Adapting to Legislative Demands: Insights on Cyber Security Compliance in Critical Infrastructure

Razorwire Cyber Security

07-02-2024 • 55 mins

Welcome to Razorwire, the podcast dedicated to exploring the complex and evolving world of cyber security legislation. I'm your host, Jim, and in today's episode, we delve into the intricate landscape of cyber security legislation with our guests Steve Applegate and Phil Tonkin from Dragos.

In this episode, our guests shed light on the challenges and intricacies of navigating cyber security legislation, focusing on the impact on critical infrastructure and the evolving landscape of compliance. From managing connectivity safely to the complexities of integrating IT and OT in modern manufacturing, we explore the key factors influencing cyber security legislation and its practical implications.

Key Talking Points:

1. The importance of managing connectivity safely and ensuring proper segmentation and visibility in the NIS legislation.

2. Challenges faced by organisations, such as Sellafield, in implementing controls and recognising legacy challenges in OT environments.

3. The impact of conflicting regulations on consumers and the need for practical compliance requirements in cyber security legislation.

“We can't let FUD be the guide, right? If every time we hear a thing, we start panicking and we deviate from our processes and start making a whole bunch of new mandates, even internally, all the people within a company that have to track that and follow it and meet with people, and it's a distraction, I think, from real security.”

Steve Applegate - Dragos

Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen


In this episode, we covered the following topics:


  • Managing Connectivity Safely: Emphasising the need to ensure proper segmentation and visibility in cyber security legislation.
  • Challenges Faced by Organisations: Discussing the difficulties in implementing controls, recognising legacy challenges, and the importance of proportional controls.
  • Conflicting Regulations and Consumer Impact: Raising concerns about conflicting regulations and the impact on consumers due to compliance costs.
  • Information Exchange Hesitance: Discussing the hesitance of information exchange for cyber security purposes and its impact on managing threats.
  • Reporting Dilemma: Describing the challenge of eradicating cyber events and the dilemma of reporting to the public versus mitigating further attacks.
  • Third-Party Oversight Frustrations: Addressing the frustration with third-party involvement in security oversight and assessment processes.
  • Transparency in Security Relationships: Advocating for transparent and trust-based relationships with third parties, emphasising actionable intelligence, and fostering transparency.
  • Evolving Skill Set of Security Professionals: Describing the evolving skill set of security professionals, particularly the increasing specialisation and separation from GRC.
  • Legislative Impact on OT Environments: Expressing concerns about the impact of legislation and compliance on operational technology environments and the difficulty of implementing changes in systems with old technology.
  • Challenges of Sudden Legislative Changes: Discussing the challenges of sudden legislative changes, public outcry influencing legislation, and the need for realistic expectations of change in a legacy industry.


Resources Mentioned

- Dragos

- Sellafield
