Megan Samford
Podcast Appearances
How did the right folks get eyes on it?
And how is that risk disposition properly with escalations that hopefully don't need to have emotion about them, right?
When things are going wrong, everyone should be free to say that this is something that we need to take a closer look at.
But you're really running more like air traffic control.
And then your third line of defense, perhaps my favorite line, is that third-party internal audit, making sure that the risk overseers in that first line of defense are doing what they said that they were going to do and they're not accepting more risk than is appropriate at their level.
And that risk is being surfaced up to the board and all of that.
And then, of course, I'm also a fan, as I mentioned earlier, of third-party independent reports.
So that could come in the form of like a 62443 certification or an independent consulting firm helping you out just to get an external view on what you're doing and making sure that everything is coming to light.
Sure.
This is a topic, if you had eight hours, I could talk to you about this.
But I think the first thing is you're going into the problem set, viewing it correctly, and that, yes, OT is different.
We say this every single day.
But there's a term that's emerging called industrial realism.
Okay.
Yes.
And what this is, is recognizing that, yes, the controls are going to look very different within OT environments.
We have been adopting a lot of the good security practices from our friends on the IT side.
And this IT-OT convergence has been happening, I think, for the past decade, five, 10, 15 years, depending on who you ask.