Abstract:
The appropriate governance of cyber security programmes is essential to their success; however, governance is the principal reason ICS security programmes fail. This paper discusses organisational risk, from the Board throughout the organisation, and examines the convergence of IT and ICS systems. It considers implementation challenges arising from organisational design and from significant changes in the ICS landscape, which have expanded potential risk. It is contended that the changes, including the future of Cyber Physical Systems, are fundamental, necessitating new roles and skills to address broader digital risk beyond traditional information assurance. Established guidance and new approaches to managing ICS security and governance are recommended.