creating a multi-year plan with smaller annual budgets. As long as you can prove success with meeting each year’s goals, your chances of getting successive budgets of course improve. Nothing succeeds like success.”