Is cybersecurity a disaster science?

by Black Hat Middle East and Africa

At time of writing, #BHMEA23 speaker Megan Samford (VP and Chief Product Security Officer for Energy Management at Schneider Electric) is the only female CPSO for a major industrial firm. She leads product security strategy with a focus on industrial control systems security and critical infrastructure protection. And she brings a unique perspective to her role and to the wider security community.

We asked Samford how her approach to cybersecurity has changed over the course of her career so far – and how a background in emergency management influences her work.

How did you get into cybersecurity?

“I was recruited into cybersecurity based on my experience in critical infrastructure protection and emergency management. I had worked for the Governor’s Office of Virginia and had connected with some folks at General Electric that ultimately recruited me to lead their fairly new Product Security Incident Response Team (PSIRT).

“I fought applying for the role for about six months because I didn’t believe I was qualified, but I finally broke down and applied when the hiring manager said – ‘Look, you’ve got the right attitude and you know incident response foundations, we can teach you cyber,’ and that’s exactly what happened.

“It changed my career trajectory entirely because I had every intention of remaining in government, and I probably would have stayed in government because I love policy that much, but at the end of the day it was one of the best decisions I’ve made in my life and I still get to do both policy work and work for the private sector.”

Could you tell us how ICS4ICS came about, and what it aims to achieve?

“Going back to when I worked in government and gained experience in emergency management, I also gained experience in a system used across all federal, state and local governments, and really most first responders in the world: the Incident Command System. Incident Command System for Industrial Control Systems (ICS4ICS) is designed to improve global Industrial Control System cybersecurity incident management capabilities by leveraging the Incident Command System for response structure, roles, and interoperability. The Incident Command System is used by first responders globally every day when responding to motor vehicle accidents, small and large fires, hurricanes, floods, earthquakes, industrial accidents, and other high-impact situations. It has been tested for more than 30 years of emergency and non-emergency applications, throughout all levels of government and within the private sector.

“The incident command system (ICS) improves emergency response efforts in several ways:

1. Standardisation: ICS provides a standardised, structured approach to emergency response that enables emergency responders to work together seamlessly, regardless of their agency or organisation. This allows for effective communication, coordination, and collaboration between different emergency responders.

2. Coordination: ICS facilitates coordination and collaboration between multiple agencies and organisations by establishing clear roles, responsibilities, and communication protocols. This allows emergency responders to effectively work together to manage the incident.

3. Flexibility: ICS is a flexible system that can be adapted to respond to different types of incidents, from natural disasters to hazardous materials incidents, to CYBER. This ensures that emergency responders are able to effectively respond to any situation.

4. Clear Command Structure: ICS establishes a clear command structure, with a single Incident Commander who is responsible for managing the response effort. This ensures that decisions are made quickly and effectively, and that resources are deployed where they are needed most.

5. Effective Resource Management: ICS facilitates effective resource management by providing a framework for identifying and prioritising resource needs, and for deploying resources in the most effective manner. This helps to ensure that emergency responders have the resources they need to respond to the incident.

“Overall, the incident command system enables emergency responders to effectively and efficiently manage emergency response efforts, improving the safety of the public and responding personnel alike.”

How has your perspective on cybersecurity changed over the course of your career so far?

“When I first started working mainly in cyber I tried to convince myself that it was very different from the emergency management world I came from. Over time I’ve found that really both are just disaster sciences, although cyber doesn’t yet know it is! The foundations of what it means to protect something are the same, they’re just expressed through different threat models and control points.”

On a personal level, how do you manage the pressure of leading cybersecurity for an organisation in a critical industry?

“You have to be willing to be unabashedly vulnerable and wrong from time to time – it’s how you learn and it’s how you don’t become so fragile you break. Also, like many, I value a good cup of coffee in the morning and a healthy dose of humour.

“On a serious note, I have a great group of peers in industry that support me and I try to support them. To have friends, you have to be a good friend, and I think the ICS Cybersecurity community is very much like that; if you put in and give to this community, it will give back to you.”

Why are events like Black Hat MEA valuable to you?

“For the same reasons I outlined above about the ICS Cybersecurity community. It’s so valuable to stay on top of the hot topics in industry, and it’s equally important to make connections with other professionals in industry that you can learn from and can call on for support.

“Stephen Covey once said, ‘everything moves at the speed of trust.’ And I think that is so spot on for the cyber industry.”

Thanks to Megan Samford at Schneider Electric. Join us at Black Hat MEA 2023 to learn more.
