Security Expert Interview Series: Susan Peterson Sturm

Susan Peterson Sturm is a transformational Operational Technology leader with 20 years of experience in profitably scaling innovative software-based businesses, including automation, IIoT and cyber security. Susan has a proven track record of growing and structuring early-stage, profitable digital software-driven P&Ls in excess of $150M. She specializes in change management, product management, M&A and strategic alliances. Susan is Cognite's Americas Vice President for Security and serves as a Board Member of One Warm Coat.


1. Firstly, thank you for taking part in this campaign. Can you tell us about your professional background and areas of interest, Susan?

I have been an Operational Technology (OT) leader for 20 years, with experience in profitably scaling innovative software-based businesses, including automation, IIOT, and cyber security.  I have worked in power companies and oil and gas companies, as well as Operational Technology companies.

My focus is often on new markets and innovative technologies, which includes a lot of work in change management, product management, mergers and acquisitions, and strategic alliances. I recently joined Cognite as the Americas Vice President for Security, where I am excited to help heavy-asset industries to securely use data to solve bigger problems like sustainability at scale. I serve as a board member of an amazing digital and virtual non-profit called One Warm Coat.

2. Could you share a project or inspiration with us that prompted your involvement in cyber security?

I started working in OT Security 15 years ago when U.S. regulations addressing security controls in power generation and transmission and distribution networks were relatively new. Shortly thereafter, Stuxnet, the malicious multi-part worm that caused substantial damage to the Iran nuclear power program, gave critical infrastructure operators a wake-up call. In the rush that followed, many industries struggled to get the people, processes, and technologies in place in a programmatic way.

Since then a lot of critical infrastructure teams have focused beyond compliance and have started to think about cyber security in the same way they think about Environmental Health and Safety teams. I am really passionate about finding ways that we can empower entire organizations to secure their operations, not just the security team or IT department.  

3. Why is it important for organizations to tightly align their cybersecurity posture with the overall strategic objectives of the business?

Companies realize there are many threat vectors to their organization. The engagement of all colleagues is needed to address these potential threats (security really is like safety in that sense).  In critical infrastructure companies, there are new risks every day.

These risks come from an increase in IoT devices being introduced, from static environments becoming more dynamic, or even from the adoption of low-code applications (and employees not yet understanding the importance of a Secure Development Lifecycle in their development).

This dynamic threat landscape is why it is critical that cyber security is tightly aligned with the overall business strategy of the business.  

4. According to you, what are the major drivers of future cyber security? The sophistication of cyber-attacks? Security automation and intelligence? Decentralization and blockchains?

Log4J, a remotely exploitable vulnerability, taught us about the importance of knowing your asset inventory.  It is no longer enough to maintain an up-to-date Software Bill of Materials (SBOM) to understand exposure, rather we need to be able to prioritize potential exposure based on the criticality of impacted assets and real operational risk.

I think we will see critical infrastructure companies aspire to a near-real-time, single source of truth between IT and Operations stakeholders to drive more alignment and targeted interventions. I am really excited by the potential of Industrial Data Operations in Operational Technology and how it can simplify reference architecture in environments with many equipment providers and service groups.

The adoption of cloud in OT and alignment of concepts like Infrastructure as a Service and Security Orchestration, Automation and Response (SOAR) can do a lot to support the resiliency needed in these environments.

Change management – the people and process challenges – is more difficult than the technology part of the equation. To be very direct, with the tech stack now available to us, there is no way a new company entering this space would be organized with the team structures and processes we are used to seeing.

It’s time to start thinking about how we can make OT security easier to maintain and scale in critical infrastructure by focusing on user experience. Lack of security resources is another big challenge. I really admire the work of institutions like the Norwegian University of Science and Technology to create educational programs with hands-on training through their cyber range, and Siemens Energy’s internships, to help us increase not only resources in the industry but to do so in a way that supports equity and inclusion.
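The answer above argues that an SBOM alone is not enough and that exposure has to be ranked by the criticality of the affected asset and its real operational risk. The following is an added example that illustrates that ranking in code; it is not code from the interview, from Cognite, or from any product mentioned. The asset inventory, the advisory list (including the `ADV-EX-…` identifiers and version ranges), the criticality tiers and the scoring weights are all constructed for illustration.

```python
"""Rank SBOM findings by the operational criticality of the asset that runs them.

Added example, not from the page. Every identifier, version range and weight
below is constructed; the version comparison is numeric-only and ignores
pre-release suffixes, which is a simplification of real advisory matching.
"""
import re

# Constructed inventory: one SBOM per asset, tagged with a hypothetical
# criticality tier and a flag saying whether it is reachable from a less
# trusted network (the "real operational risk" part of the ranking).
ASSETS = [
    {"name": "turbine-hmi-01", "tier": "safety", "exposed": False,
     "sbom": [("log4j-core", "2.14.1"), ("openssl", "1.1.1k")]},
    {"name": "historian-db", "tier": "production", "exposed": True,
     "sbom": [("log4j-core", "2.14.1"), ("postgresql", "13.4")]},
    {"name": "intranet-wiki", "tier": "corporate", "exposed": True,
     "sbom": [("log4j-core", "2.14.1")]},
    {"name": "vendor-jumphost", "tier": "production", "exposed": True,
     "sbom": [("log4j-core", "2.17.1"), ("openssl", "1.1.1k")]},
]

# Constructed advisories: component, affected half-open range [lo, hi),
# and a base severity on a 0-10 scale. The IDs are placeholders, not CVEs.
ADVISORIES = [
    {"id": "ADV-EX-0001", "component": "log4j-core",
     "affected": ("2.0", "2.15.0"), "severity": 10.0},
    {"id": "ADV-EX-0002", "component": "postgresql",
     "affected": ("13.0", "13.5"), "severity": 6.5},
]

# Hypothetical weights: a finding on a safety system outranks the same
# finding on a corporate box, and network exposure raises it further.
TIER_WEIGHT = {"safety": 4.0, "production": 2.0, "corporate": 1.0}
EXPOSED_WEIGHT = 1.5


def parse_version(version: str) -> tuple:
    """Numeric version key, e.g. '2.14.1' -> (2, 14, 1). Suffixes are dropped."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(version: str, lo: str, hi: str) -> bool:
    """True when lo <= version < hi under the numeric key above."""
    return parse_version(lo) <= parse_version(version) < parse_version(hi)


def find_exposures(assets, advisories):
    """Join each asset's SBOM against the advisories and score every hit."""
    findings = []
    for asset in assets:
        tier_weight = TIER_WEIGHT[asset["tier"]]
        exposure_weight = EXPOSED_WEIGHT if asset["exposed"] else 1.0
        for component, version in asset["sbom"]:
            for adv in advisories:
                if adv["component"] != component:
                    continue
                lo, hi = adv["affected"]
                if not is_affected(version, lo, hi):
                    continue
                findings.append({
                    "asset": asset["name"],
                    "component": f"{component} {version}",
                    "advisory": adv["id"],
                    "score": adv["severity"] * tier_weight * exposure_weight,
                })
    return findings


def prioritize(findings):
    """Highest score first; ties broken by asset name for a stable report."""
    return sorted(findings, key=lambda f: (-f["score"], f["asset"]))


if __name__ == "__main__":
    for f in prioritize(find_exposures(ASSETS, ADVISORIES)):
        print(f"{f['score']:5.1f}  {f['asset']:16} {f['component']:18} {f['advisory']}")
```

With the constructed data, the same vulnerable log4j-core 2.14.1 appears on three assets but the safety-tier HMI ranks first even though it is not network exposed, the exposed historian ranks second, and the corporate wiki last; the jump host running 2.17.1 falls outside the affected range and produces no finding at all. Swap the inline lists for a real SBOM loader and your own criticality register to use the same join in practice.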

6. During the last year, have you come across any noteworthy examples of digital transformation in cyber security?

I’m most excited about the adoption of more automation moving towards SOAR. The more we can add automation, the better we can protect our infrastructure. I appreciate that some very traditional companies with overwhelmingly on-premise types of infrastructure are adopting cloud and getting comfortable with concepts like Shared Responsibility and DevSecOps. COVID, and in the US energy sector an ageing workforce, have really accelerated cloud adoption.

7. What, personally, has allowed you the success you have had in the role of a leader in technology?

I think empathy is important for leaders in this space.  Teams that are driving the 4th industrial revolution or major cyber security initiatives are trying to not only prove out new concepts but scale them across their organizations. Trying to understand the concerns or challenges of other stakeholders is foundational in any major change management or innovation initiative.

Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.