Big organizations usually own a wide range of skills, often dedicated to their business needs. The bigger an organization is, the more these skills are scattered across many people belonging to different business units. Experts know a lot within their field of expertise, but they often have limited time to invest in cross-disciplinary skill development. The often-criticized “it’s not my job” behavior of people who turn away when faced with an ad hoc request is also a consequence of specialization.
There are often different reasons for this reaction. The most common is the natural behavior of people protecting themselves from unhealthy overload by limiting the scope of their responsibility.
The challenge of these pillars of knowledge appears in particular in interdisciplinary projects. At BxC, we observe this specifically in cybersecurity programs involving many business units. A binding glue is required between the different project phases, workstreams, and teams to ensure a comprehensive cybersecurity design. Without a clear understanding of the business demand, technical implementation often focuses on technical features. Business people, financial controllers, and technical staff of IT and OT speak completely different business languages. Thus, the technical implementer is usually not very interested in the business purpose, and the business often does not care about the details of the technical implementation. As cybersecurity effectiveness depends on the weakest link, all aspects must be incorporated into organizational and technical measures.
The Libero Role
The role needed to overcome these challenges requires the ability to combine a wide view of business and technology topics. But the most important aspect is the ability to communicate with all project participants in their specific language and thus understand business, IT, and OT demands and needs.
This role is what we call, at BxC, The Libero.
To be clear, this is not a Project Manager (PM). A PM manages the project and ensures sufficient visibility of operational status, progress, risks, and financial aspects. The PM has to be able to understand and follow the business purpose but usually does not understand the technical language spoken by IT specialists, OT engineers, and cybersecurity teams.
The Libero understands the architecture and the protocols used, down to important configuration aspects of the chosen solutions. He is able to discuss openly with business representatives both the opportunities and risks of decisions taken during the project and the technical architecture options to be implemented. He connects the dots between the project teams. He is able to overcome the “it’s not my job” issue, alone or with some support, by taking the initiative, thereby making sure that functional and technical requirements and risks do not get lost or forgotten from one phase to another.
The importance of the selection and the positioning of the Libero
An IT or OT (security) architect who has several years of experience in different fields and is able to talk to business and IT / OT specialists is a very good fit. This role is demanding, as it requires adaptation, flexibility, and open-mindedness. In general, people who are able to play this role are rare and thus invaluable to the organization.
In addition, the Libero has to be independent of organizational conflicts of interest. The Libero needs to make decisions and work without being affected by the battles between line management functions that happen behind the scenes.
The Libero must be kept independent from such battles. You have some options to choose your Libero wisely:
Take a person from within your organization with experience, but with little motivation for a management career track. Such employees are usually not influenced by other management functions that try to enforce their opinions and goals.
Use somebody from outside your organization, who is not bound to any line function and not influenced by one. With experience of working in different projects in similarly sized organizations, they know the challenges of political decision load balancing.
BxC Take Away
Given the strategic impact of digitalization projects for many companies and how little we currently know about new technologies and their impact on the business and ways of working, it is of paramount importance to communicate transparently about the opportunities and residual risks of decisions being made in such projects.
Cybersecurity architecture and processes too often focus only on the question of how likely it is that an attacker gets access to company assets. But there are many more aspects that need to be considered to make educated decisions. In OT, a misleading solution architecture may impact the availability of production services and can even have a negative effect on Safety Instrumented Systems (SIS). Without proper analysis and transparent communication of residual risks, companies are in danger of creating non-compliance and endangering their value chain.
By applying an honest and open way of communication, a Libero can make a big difference in solution effectiveness and cybersecurity.
At BxC, we recommend any organization to: