At Your (Remote) Service

I came across an interesting article titled "How Much Network Access Should You Allow?". In this article, Jim Montague of ControlDesign.com provides an excellent overview of the state of cyber security in the industrial automation space.

One trend I find particularly interesting is the fact that equipment and control systems vendors are stepping in to ensure that their customers' shop-floors are more secure. As the article states "[Vendors] can audit customers for compliance with NERC-CIP and other standards and provide recommendations and services for correcting problems, performing security updates, patch management and monitoring operations."

We are starting to see this kind of thinking from several of our customers. These companies are using the secure "tunnel" built into the NextNine platform, as well as built-in application such as software and patch distribution to deliver value added services to the end-customer.

As I discussed in a previous post, this is another great example of using business value to gain customer acceptance.

It is no secret that one of the key challenges of remote service is overcoming end-customer security concerns. Customers are naturally wary of installing software that collects and transmits information from the supported product to the vendor's service organization. This is why most remote service software platforms incorporate security at different layers of the solution. (You can learn more about the security features of the NextNine software here)

However, we have found that the companies who have been the most successful at overcoming security concerns were the ones that did an outstanding job communicating the business benefits of remote service to their customers. These companies first created a strong demand for the service with their customers' business constituents. By the time the security folks were asked to voice their opinion, they already knew that "My CEO (or other high-level exec) really wants this solution in place", so their mindset shifted from "Should I approve this?" to "What is needed for me to approve this?"

We recommend the following steps to improve the security discussions with your end-customers:

1. Start at the top - try to first initiate conversations with a high level business executive that is involved with the remote service project.
2. Get business buy-in - find and articulate the "Killer Value Proposition" in business terms. In some industries, simple elimination of downtime can save the customer millions of dollars, in others it may be about proactive problem discovery or asset optimization. Make sure you can back up your promise with benchmark or customer specific data.
3. Focus security discussions on "HOW", not "IF" - having realized the benefits, ask your end-customers what is needed for them to embrace remote service. Would they prefer to manually approve every remote connection? Would they want the remote service software to transmit information on-demand, or at preset times of the day? Assuming your solution has a flexible security policy, there are many "concessions" you can make to find common ground.
4. Reference customer success - Security has a lot to do with "common practices". If your remote service software has a track record of adoption in the same industry, make sure to leverage it. For example, if you sell manufacturing equipment, it is extremely beneficial if the same remote service software has already been installed in other plants.

What have you found useful in your security discussions?