Yesterday afternoon, I facilitated a discussion session at AutomationXchange for end users only-- no vendors allowed-- and we talked for a whole hour about issues that the end users attending the conference indicated in a pre conference survey they considered their "hot button" issues.
There were several, but the one that got the most heat and light was security. One of the end users said, "I'm startled. I don't make energy, I don't make oil, I never thought we'd be talking about this but now that I see, I'm going to have to figure out how to sell a functional security program to management."
I'm grateful to one of the end users present, for helping me out of his vast store of security knowledge: Evan Hand of ConAgra, who was the first co-chair of the ISA99 security standard committee.
We talked about the need for layers of protection, and how the functional safety model can be used to guide people through their risk assessment strategies.
I reminded people of the old Yiddish proverb: "A fish stinks from the head down." In order to fully implement functional security you have to have not only management buy in but management evangelization.
AutomationXchange is about the only place you can get 10 or a dozen senior control system managers to sit down for an hour and have this kind of discussion.