
How GE’s security head protects the industrial IoT

Nasrin Rezai, the global chief information and product security officer at GE, (left) talking to me about how CISOs need to view security when everything can be connected. Photo by Phillip Van Nostrand for Newsweek.

When it comes to securing enterprises and manufacturing plants, the CISOs at big organizations have to get their hands dirty on the operational technology side. They can’t leave sensors in the office hallways, for example, or HVAC systems to the facilities or plant operators anymore.

That’s the message that Nasrin Rezai, the global chief information and product security officer at GE, shared with an audience of security professionals this week at the Structure Security conference held in San Francisco. I interviewed Rezai, who has the unenviable job of overseeing not just GE’s internal security but also the production and protection GE provides to clients.

Rezai focused mostly on the gaps that currently exist between the IT side of the house and operations. Both sides have lessons to learn when it comes to working together, and any smart executive needs to take control of both if they really want to get a handle on their security, because attacks can come from anywhere.

She also brought up the challenge of securing more connected assets and said that if companies want to do this, they have to start building automation into their efforts. Her staff is now focused less on threat detection, which can be mostly automated, and more on analyzing when events might turn into new threats. Rezai’s message was echoed by Melissa Arnoldi, a senior executive vice president at AT&T, who also pushed for more automation in security.

Both women emphasized that security talent is tough to find, so training internal staff to grow into more analysis roles is essential. This is easy for companies to say, but tough to do. AT&T does this by training workers using courses it developed with Georgia Tech and also with Udacity.

Finally, for executives worried about cyber security in a more connected world, having both board-level and CEO-level support is essential. “Security is part of your company culture,” said Rezai. She told me she reports quarterly to the CEO and is involved with aspects of GE’s business as it connects new things and releases new products and services.

In the wake of Equifax’s hack, which was brought up dozens of times at the event, it seems clear that it’s not enough to talk about “Designing security into your product” or bolting it on after a breach. The new focus should be on making security part of your company because it’s not just the products that will be connected, but also the workforce and the operations.

If the CEO and board aren’t getting involved, your company isn’t doing this right.

Stacey Higginbotham
