A strategic account manager’s guide to cybersecurity

What does cybersecurity have to do with you? If you’re selling digital solutions, the answer is: Everything. Steve Mustard, President and CEO of National Automation and President of the International Society of Automation, explains why SAMs should care.

Listen to this episode of The SAMA Podcast here.


Harvey Dunham: So it’s my pleasure today to be speaking with an expert from the International Society for Automation, Steve Mustard, who’s an expert in cybersecurity. Steve, welcome. It’s great to be speaking with you and I look forward to the conversation we’re about to have.


Steve Mustard: Thank you, Harvey. I’m very happy to be here. I’m very happy to discuss cybersecurity with your members.


Harvey Dunham: And Steve, while we’re here in the early parts of this should you just give a brief introduction about yourself so they know a little bit about your background and how you earned your stripes in the cybersecurity world?


Steve Mustard: Sure. I’ve worked in industrial automation and real-time embedded systems for 30 years, space defense and then energy and utility companies. And, in the last 12, 15 years, cybersecurity has become a big issue in industrial control systems. And as a result of my background, I’ve got heavily involved in that side of life, and I’ve spent a lot of my time these days consulting with asset owners about how to improve their cybersecurity posture in their mission-critical facilities.


Harvey Dunham: Right. And as I understand it, this actually goes outside of just industrial plants too, doesn’t it? I mean, it can spread into more the, if you will, commercial sectors, as well, can’t it?


Steve Mustard: Absolutely. Yeah. Cybersecurity affects everyone in every sector of business today. And I do tell customers that I work with that it is only a question of when they will be subjected to a cybersecurity incident, not if they will be. And the level of preparedness of the organization is the thing that makes the difference between how serious that incident is for them.


Harvey Dunham: Well, and that gives me great context to just, for our audience, the SAMA audience specifically, give them a little bit of why this is such an important topic for strategic account management. Because, you know, the trend we’re seeing across industries, it doesn’t matter if you’re in logistics or healthcare or industrial, is a move towards digitizing an existing product or wrapping some kind of a digital envelope around an existing product. I dare say almost everything that SAMs are selling has a digital element and, you know, because of that, anything that you’re selling that goes into a customer’s place of business can be introducing significant risk to a customer’s place of business.


And I really felt that it was important for the SAMs to be aware of what cybersecurity is, aware of what those risks are and what they need to do to protect their customers and their own company to the, to the extent that they can. Because they’re the catalyst when a new installation or a reconfiguration or whatever’s happening in a customer site. And the more they can do to anticipate and prepare the customer for this and their own company, the more successful the installation’s going to be in the long run.


Steve Mustard: No, absolutely. What you just said is really important, and it’s an area in the cybersecurity world where suppliers [and] customers don’t necessarily have a very good appreciation of still today, which is that there is a supply chain involved in any organization that involves multiple vendors, multiple suppliers, different products, different solutions and the customer somewhere in there. And there’s an assumption that someone else is taking care of cybersecurity somewhere. And yet, as you said, pretty much everything in the operation these days is digitized in some way.


And there’s a heavy reliance on that digitization. And if that fails, then the operation fails. The business fails. They’re unable to produce what they’re making. They’re unable to deliver what they need to deliver. They’re unable to fulfill customer requirements. And so this is a serious impact on any organization, and SAMs would have a big part to play in that, both in terms of making sure that they understand cybersecurity risks but also help their customers understand cybersecurity risks as well.


Harvey Dunham: And, you know, maybe for those people that are like me, can you kind of give us a better idea of what success cybersecurity is and the kind of impact it can have on a company?


Steve Mustard: Cybersecurity is really all about an attacker — and we’ll talk about those in a moment — exploiting some vulnerability in an organization. And vulnerability is a term that can be interpreted in different ways. But in this context, we’re talking about a flaw, usually in software or hardware. Think about it like a hole in a boat. If you’ve got a hole, there’s going to be water coming in the boat, and you’re going to eventually sink if you don’t do something about it, which is plugging the hole. The difference with vulnerabilities in software is that they’re not usually visible, like a hole would be.


So the problem we have in cybersecurity is that Microsoft, for example, provides Windows operating systems. And there are flaws in there. People make mistakes when they’re programming it, and then people discover those mistakes and they exploit them even before Microsoft is aware that that is a problem. And then that is when you get attacked, potentially, because someone is using that “exploit,” as we call it, this piece of code that they can get through that vulnerability to steal your personal information. Or they get access to your computer so they can do other things on the computer.


And the biggest problem we have really is that we all in the industry recognize that these vulnerabilities exist. But even when they are fixed by the vendors, the computers that have those vulnerabilities have to be updated in order to make sure they don’t have those holes anymore. And that is one of the biggest problems. You probably know this yourself from home. Every time you get one of those messages saying you’ve got an update to apply, on your phone or your iPad or whatever it might be. You’re constantly seeing these messages saying you’ve got to update it, which is tedious and you don’t really want to do it. It takes 15 minutes, maybe, to update your phone. And so you tend to put it off and, by putting it off, you’re leaving yourself exposed to these vulnerabilities that people can exploit.


But it’s not just flaws in software and hardware. It can also be just processes and procedures. And this is especially important where you’ve got a relationship, a strategic relationship, with a customer where, you know, that they might have a procedure about paying bills, that involves logging into the customer’s system. Or they might have a procedure for providing information. And if those procedures aren’t followed properly, you can also have some exploitation of that flaw as well.


So a good example would be, you take a USB drive and you want to plug it into a computer at the customer’s location so you can provide them with some information or print something out, and you haven’t scanned it for malware. And then malware gets from the USB drive to the customer’s computer. And then once it’s on the customer’s computer, you might not have even known it got in there, and then it potentially gets all around their network and then causes major problems for them.

Harvey Dunham: Sounds like the coronavirus in a way.


Steve Mustard: Yeah, pretty much. That’s a good, it’s a good summary. Yeah.


Harvey Dunham: Maybe it’d be great if you could give an example of the kind of damage this can do. As I say, I know it happens in industrial arenas, but maybe two or three examples… a hospital, for example?


Steve Mustard: Right. So most people, I think, have heard of some high-profile ransomware incidents that have been reported in the news where someone gets what’s called ransomware on their computers, and that makes it impossible for them to get access to their customer information for instance, or they can’t run their business. And they’re very often forced to pay the ransom. There can be tens of millions of dollars in ransoms potentially to get people’s data back.


But I want to talk about a specific case where this happened and, in this case, no one actually was targeted with this particular ransomware. It’s called WannaCry, and it came up in May 2017. It’s believed to have come from North Korea, and it’s believed to have been part of North Korea’s attempt literally just to make some money for themselves. They were only charging $300 per computer to release the ransomware lock on the computer. So it doesn’t sound like very much money, but this one actually ultimately infected 230,000+ computers around the world.


One of the biggest impacts was actually the UK’s National Health Service. So about one third of computers in the UK’s NHS were impacted by this. As a result, thousands of appointments were canceled, ambulances had to be rerouted and all kinds of other problems with the NHS’s operation just because of this ransomware. And as I said, bear in mind that the NHS wasn’t targeted by anyone here. They were just unfortunate enough to have lots of computers which had a version of Microsoft’s operating system which had a vulnerability and it hadn’t been fixed–even though, in this particular case, Microsoft had fixed the vulnerability several months before. But the National Health Service, like many other users, hadn’t bothered to update their computers.


This particular ransomware also impacted the Maersk shipping company. They ended up spending something in the region of $300 million to recover from that incident, and they had several days where their operations were impacted by this ransomware.


The other thing that is very common in cybersecurity, which most people are familiar with, is data breaches. So we’re familiar with the case of, say, your own personal information–Personally Identifiable Information as it’s called, or PII. That can be things like credit card information, social security number and such like. People steal that and they sell it on the dark web for something like $1 or $2 per record. Sounds not very much, but again, you’re talking about potentially millions of records that you can steal. In the Target case–Target, the supermarket, that was hacked in 2013–they had 70 million records stolen, and so, you know, that’s not a bad haul for someone. But Personal Health Information, or PHI, that can sell for 200X or 300X the amount that a Personally Identifiable Information record can be sold for.


So, the U.S. has regulations on protection of health information, HIPAA, and similar regulations exist around the world. And in the U.S., if you have a breach that involves more than 500 records, you have to report that to the Department of Health and Human Services. So there are a lot of records about these breaches, and something on the order of 15 million health records have been stolen to date in the U.S. alone. And that’s based on the reports that we’ve got. Now, a lot of cybersecurity incidents don’t get as well reported. So that’s probably an underestimate in terms of how many records have been stolen, and bear in mind that’s people’s Personal Health Information that is now being sold on the black market for $300 or $400 a record.


Harvey Dunham: Wow. That’s amazing. That’s just–it’s frightening in a lot of ways. I mean, it’s a significant amount of money involved here, a significant amount of risk. And once again, this is industry specific, right? I mean, if you’re in the B2B world, I suppose it’s even in the B2C world. It’s pervasive. Nobody’s immune.


Steve Mustard: Nobody is immune, that’s right. And I think the worst thing we can have is where customers or vendors or suppliers or consultants think they’re invulnerable. They think they’re not a target. They think they’re not at risk. You know, maybe they think, “Well, I’m a small player. No one’s going to bother to target me.”

But the examples like I gave with WannaCry, you don’t have to be an actual target. You just have to be part of the collateral damage in a widespread malware attack where people are just looking to make as much money as possible, as quickly as possible.


Harvey Dunham: So, you know, when I think about our clients… I mean, typically a strategic account is one of your larger customers. For any given business, you know, your strategic accounts are those accounts that are strategic to you and, at the highest level, you are also strategic to them. So very often you’ve got more access to those customers and they trust you and, you know, you’ve built that up over time.


You know, for your customers, I mean, what are the IT and the C-level people, what are they concerned about? How do they look at these risks? And how high are cybersecurity risks on IT and the CIO and the CEO’s agenda? Are they aware of it? Do they care about it? I mean, does this keep them up at night? How would you characterize that?

Steve Mustard: I would say that today, most organizations would be aware and concerned about a cybersecurity incident in their organization. So I think that the CEO, the ??? or CSO, depending on what type of organization it is, they will be thinking about this problem all the time and constantly worried about what the next attack is going to be and are they prepared for that. The problem, I think, with most of the organizations is that there’s often a gap between the C-level, where it’s understood that this is a risk, and then further down in the organization, where people are maybe less well-informed about the risks, may not have had adequate awareness, training and preparation for dealing with those incidents.


So if you think about the examples I gave with the ransomware, the recommendation from the Department of Homeland Security and FBI is that if you have ransomware on your computer, you should not pay the ransom. It encourages further attempts at ransomware attacks on you and others. And in fact, in many cases, there’s no guarantee that even if you pay the ransom, you get the data back. And so the only option you’ve got then is to be better prepared for an incident. As I said at the outset here, it is only a matter of time when an organization gets hit. It’s not if they get hit, it’s when, and it’s how well prepared they are as to how serious it is for them.


So a good organization would have a response plan in place that they will say, “If we get an incident, this is what we’re going to do to deal with it. This is who we’re going to call. This is how we’re going to handle it.” And included in that would be making sure that you have your backups in place and you’ve tested them and you’re ready to deploy them if you need to.


This is again where the strategic account management comes in as well because, as you said, the strategic account is by very definition core to the operation of the customer. It’s an integral part, often they’re working side by side in the same buildings, in the same networks and they’re collaborating on stuff all the time. And when an organization does have an incident, the strategic account management has to come into play as well. They have to be part of the response. It’s not just for the customer to respond, but all the time I see that organizations who aren’t well prepared panic, they have no response plan in place.


They don’t have that established communication channel with the vendors and the suppliers and the strategic account managers, and they have a knee-jerk reaction. And then that often includes “We’ve got to pay the ransom as quickly as possible and get our data back.”

The most recent example was Garmin, who provides sports watches and computered [????] cycling and running. They got hit, and they were clearly totally unprepared. They ended up paying the ransom because all of their customers were complaining that they could not download the activities that they’d recorded on their computers. And that’s basically the fundamental purpose of that Garmin website, to allow customers to do that. And so there, because they had no plan in place, they were forced to pay the ransom and they should not have paid the ransom. They should’ve had a plan in place to recover back to a certain point in time and resume operations as quickly as possible.


Harvey Dunham: So how should a SAM show up at their customer with regard to this issue? I mean, what would be the ideal way for a SAM to walk in the door with a new solution that’s got a digital element, which is probably almost anything you’re going to do these days, that will have some kind of a digital impact on the infrastructure, your customer’s infrastructure. What do you think a customer would really value from the SAM, if they showed up this way?


Steve Mustard: So I think, a good SAM would turn up to a customer offering their solution and they would be able to tell the customer, “We have made this secure by design. We understand security risks. We understand the challenge you will have. We know that your business is critical, and we know that whatever you buy is going to form a critical part of that critical business. And therefore, it cannot be compromised by anyone. We have taken that into account in our design, and we’ve done all of these things and we verified it with independent test houses and we know it’s as secure as it can be by design.”

Then I would say, “We also know that defense in depth is an essential part of protecting an organization against a security incident. So just because our solution is secure by design does not mean that your overall operation is going to be secure. You’re going to have to do some things in collaboration with us in order to ensure continued security. And here is our guidance, and here’s our support, and here’s how we will help you make that defense in depth work in your organization.”


I think that it’s changed a bit in the recent years, but for many years I would talk to– I would be on a customer site, and I would be looking at something which clearly was insecure. And I would ask the supplier of that insecure solution. And they would say, “It’s not our problem to make this secure. It’s the customer’s job to do that.” And that’s simply not acceptable these days. A good strategic account management organization would say, “We understand security, and we know we have an important part to play in it, and we are going to play that part. And we’re going to work very closely to make sure that you have an incident response plan in place that involves us, that allows us to react immediately to get you back up and running as quickly as possible.”


Harvey Dunham: Wow. So what I’m hearing from this is that for the SAMs out there, you should really be asking your own company before you approach the customer, “Are we secure by design, and do we have… what was that? The term that you used again, please?


Steve Mustard: Defense in depth. Yeah. So it’s a military term, actually, and it originates way back when, in the days of forts and castles. Especially in Europe, you would have your moat and your drawbridge and your spiked fence, and you’d have your archers, and you would have a tower on a hill, and you’d have another gate inside. And you’d have all these different layers of defense in place so that even if someone could breach the moat, they still have to get through the gate, and they still have to get through their archers. And then even when it gets through the first gate, they’ve got to get through the next gate, and so on and so on and so on. So all the way you’re deterring someone from reaching the ultimate goal.


And with attackers in cybersecurity, it’s exactly the same. An attacker, if it proves too difficult to breach one organization, they’ll eventually give up and move to someone else who’s less well prepared. So defense in depth, it’s a bit like that story of being chased by the bear. You don’t have to be the fastest runner. You just don’t have to be as slow as the slowest runner because the bear will get them instead.


Right. So in cybersecurity, that’s very much the case, and the organizations that actively manage cybersecurity, including with their suppliers, their vendors. If they’re all part of that supply chain, they all need to be part of that defense in depth. And the Target example that I mentioned earlier from 2013 is the best example of what happens when it fails.


So in 2013, Target was attacked. They weren’t attacked directly; their HVAC vendor was attacked. So someone in that organization received a phishing email. They clicked on the link that gave the attackers access to their computer. And because the HVAC vendor was a strategic supplier to Target, they had direct access to Target’s financial systems so they could generate their invoices. So once the attackers were on their vendor’s computer, they were able to get into Target’s computer. And once you’re in Target’s computer, they could get to the point-of-sale system and steal 70 million credit card records. So that is the problem. If Target is saying, “We’re worried about cybersecurity,” that’s great. And they do a really good job of making themselves secure. But if their vendors don’t make themselves secure, they’re the weakest link. And they’re what the attacker is going to target.


Harvey Dunham: Just to be clear here, I can see for a new installation this is an issue. But if you have legacy systems and in your customer, is that a vulnerability as well?


Steve Mustard: It is. Yeah. In fact, it’s hard to say which is worse, but I probably err on the side of the older the equipment and the installation is, the more vulnerable it is. The more exposed the organization will be to attack. Just think about, for instance, the age of the Microsoft operating system that’s running on the computers. If you go into, say, many fast food restaurants, for instance, if you ever see their point-of-sale computer being rebooted, you can often see which version of Windows they run on. I was in a fast food restaurant not too long ago in Australia, and one of them was down and it was restarting, and it was Microsoft Windows XP, which has not been actively supported by Microsoft for many years. But they were still running it on their point-of-sale system.


So the challenge is it’s very costly, expensive, and time consuming to upgrade systems like point of sale because it’s mission critical and you can’t afford to take it down for too long, so you tend to defer that upgrade as long as possible. But the longer you defer it, the more known vulnerabilities there are in that system, and the more opportunities there are for attackers to exploit those vulnerabilities.


And the other problem with old systems and old facilities is that people forget what’s actually there. So it was installed many years ago. They have very poor documentation. They don’t have very good drawings. They don’t really know exactly what’s out there. The person who used to maintain it retired a few years ago, and the new people only know what they’ve been told. And then, not so much these days, but not too long ago, I would go to facilities and I’d go around the back of the cabinet, and I’d find an old dial-up modem still plugged into a telephone line. And then you’d ask someone and they would say, “Oh yeah, I forgot about that. But yeah, the supplier, they use that to dial in every now and again to check something.” But it’s permanently connected, and it shouldn’t be permanently connected because that’s a way in for someone else.


So old systems: very problematic, hard to manage and, you know, understandably difficult to upgrade to the latest standard. But even in new facilities, the time it takes to deploy a new manufacturing facility or new hospital or logistics center, if you imagine how long it takes to build and fit out one of those, it can take years. The project I’m working on at the moment is building a new oil and gas platform, and that project has been running for more than 10 years now. And for the last four years it’s been in the actual construction phase, but a lot of decisions that have been made for that project were made more than five years ago. Products were purchased which are coming towards the end of their life now, and they have to be upgraded already before we have even finished the project. And that is not unusual in this type of environment where you’ve got huge networks of equipment to manage mission-critical operation for someone.


Harvey Dunham: Wow. It’s mind-boggling to think about — which brings to mind someone I hadn’t thought about until just now, but your customer’s legal department. I’m still thinking about a legacy system — or a new system — but, you know, I suppose the customer has– you as the supplier have some legal risk if there’s a breach, if you introduce a breach into your customer. Do you have any sense of that? I know legal isn’t necessarily your area, but any stories or any experience that you’ve seen from a legal perspective about the risk that a supplier has?


Steve Mustard: Well, yeah, I’m certainly not a legal expert, but I do see it is a big minefield, and it’s a big gray area because it’s not at the moment maybe as well defined as the world of safety, for instance, product safety, where it’s quite clear whose liability it is for some failure. So today, for instance, if you see that there’s a breach and someone has ransomware, say, and they have to pay the ransom, I don’t currently see a lot of suppliers being involved in having to pay any kind of restitution for that. But what I do see is that they have a, I guess it’s more like a moral obligation. If they want to maintain that customer relationship, then they’re going to have to step up and provide the resources to help the customer clean up afterwards. And that’s very expensive for them. So even if they’re not going to be fined or there’s not going to be a lawsuit for them to recover money, they’re going to spend a lot of money recovering.


So not too long ago, there was Saudi Aramco, the biggest company in the world. They’ve been attacked multiple times. Probably geopolitical players who are attacking them, trying to destabilize Saudi Arabia. But more recently, attackers have pivoted to vendors. So 2018, towards the end of 2018, a couple of key vendors for Saudi Aramco were attacked directly on purpose to try and do similar to what happened with Target: get into Saudi Aramco and disrupt the operations via a strategic vendor. Now, as a result, those vendors spent millions and millions of dollars having to recover from that situation and also to help Saudi Aramco clean up armed. Not only that, but also all the other oil and gas customers that they had accounts with that were using the same infrastructure they were providing to Saudi Aramco.


So it’s a huge challenge for any supplier/vendor to operate in this day and age because, the risks, as I said before, it’s through the entire supply chain and of course there’s no easy way to extricate yourself from that and say, “Well, you know, we’ve done our bit. And so it’s all down to you.” It isn’t. Everybody’s always got some responsibility for maintaining cybersecurity.


Harvey Dunham: Well, the message is clear. I get it. Even if they can’t sue you, if they know it was you that introduced the vulnerability and you don’t help your customer, they’re not going to be a customer for very long. That’s pretty clear to me.


Steve Mustard: Yeah. That’s right.


Harvey Dunham: You’ve opened up a world to us, Steve, that I’m almost lost for words, for what I’ve learned during our conversation here, and I hope it’s as valuable for our members. Maybe one other thing: if somebody is really interested in this topic, is there a place that’s publicly accessible, that they can get more education on this topic and really figure out how to be proactive and, you know, care for their customers really better by being smarter about this issue and being proactive and introducing it with their customers?


Steve Mustard: Yes. ISA has a link on their website, which brings together a whole host of cybersecurity resources that are available for members and nonmembers to read. They also have an alliance called the ISA GCA or Global Cybersecurity Alliance. And that brings together end users, vendors and consultants to help organizations understand this problem and understand how they’re going to deal with the challenges. And they publish a number of white papers and recommendations and guidance that’s available in that link. So if I provide that link to your members, I would definitely recommend they go and check that out because that will be a good introduction to some, and for those who already are up to speed, they can learn some more about other things they can be doing.


Harvey Dunham: I suppose, in this field that it’s evolving and changing every day. It seems to be. I mean, as quickly as you plug one hole, the hackers, for lack of a better word, figure out a different way around it.


Steve Mustard: That’s right. It’s a constantly changing field, but there are some unchangeable things like the things we’ve talked about, understanding the risk and understanding defense in depth. But the threat is always changing. The people are changing. And the attacks are changing. And every time we plug a hole, they find a new one. So this is never going to go away. It’s always going to be a problem. And once organizations recognize it and they begin to deal with it, then they’re in a much better place and much less likely to be severely impacted.


Harvey Dunham: Well, you know, we talk a lot in the strategic account management world about how to be relevant and indispensable to our customers. And to me, I see a very, very clear path for SAMs because it sounds like it’s more the exception rather than the rule, the suppliers that are sensitive to the cybersecurity issue and being proactive about it. So I think you SAMs out there can really differentiate yourself by walking in with a secure-by-design approach and, you know, really tackling it head on with your customer.


Because we talk a lot about customers. They have a need for an automation system or a control system or an enterprise-wide software solution, whatever it may be. But the unconsidered need is, how are you going to ensure my cybersecurity when I put this in place? And if you as the SAM proactively address that, they’re going to look at you differently and better. You’ll stand out in the crowd.


Which is why I really felt it was important to get this threat exposed, and you’ve just done a marvelous job, Steve, of opening our eyes to this. So thank you very much. I wish you good luck on your project that you’re on and thank you so much for the collaboration with ISA and SAMA. We really appreciate it.


Steve Mustard: Well, thank you for your time and thank you for giving me the opportunity to raise the awareness. I think it’s a really important message to get out there and you summed it up perfectly about being proactive.


That’s what this is about, and I hope this helps your members.
