Adopting Zero Trust
How Critical Infrastructure Leaders Are Rethinking Cybersecurity


S4 EP 5: What’s changed, what’s working, and how to prepare for when, not if, incidents hit critical infrastructure.

Catch this episode on YouTube, Apple, Spotify, or Amazon. You can read the show notes here.

Adopting Zero Trust has been on air for four years now, and you may have noticed that we have avoided one topic: breaches and incidents. Today we tread carefully around that subject, and we are fortunate to have an expert on hand to guide us through what is inevitably bumpy terrain. Our guest, Ian Bramson, Vice President of Global Industrial Cybersecurity at Black & Veatch, joined us for a frank conversation about asset visibility, the breakdown of IT/OT silos, and the growing call for consequence-driven cyber strategies.

“The only guarantee I can give anyone is that someone’s going to get in at some point.” — Ian Bramson

Editor’s Note

To be clear, the reason we don’t cover incidents and breaches is that hindsight and second-hand reporting add little when they amount to commentary on someone else’s bad day. That is why we have avoided the subject in general; since this episode is about defensive measures and operational continuity rather than any specific incident, it seemed safe enough.

Also, it’s that wonderful time of year again, RSAC. Neal and I will be floating around there somewhere, and likely recording an episode or two. I’ll primarily be over at the Palace hotel supporting Microsoft Threat Intelligence, and our panel is already booked solid, but you can still try to register here.

Key Takeaways: Preparing Critical Infrastructure for Cyber Incidents

  • The cybersecurity conversation has shifted from skepticism (“is this real?”) to urgency (“where do we start?”).

  • Asset visibility is foundational: Many organizations still don’t know what’s connected in their OT environments, making risk assessment and response nearly impossible.

  • Executive conversations should focus on outcomes, not tools: Speak in terms of safety, uptime, and business continuity, not patching or protocols.

  • Risk-based framing unlocks funding: Use consequence-driven models (e.g., bowtie risk diagrams, which trace a threat through the preventive controls on one side and the mitigating controls on the other to its operational consequence) to show likelihood and impact in terms the board recognizes.

  • Bang the risk register until money comes out: Translate cyber issues into operational risks that boards understand.

  • IT/OT convergence is real and accelerating: Legacy equipment is being networked, cloud-connected, and exposed in ways it wasn’t designed for.

  • Use your own data first: OT systems produce rich operational data that can reveal threats without relying solely on external feeds.

  • Don’t show up with just a problem, bring options: Propose solutions in business terms, with a plan and a clear ask.

The Question Has Changed: From ‘Why Cyber?’ to ‘What Now?’

Ian noted a dramatic shift in how critical infrastructure operators are framing cybersecurity. A decade ago, leaders dismissed the risk. Today, they’re asking where to begin.

“I’ve had them look at me and say I was making up cyber to sell them stuff. That was rough. But that’s not the case anymore.”

The first step, Ian says, is helping non-technical stakeholders understand the fundamentals: What do you need to protect? Where are the holes? Executive conversations shouldn’t start with asset inventories—they should start with business risk.


Dollars Follow Risk, Not Scans

It’s no surprise that funding is often the biggest hurdle. Ian emphasized the importance of translating technical findings into operational risk language.

“Bang the risk register until money comes out.”

The key? Frame investments around safety and uptime. Don’t come to the board with a list of CVEs. Come with a risk equation that explains the potential business impact and options to mitigate it.


Threat Intel Isn’t Just Data, It’s Direction

We dove into how threat intelligence can be operationalized, and Ian didn’t hold back.

“Data is not intelligence. You have to synthesize it, pattern it, and make it actionable.”

Teams must shift from firehose mode to focused intelligence gathering. That starts by defining requirements: What do we need to know to keep operations safe? From there, tailor the collection and make it digestible for decision-makers.


The Collapse of IT/OT Distinctions

The boundaries between IT and OT are rapidly disintegrating. From connected turbines to cloud-enabled remote access, industrial environments are more exposed than ever.

“You can have an IT attack with an OT consequence. Think Colonial Pipeline.”

To manage that complexity, Ian advocates for a consequence-driven model. Don’t organize your security response by which network a threat entered on, organize it by the operational impact it can cause.

What’s Driving Change? Pressure, Pivots, and Pragmatism

Whether it’s post-breach wake-up calls or the push to modernize industrial controls, Ian sees more organizations coming to the table earlier, especially during new construction or system overhauls.

“Segmenting a live network is painful. If you build it in, it’s cheaper and better.”

The industry is slowly shifting from bolt-on to built-in security, but legacy systems and cultural gaps still create drag.

Don’t Just Raise the Alarm, Bring a Plan

When it comes to vulnerability management in OT, urgency has to be balanced with availability: a patch that requires a reboot or a maintenance window on a live control system can cost more than the exposure it closes, so the fix, its timing, and any compensating controls have to be weighed against uptime. And above all, leaders must bring solutions to the table, not just problems.

“Don’t say, ‘Oh my God, what are we going to do?’ Say: ‘Here’s what it means in business terms. Here’s the plan. Here’s what we need.’”
