OT Security Marketing: Insights From the Plant Floor


In this episode of Cybersecurity (Marketing) Unplugged, Kamil also discusses:

  • OT vs. IT Security;
  • How Rockwell Automation works with its partner ecosystem from a marketing standpoint;
  • How Rockwell Automation collaborates with other departments (marketing, sales, product management) as a very large organization;
  • Specific channels they’ve found to be more successful than others when it comes to engaging with target personas;
  • And much more…

Kamil Karmali has over 15 years of experience in cross-functional team leadership, global sales leadership, talent development & executive consulting in OT cybersecurity services.  He is currently the Sr. Global Manager of OT Cybersecurity Consulting Services with Rockwell Automation, a leading global industrial automation company founded way back in 1903.  Kamil is at the forefront of Rockwell Automation’s OT security marketing and sales initiatives and we aim to gain insights from him on the strategies he and his group have found most productive when it comes to marketing and positioning Rockwell Automation as a security innovator.

Kamil is joined by our host, Mike D’Agostino, General Manager of Information Security Media Group (ISMG) & CyberTheory.

Over the past several years, a whirlwind of issues has put an extreme emphasis on securing operational technology, or OT. From the COVID-19 pandemic accelerating the overall digital transformation to the threat of kinetic wars and other physical/logical disruptions of critical infrastructure – the time has come for operational technology to mature with regard to protecting system availability and preventing attacks targeting legacy systems.

More and more vendors are popping up seemingly every day that address various issues with regard to OT Security. Most of these entities specialize in a specific solution. But what if a company at the heart of manufacturing and building the equipment that runs industrial systems starts to address OT security from the inside out? Rockwell Automation is one of those companies and has embraced its position as not only a leading industrial automation company but as a leading secure industrial company.

Full Transcript

This episode has been automatically transcribed by AI, please excuse any typos or grammatical errors. 

Mike D’Agostino: [00:11]

Welcome once again, everyone, to our latest episode of our Cybersecurity Marketing Unplugged interview series. Today we’re going to be focusing on operational technology, and OT security marketing. Now to set the stage, over the past several years, a whirlwind of issues has put an extreme emphasis on securing operational technology or OT. From the COVID-19 pandemic accelerating overall digital transformation to the threat of kinetic wars and other physical and logical disruptions of critical infrastructure, the time has come for operational technology to mature up with regards to protecting system availability, and preventing attacks targeting legacy systems. In fact, our very own most recent CISO Engagement and Decision Drivers Study identified critical infrastructure security as a top 10 topic among nearly 400 that is creating the most content engagement since the start of 2022. That said, more and more vendors are popping up seemingly every day that address various issues with regards to OT security, and most of these entities specialize in a specific function. But what if a company at the heart of manufacturing and building the equipment that runs industrial systems starts to address OT security from the inside out? Rockwell Automation is just one of those companies and has embraced its position as not only a leading industrial automation company, but as a leading secure industrial automation company. Our guest today, Kamil Karmali has over 15 years of experience in cross-functional team leadership, global sales leadership, talent development, and executive consulting in OT cybersecurity services. He is currently the senior global manager of OT cybersecurity consulting services with Rockwell Automation. Again, a leading global industrial automation company founded way back in 1903.
Kamil is at the forefront of Rockwell Automation’s OT security, marketing and sales initiatives, and we aim to gain insights from him on the strategies he and his group have found most productive when it comes to marketing and positioning Rockwell Automation as a security innovator. Kamil, welcome to the series.

Kamil Karmali: [02:41]

Thank you, Mike. Happy to be here.

Mike D’Agostino: [02:43]

Great! I provided a quick introduction to yourself and Rockwell Automation, but perhaps you can spend a couple of minutes just to fill in the gaps as far as your background goes, a bit on Rockwell Automation in general, and how they fit into the operational technology or OT space and details on what your role covers within the organization.

Kamil Karmali: [03:02]

Absolutely! As you mentioned, I’ve been with the organization almost 20 years now in various leadership roles customer facing consulting, business strategy, but more specifically, I was part of the initial 10 employees that started our network and cyber services practice about a decade ago for Rockwell. We’re an OT organization 100 plus years old through and through, providing everything from manufacturing systems to traditional automation and control, information solutions and MES, lifecycle services. But the goal here is to help customers drive secure digital transformation. And for me, specifically, my team, my peers, our business, it’s all about cyber hygiene, and certainly data-driven decision making where we can contextualize outcomes, where we want to provide a gamut of those outcomes to vertical industry. My role is all about the C-suite, CISO experience, customer consulting, practice in OT. We focus a lot on creating and delivering solutions to the market that reduce risk. The job of my organization and my team is to make sure that we’re positioning that and developing it in terms of a trusted journey. But I’m supported by 300 plus people, inclusive of sales executives, domain experts, delivery experts, customer success functions, and a very mature portfolio organization who’s thinking through the cyber OT needs of the future, Mike.

Mike D’Agostino: [04:35]

Very good, appreciate the oversight and no pun intended. But what Rockwell Automation does is very critical, deals with a lot of critical infrastructure and operational technology systems in general. You’re coming from a unique perspective given your company’s history. Not necessarily known as a cybersecurity company per se, but cybersecurity has become paramount to your offering. Just to kick things off, like what are some of the high-level challenges from a marketing and sales perspective that you and your team have faced over the past couple of years as you try to create more market awareness regarding your cyber and OT security capabilities?

Kamil Karmali: [05:17]

I would say first and foremost, brand amplification, recognition, conquering the identity of what and who decision makers think of us, as an older manufacturer. We got to break the barriers on what we are versus what we’ve evolved to. And I think the challenges are complex. First, our sellers are calling higher into IT organizations, which has never been part of our DNA. And that means understanding outcomes differently. It also means having thought leadership experience in spaces that we’re not necessarily used to. And that means from a marketing aspect, we’re touching a global body of regions and people, technology providers, our customers, the end users, analysts. We got to convince all of them that we’re serious. We got to convince them we’re in the game, we have credibility, and we have the expertise to do so. And that we come first to mind. When I think about when I go to sleep at night, is who are we being compared to? What and what are they comparing us toward? Our identity and shifting that in the market has certainly been a challenge. But we’ve been able to back that up with proven expertise to show them how we can walk a customer – an enterprise customer, a single site customer through a cyber journey, over a period of weeks, all the way to several years, creating the risk profile that they want to see from an OT standpoint in the future. But the investments into marketing had been critical to ensure that we’re pressure testing that brand messaging and making sure that we’re making an impact.

Mike D’Agostino: [06:53]

It’s definitely a bit of a paradigm shift that you guys are going through, but like I mentioned before, it’s one thing to sort of come from the outside in and bolt cybersecurity onto these systems. It’s different when you’re from the inside out, and you’re doing that from the ground up. But we shouldn’t even have started with this. OT security is different than IT security. Can you just provide a quick background or on like, what the differences are, where you see them sort of converging?

Kamil Karmali: [07:27]

Yeah, absolutely. IT or we call it the carpet space, I think that focuses a lot on ERP and data-driven decisions, cloud agility, confidentiality, business data, all of the main core functions of marketing, human resources, the things that keep an enterprise moving. Whereas OT is all about physical systems and human workforce safety, safety systems, you’re looking at production data, high velocity applications, things that feed the development and creation within the production of a particular product quality. And you want that to be repeatable, you need modernized automation platforms, you need systems, and you need processes. The security challenge in both of those roles are distinctly different and so are the people. I always use the example of, for 50 years operators pushing buttons to make a product in the manufacturing environment. We’re good at doing a core set of skills. Now they’re on the frontlines of nation-state attackers being threatened and having cybersecurity added to their job profile, when they’ve got a million other things to focus on in terms of production and quality. This is a very different environment. It’s a very different world. There are different focal points, different skill sets. I think making the decisions quantifying, investing in those decisions, but thinking about the people, those are probably the biggest differences from my lens between IT security and OT security.

Mike D’Agostino: [08:58]

Yeah, and definitely a very rapidly changing environment, literally, it seems by the day. And now that nearly everything has an IP address and is connected to the internet in some way, shape, or form, including some of these industrial systems, it just raises the attack surface so to speak exponentially. Within OT security and industrial automation in general, and I think we can guess, at some of the answers here, like what is driving the need and interest? Is it the overall move towards digital transformation in general, like I just said, everything is being connected to the internet these days, is it the growing optics like it’s becoming more and more apparent that many of these systems are seemingly outdated and some of the strategies when it comes to securing operational technology and critical infrastructure? Is it just the right thing to do? Like what’s driving the change here?

Kamil Karmali: [09:57]

That’s a great question. I’m going to describe my answer this way. So 2017 was an inflection point for the industry for what I call OT manufacturing and industrial companies where we saw this influx of ransomware for the first time into production environments with NotPetya and WannaCry. Next thing you know, you’re seeing globally large enterprise producers incurring hundreds of millions of dollars of expenses and exposure around lack of cyber strategy in OT, lack of disciplined incident response capability. That has only gotten more frequent. And it’s only getting worse. I would say digital transformation connectivity, definitely, as you mentioned, ransomware legacy systems, the need for ongoing patch management strategies, in OT are seeing things like consolidation of technology platforms, building of many more greenfield production facilities. Cyber should come first and foremost, as an equal, in my opinion, as a board level directive and a board-level objective. And we’re seeing that more and more, and we’re seeing it more and more come as a primary funded responsibility and priority for security decision makers. In critical infrastructure, like I said, I think it’s only going to increase in terms of frequency and complexity of the number of threat vectors, the frequency of the number of attacks, the cyberthreat actors, in terms of how mature they’re getting. There’s a lot of underreporting in the industry that’s causing this. So I think you’ve put all these together in an ecosystem and you shake it up, OT manufacturing has traditionally been behind IT in terms of speed and adoption. But when it comes to security, I think we’re seeing them catch up pretty quickly because of these things.

Mike D’Agostino: [11:46]

Yeah, absolutely. You listed out a laundry list of reasons why it’s a good thing to do. I have sort of a quick hit list of some more marketing-centric types of questions here. So we’ll go through them. First of all, when it comes to marketing, most traditional cybersecurity vendors focus on the CISO, or the chief information security officer as the somewhat unicorn, they would want to influence. But what is the main or what are the main, if more than one, persona that your organization hones in on? I’m sure a CISO is part of it. But what are some of the other typical targets for you?

Kamil Karmali: [12:28]

Absolutely. We focus on a variety of personas, I always say it’s a team sport, you can attempt to get to the C-suite often, but they’ve got a lot of priorities. It doesn’t necessarily have to be the CISO. It could be a security persona, such as a director of IT, plan for production manager, a production director, I include human resources, finance, safety, leadership, in a lot of our meetings when we do consulting, because I think everybody needs to be involved. An outcome of an attack, or a potential human loss of life casualty related to cyber incidents, is going to impact all those functions, certainly profitability for the company, whether it’s an enterprise or a local municipality, or even like an energy company.

Mike D’Agostino: [13:13]

Scary stuff and appreciate the account-based marketing approach. The understanding that you need to influence more than just that unicorn within an organization, I think is a sound strategy.

Kamil Karmali: [13:28]

Mike, we’ve spent a lot of time building out in collaboration with great companies like yourself, massive amounts of persona documentation and the how to engage strategy, not just at that CISO level, but what are the next two to three down that have responsibility and accountability into it? We’re seeing a massive return in terms of confidence of our sellers being able to relate more, and have those conversations.

Mike D’Agostino: [13:54]

Absolutely, all about planning. I suppose the elephant in the room question here is, what types of strategies have you seen be effective in creating engagement with these target personas?

Kamil Karmali: [14:07]

I think starting with picking a professional company that we needed to benchmark our current state and our current approach off of was critical. Given the depth and precision that a lot of partners in the industry can help with, I think we had to do as a first step, pressure testing our market strategy against an advisory board and a committee of CISOs that know the game. Regarding sellers, we have to keep it simple. Our strategy was to keep it simple. We’ve taken an approach of choosing what we call outcome-based selling as a competency and as a strategy to tie very specific outcomes to buyers within their journey that align to the capabilities that we deliver. In fact, we went as far as choosing the NIST framework as a security framework as part of the core, fundamental, go-to-market strategy, whether we were teaching it and showing it to our sales organization and how to manage the conversation to create demand, or from a marketing and brand amplification standpoint, saying this is how we align as a company, to something so widely adopted and known. I think speaking the same language was a core part of what our marketing engagement and investments did to get feedback on how we should come to market. I think marketing is complex. As a global company, we serve a lot of global regions, and they’re all different government regulations, regulatory compliance based on life science, or oil and gas. Some of these countries or geographies will help drive where we need to be aggressive. I think we do a lot of analytical research so we can pinpoint and know where we need to drive focus/messaging around from a marketing standpoint.

Mike D’Agostino: [15:54]

Sounds like a very mature process. Like you mentioned before, even just having spending so much time on building out persona profiles and understanding who the target audience is, what makes them tick, all is going to set you up for success in the future. Kind of piggybacking off of that, I’m not looking for any trade secrets or anything here, but are there any specific channels either online, through digital means or in-person events that you found more successful than others when it comes to engaging with these target personas?

Kamil Karmali: [16:33]

I’m old school, I think human interaction is where trust is built. I’m a firm believer that in cyber where there are a million players with technology to provide services, companies’ integrators, that trust is a repeatable and demonstrated process which you have to be in front of people in order to articulate so I think there’s a balance between digital forms and in-person forms. I think the method of using fireside chats, executive roundtables, attending security trade shows, going to events where you have a representation of government and state local officials present that want to talk about cybersecurity partnership as part of collective defense, I go as far as even including academia, we see by bringing all these pieces together and attending or pulling people into that type of cross functional slice that those are all the pieces to the puzzle. I think, in collective defense, no single person, technology or company is going to solve it. We all have to come together to adapt and think about it proactively, however, that’s done.

Mike D’Agostino: [17:40]

To your point earlier, with a number of people in the target range for you, like you mentioned, security is an obvious one, but plant engineers, HR, you name it. You basically have to go to where they hang out, where they get their information, the events that they attend, you need to be there as well, I don’t think there’s a silver bullet, one event or one channel, that’s going to do it all for you. Now, I know, just from the inside that Rockwell has a very extensive partner network. So how are you working with your partner ecosystem, from a marketing standpoint to solidify your position within OT security?

Kamil Karmali: [18:28]

I like what we’re doing. We’re taking the approach of going inside and out, if I think about our partner ecosystem, it’s represented by a body of technology providers, cyber ecosystem partners, certainly our channel to market being our designated channel partners within North America or in certain regions around the globe, we’ve been able to develop a global framework as a standard of how we want to bring these things to market. And then we kind of scaled down from there. We also co-build marketing strategies with each of those ecosystem partners or technology providers, and we show them and we kind of, I would say, we bounce ideas off of research and analysts companies like Gartner and ARC, to get as much data-driven acumen as we can build into how we’re sharing that and how we scaled. So I think Rockwell Automation certainly takes an approach. And then we scale down from there to help our distributors and our technology and cyber partners, be able to help amplify that message together with their own value propositions, a lot of these companies that we’re selecting, are already in themselves best in class and how they show up to the industry. If I think about companies like CrowdStrike, Dragos or Claroty, when it comes to threat detection. We’ve certainly made a large impact by announcing co-developed offerings in the market and we trust each other’s teams to be able to go relay that messaging correctly.

Mike D’Agostino: [19:50]

That’s great. Capitalize off of what each company does best and incorporate it into what you do. Now, just a couple more questions for you. Rockwell Automation is a very large organization. How do you collaborate with other departments, whether it be the marketing organization, sales organization, product management, your executive teams or otherwise, to ensure that your marketing efforts are aligned with the overall business objectives?

Kamil Karmali: [20:22]

You’ll probably chuckle. I don’t think it’s as hard as under large companies only because we have a security-first culture. And that means that we have buy-in all the way from our CEO, Blake Moret, to our senior vice presidents, and down to the individual contributor level within our company of how we practice our own security philosophy. It took a while to get there. But when we got there, I’d say look, I’m a team player. So as far as extended organization, we all know what role we play in each of these different functions. I think we’re always going to ask for more funding tied to marketing efforts. Cyber is a game where you have to pay to play in order to curate the results you want to see in terms of mindshare, and quality of your presence into the market. But I firmly believe that we have convinced in our organization’s bought into how important security not only is for us in the way that we treat it, but how we need to bring that to our customers, since we had been in the business of building manufacturing plants from the ground up for a long time.

Mike D’Agostino: [21:24]

Yeah, I don’t think that you guys have a choice. Security culture needs to be built in when you’re dealing with the types of systems that you guys are so that’s good. Last item here, very open ended. But how do you know that your investments in marketing are paying off?

Kamil Karmali: [21:43]

As a leader, I look at the game versus the score. I’d say the score is revenue and funnel, the score can be measured off of net new logos we’ve created success around. The game is how many more customers we’re helping weekly to a secure and reduced risk with, how many more CISOs or IT organizations are buying in to the philosophy that we’re preaching in the OT world. And frankly, the number of leads that we get from customers that we’ve never worked with, we’ve never penetrated, or certainly we’ve never had success in selling into because of them perceiving us as this 100-year-old, traditional hardware company. I look at it between the game and the score. But I think both are equally important to get to where we need to be.

Mike D’Agostino: [22:29]

Absolutely. Kamil, I probably have a million more questions I could ask you. But I appreciate all the time that you’ve given us so far, so we can end it there. Really appreciate your participation and your insight. OT security, like I mentioned, upfront, we’ve identified across our network that it is going to be a top topic that cybersecurity is going to be dealing with in the years to come. And we know that there’s just more and more interest around it, more and more companies popping up that are helping address OT security. And like I said, you guys are right at the heart of it. You’re doing it from the inside out. Great speaking with you, appreciate the insights into what you do and how the organization is approaching marketing and sales within OT security. Best of luck. Hopefully we can have you on again.

Kamil Karmali: [23:23]

You as well. I’m humbled to have been your guest. Thank you so much.

Mike D’Agostino: [23:27]

Thank you very much, and thank you everyone for listening. We’ll catch you next time.