“You are buying an outcome not a solution.” Honeywell’s Jazeem Mohammed discussed the company’s outcome-based approach to advancing the OT cybersecurity of its industrial clients.

Can you measure the outcome of your cybersecurity investments?

June 11, 2024

When it comes to cybersecurity measures, return on investment has always been difficult to calculate. As with other forms of risk reduction, how much is enough? And if the feared disaster doesn’t materialize, does that mean you spent the right amount? Too much? Or too little and you just got lucky?

In the case of ensuring the cybersecurity of industrial OT environments, Honeywell Process Solutions has developed a better way based on its more than three decades of experience helping to secure the assets of some 10,000 customers, according to Jazeem Mohammed, global industrial cybersecurity director for the leader in industrial automation systems for critical infrastructure.

The traditional method of cybersecurity investment starts with a transactional, customer-defined initiative that may or may not accomplish an organization’s true goals. “It’s an outdated execution model after which the value of the service provided is not visible, and the customer retains full responsibility for risk management,” Mohammed explained in a presentation at this week’s Honeywell Users Group (HUG) meeting in Madrid.

In contrast, outcome-based services are strategic agreements that both parties agree to. Cybersecurity is treated as an ongoing pursuit; the client pays for intelligent results; and the two parties partner to develop shared roadmaps for the future. “You are buying an outcome not a solution,” he said. And by an outcome, he meant that technologists in the OT realm have had sufficient time to develop standards and regulations that describe the qualities of cybersecure systems.

“And compliance with the standards relevant to your organization is a key outcome that we can help you achieve,” he said. Beyond compliance with industry standards, quantifiable outcomes that can also be addressed include risk reduction, operational safety, workforce development, resilience and business continuity.

The program is modelled on one that the company developed a dozen years ago to work with industrial clients to deliver specific outcomes for users of its Experion PKS control systems. A key difference is that in the case of OT cybersecurity, nearly every plant and every company is already on a journey and may have an array of non-Honeywell systems in place. “It’s not about changing your platform, but how can we help you continue the journey you’re already on,” Mohammed said.

Honeywell’s methodology begins with gaining a better understanding of where a client currently stands on a cybersecurity maturity index, then mapping a journey forward to an agreed-upon state, often compliance with relevant industry standards. A range of quantitative key performance and key risk indicators (KPIs and KRIs) create a “posture score,” documenting progress along the way.

“The program will give clear visibility on the investment required to improve cyber outcomes in a timely manner,” Mohammed said. “We look at the outcome; we focus on where you are now, and a vision of where you want to go.”

About the Author

Keith Larson | Group Publisher

Keith Larson is group publisher responsible for Endeavor Business Media's Industrial Processing group, including Automation World, Chemical Processing, Control, Control Design, Food Processing, Pharma Manufacturing, Plastics Machinery & Manufacturing, Processing and The Journal.
