Earlier this week I attended the CS4CA Europe event in London. The event was an intensive two-day conference that brought together many of Europe’s most insightful voices on industrial cybersecurity. It was an enlightening experience with sessions covering everything from balancing a human-centric cybersecurity strategy to understanding how IT/OT integration can deliver a measurable return on investment. The event, chaired by Wayne Harrop, GRC and Resilience Manager at National Grid Ventures, did a great job of highlighting the challenges and opportunities that lie ahead for industrial cybersecurity. Here are my key takeaways from this industry gathering:
CS4CA Europe – The human element in industrial cybersecurity
The CS4CA Europe event began with a panel discussion that set the tone for the human side of cybersecurity in industrial environments, a central theme throughout the conference. The panel emphasized that at the core of any cybersecurity strategy is the need to understand people: operators, decision makers, and, in some cases, vulnerabilities within the system.
Wayne Harrop and other panelists discussed the challenge of striking the right balance between technology-driven and human-centered security measures. As the integration of AI and advanced digital tools becomes more prevalent, it’s easy to see why many organizations are looking to rely heavily on technology solutions. However, the salient point is that ignoring the human dimension, i.e. underestimating factors such as cultural influences, individual behavior, and even generational differences, can lead to ineffective cybersecurity outcomes.
Human-centered security: An industry expert’s perspective
Renowned cybersecurity executive Trish McGill made an insightful point regarding the evolution to Industry 5.0, where robots and human workers collaborate like never before. This era presents both opportunities and unique challenges for cybersecurity. The convergence of machine capabilities and human intelligence presents increasingly complex scenarios that cybersecurity professionals must understand and address.
Gregory Blezard, head of BISO at Scottish Power Renewables, challenged the conventional wisdom that the ‘human factor’ is the weakest link in cybersecurity. He argued that humans are also the “sensors” of an organization’s cyber resilience, keen observers who can notice anomalies and prevent potential threats from escalating. This was a strong reminder of the importance of fostering a cybersecurity culture where every individual, from the boardroom to the factory floor, sees themselves as an integral part of the organization’s defense strategy.
Blezard emphasized the need for organizations to shift their focus from purely technical controls and compliance-driven processes to building a culture where people are seen as key stakeholders in cybersecurity. This insight highlights how important it is for companies to invest in the training and development of their employees.
Building a human-centric firewall
Marta Majtenyi, Director of Cybersecurity Services, further expanded on the concept of human-centered security and emphasized the importance of understanding the different needs of different roles within an organization. She noted that employees’ level of engagement with cybersecurity varies depending on their role, technology familiarity, and concerns. While senior management may be concerned about reputational risk and financial impact, factory workers may be more concerned about safety and operational stability.
The consensus among speakers was that building an effective “human firewall” requires more than just awareness training; it requires a cultural change across the organization. This means mobilizing not only direct employees, but also suppliers, contractors, and other third parties with access to the organization’s systems. Speakers emphasized the need for expanded training programs to include these external partners and to make such training mandatory to ensure that an organization’s cybersecurity standards are followed by all involved.
Building an OT Cybersecurity Program: Insights from Medmix
Claudio Sangaletti, OT Security Lead at Medmix, delivered one of the most hands-on sessions, sharing his experience building an operational technology (OT) cybersecurity program from scratch. His story began dramatically with a late-night phone call about a ransomware attack that led him to dive deeper into the world of OT security. This story highlighted the point that OT cybersecurity is not an easy field to get into. This is a discipline that requires urgency and a willingness to participate at all levels of the organization.
Sangaletti emphasized the importance of understanding relationships and the core business before getting into the technicalities. His initial focus was not on technology, but on understanding business processes, getting to know the people behind those processes, and building trust. His emphasis on relationships as the foundation of cybersecurity efforts was reflected throughout his presentation. In his view, cybersecurity is as much about people as technology; it is a “people business.”
Human-centered security as a business enabler
One of the standout messages from Mr. Sangaletti was his perspective on the role of cybersecurity in business. He sees cybersecurity not as a necessary compliance burden, but as a business enabler. He urged cybersecurity leaders to avoid jargon that can alienate key decision makers and communicate in a way that resonates with various stakeholders. He argued that executives need to understand how investments in cybersecurity contribute to improved operational reliability, business continuity, and even productivity.
Sangaletti used an apt analogy to explain the process of building an OT security program, comparing it to building with Lego blocks. He explained that it’s about starting with the foundational elements and building upward in a scalable way. Cybersecurity programs need to grow with the company, adapting to changing needs without losing sight of the core purpose of helping people work more safely and efficiently.
Cybersecurity ROI: A complex issue
Another important discussion at the CS4CA Europe conference revolved around the concept of ROI in industrial cybersecurity. This is another hot topic close to our ongoing research efforts at Takepoint Research. Adam Paturej, Director of Cybersecurity at the International Center for Chemical Safety and Security, presented a compelling session on turning your IT/OT cyber strategy into measurable benefits for your company.
Paturej highlighted the challenge of convincing stakeholders to invest in cybersecurity. Unlike safety investments, which are often related to compliance and have direct, quantitative benefits, investments in cybersecurity can seem more abstract. Many companies justify these investments by pointing to media coverage of cyber incidents and the costs of non-compliance. However, Paturej emphasized the need for organizations to go beyond post hoc justifications. Instead, he encouraged companies to align their cybersecurity strategies with their core business objectives and demonstrated how these strategies protect critical assets and add value to the business.
Paturej introduced the idea of using results-based risk analysis for cybersecurity planning, similar to safety protocols. In safety management, professionals not only identify risks, but also consider the potential consequences of those risks. Applying this to cybersecurity allows organizations to better prioritize their efforts and focus on mitigating the risks that have the most significant impact, such as operational downtime or regulatory violations.
Aligning IT and OT cybersecurity: different sectors, different needs
Paturej also addressed the complexities involved in aligning IT and OT cybersecurity strategies, noting that there are significant differences across industry sectors. Unlike IT environments, which have benefited from years of standardization, OT environments are often highly diverse and operate under unique constraints, making standardization much more difficult. The Purdue model, which is often used as a framework for IT/OT integration, has limitations, especially when trying to address the nuances found in OT environments.
One of the main challenges is ensuring that different parties, sometimes with very different priorities, have the access they need without compromising security. For example, in sectors such as renewable energy, operational staff need real-time data access to ensure efficiency, while cybersecurity teams need to ensure data is protected from unauthorized access.
Cybersecurity as part of your overall business strategy
The overarching theme of Mr. Paturej’s presentation was that cybersecurity should not be treated in isolation. It needs to be integrated into the organization’s overall safety and business strategy. Effective cybersecurity is more than just defending against attacks. It’s about ensuring businesses operate reliably, resiliently and with stakeholder trust.
By aligning cybersecurity efforts with broader business objectives and focusing on results-based risk analysis, organizations can not only protect themselves from threats, but also drive efficiency and innovation. This approach is especially essential in industrial environments where downtime and interruptions can have severe financial and operational implications.
Add value with more actionable insights
While the sessions across CS4CA Europe were definitely insightful, I would have liked to have seen a few more practical topics, perhaps a dedicated technical track that offered deeper practical knowledge. Many of our clients are looking for steps they can take to resolve these complex issues. They want practical instructions, tips and tricks they can use when they return to their organizations. Dedicated tracks focusing on technical solutions, specific case studies, or even practical workshops would have added tremendous value to a decent agenda.
However, it is also worth noting that the informative discussions during the sessions and the many valuable interactions during the breaks made the entire event a rewarding experience. The opportunity to speak directly with thought leaders and share perspectives with your OT cyber peers is a reason to attend in person.
Future direction of industrial cybersecurity
The CS4CA Europe event highlighted the evolving dynamics of industrial cybersecurity, especially the importance of considering both human and technical factors. Whether discussing the integration of IT and OT systems or the role of humans as both potential vulnerabilities and critical assets, experts agree that a balanced approach is essential.
For me, the key takeaway from CS4CA Europe was the need to build cybersecurity programs that prioritize human involvement, scalability, and alignment with business objectives. Industrial cybersecurity isn’t just about implementing advanced technology or meeting compliance requirements. It’s about making sure everyone in your organization understands their role in securing your operations. By focusing on building relationships, empowering people, and effectively communicating the value of cybersecurity, organizations can create resilient and adaptable security frameworks that will serve them well into the future.
Jonathon Gordon
With more than 30 years of experience in cybersecurity, information systems, and communications, Jonathon provides focused research and actionable insights for industrial companies and those responsible for protecting them from cyber threats. Since joining TPR in 2018, he has authored numerous reports and playbooks on a variety of industrial cybersecurity topics, including secure remote access, network visibility, asset inventory, perimeter security, and ransomware attack recovery. Jonathon is also known as the author of the annual Buyer’s Guide to Industrial Cybersecurity. Prior to joining TP Research, he held various technical, managerial, and senior management positions at prominent technology companies.