25Minutes: Insights. Expertise. Impact.

6 - John Kingsley: Why common sense isn’t common – Lessons-learned, Zero Trust, DeepSeek & the future of OT Security

Eliel Mulumba

In this episode of 25minutes, cybersecurity expert John returns to discuss the lessons he has learned over two decades in IT and OT security, focusing on the realities of risk management, leadership and the evolving threat landscape. We explore why common sense in security is often an illusion, what Zero Trust really means beyond the buzzword and how the OT security landscape has shifted with emerging threats. John shares insights on DeepSeek and AI-driven threat detection, the persistent challenges in bridging IT and OT security and why businesses must rethink their approach to cybersecurity as a strategic advantage rather than a compliance requirement. This conversation offers valuable perspectives on how to future-proof security strategies, mitigate risks before they escalate and ensure resilience in an increasingly complex digital world. 

Our Guest: 

LinkedIn: https://www.linkedin.com/in/sjkingsley/

https://industrialcyber.co/features/industrial-cybersecurity-coalitions-rise-to-meet-growing-ot-ics-cyber-threats-build-awareness-take-action/

https://www.youtube.com/watch?v=kp6F90MH48U

https://www.linkedin.com/pulse/ot-cybersecurity-resources-kickstart-your-learning-today-kingsley/

25 Minutes Podcast

Hosted by: Eliel Mulumba

Audio editing & mastering: Michael Lauderez

Join the conversation on LinkedIn: www.linkedin.com/in/eliel-mulumba-133919147

Hey, John, thank you very much for finding the time for me once again. Our last session, which was amazing, was where we talked about your career in cybersecurity, and in particular in OT security, with your strong automation and engineering background and a real focus on design and documentation. So one part we both felt we had not elaborated on that much, also based on the feedback from the community, is your lessons learned and personal wisdom.

And that's why we both have the pleasure of meeting each other again today and actually discussing that. So when it comes to your entire cybersecurity journey, John, if you would reflect a bit on your younger self, 20 or 22 years younger, what would be the key lessons learned you would tell him about?

Right. And thanks again, Eliel. Glad to be back here. It was really good the first time around and I hope I do justice again as well. So coming to the question, yes. Before going into the requirements, the best practices of the standards and all the other things that surround us, I would really suggest everyone to be open, and I think common sense is not common. So that's something that we need to be very steadfast in. And it's all about the basics. That has been my profound experience. We speak on a lot of things, and we speak on very complex attacks and techniques and tactics used by the hackers and so on. All that aside, one very important aspect here is knowing the basics. One needs to be very strong in the fundamentals and also try to stick to the basics. It could be anything, from training and awareness to the very simple things that go on when we speak about cybersecurity. Because if we fail in the basics, it would create a kind of smaller holes, right?

Take this example of cheese. People might have seen the cheese which I always share whenever I conduct some trainings. We have holes in the cheese, right? When we have different layers of protection, and it could be policies, audits, endpoint security, firewalls and many other layers of protection, the number of holes over time probably will reduce, right? And it could be one in a million, or maybe some unexpected zero-day vulnerability, for something to happen. So be steadfast in all the basic concepts, because at the end of the day, that is what is going to save a lot of trouble.

Mm hmm. And I mean, John, when did you have this moment within your career where you realized that these lessons learned were now materializing? Where you had the feeling like, wow, now everything starts to make sense, I understand the big picture behind that, I understand that different pieces need to be assembled together to work.

The good thing about having a very long career is that it doesn't necessarily have to be in cybersecurity itself. Of course, people do have security-focused careers, but unfortunately I didn't. But since I was working in the industry, and am currently responsible for OT cybersecurity and critical infrastructure, this has always been there. Because of course cyber-related risk is there, but even before that, we always had some kind of hazards in the sites and facilities where we work. So we need to work safely, we need to operate safely. There could always be some kind of hazard, there could be errors in the design or some manual errors during the operation, and safety was always a paramount focus. So that kind of puts a discipline into you: you treat the plant or the facility with the utmost respect, and it was just natural. When I was transitioning into OT cybersecurity and I started to visit clients, started speaking with them and started visiting the various facilities for audits and close-outs of the mitigations that had been taken, it was kind of a moment where, okay, ultimately we need to stick to our basics, we need to comply and we need to do continuous improvement.

See, another thing people get scared of is when they do the audits and they have a lot of findings; people think it's a bad thing. I think it's the opposite: finding issues is good, because we can prevent them, rectify them, try to understand what went wrong and try to ensure that it doesn't happen again. If we can reduce all such issues, that is what I mean when I stress the basics. So we're doing our job. We have only one job, so we tend to get distracted. The current world is like that, there's a lot of hype. But there is no silver bullet. That's the real truth. When people realize that, and it could be engineers, it could be middle managers, it could be the CXOs, when they realize that, they will know what to do.

Mhm. And I think knowing what to do is actually a great statement here, because we both also talked about how to communicate with sites that are mainly focusing, as you said, on the availability of systems and making sure that production is running, because it's part of the value chain and there's so much business value behind that.

So when you think back to your early days, what were things that maybe weren't that good in the way you approached sites, also for documentation and cybersecurity, which might be perceived as a burden, and what would you now do differently?

Yeah, so, see, again, those were my initial early days in OT cybersecurity, and I used to work with various engineers and middle managers. I need to accept the truth here that they were simply powerless. They knew what their problems were, and the solutions that they were trying to implement, I don't know, maybe the consultant or whoever was responsible for the cybersecurity management probably never got feedback or inputs from them on what could be a potential solution. And this is something that I used to see a lot: instead of tapping the boots on the ground, people were trying to come up with their own solutions, and the implications are not visible immediately.

These things take time, a year or two and so on. The good thing now is there's a lot more recognition of these cybersecurity issues and the various impacts, and with the various regulations in North America and Europe, some of the organizations have started to take this very seriously. And it needs to be a top-down approach, right?

If you want the organization to change and the culture to improve, we need a top-down approach, and it needs to go all the way to the bottom. It's not just the IT engineers' or the OT engineers' or the automation engineers' or the security engineers' job. Everybody is responsible in some way. Of course, people have specific roles and responsibilities when it comes to security, but it's everyone's responsibility. Everyone needs to be aware. People should know when they are being spammed and whether there are some kind of malicious links or attachments. They should be judgmental and not open and not click, right?

And this can only happen when there is an organization-wide effort, right?

So you're saying, if I understand you correctly, that everyone has a role to play and that OT security, or cybersecurity in general, is not something for a lone wolf; it needs the team at the intersection of IT and OT. And I would be curious to learn a bit from you when it comes to conversations with executives.

Do you see a difference in conversations today compared to maybe 10 or 15 years ago, where people maybe didn't pay that much attention? What is your reflection on that?

That's one good thing, right? With time, people seem to be more aware; they know their challenges, they know the implications. And even recently, Schneider Electric and ABB had some kind of downtime because of some attacks. And we have been seeing the ransomware attacks blow up like anything. It doesn't matter whether it's OT; it's again a cybersecurity aspect that could again happen to even an OT facility. So those kinds of incidents have in a way created more fear of the challenges of having a downtime or disruption: the shareholder value erodes. And I have seen organizations complying with IEC 62443 without any regulatory pressure. Of course, for North America we have something called NERC CIP for electrical power generation, distribution and transmission. In Europe, in Australia and in every other country there are some kind of regulations in place, but it's good to see various organizations starting to comply with 62443 or the NIST Cybersecurity Framework.

A second thing: just as we have an information security management system, or ISMS, based on ISO 27001, I have similarly seen organizations starting to develop OT-specific cybersecurity management systems, and this is in the right direction.

Absolutely. And something that I would also be curious to have your feedback on is zero trust. I think zero trust is one of the biggest buzzwords we have been hearing in the cybersecurity area, potentially for the last three to five years, before the AI hype. So can you explain to us a bit what the fundamentals of zero trust, or of the zero trust architecture to be quite precise, are?

And do you believe that this is something that works well, or could work well, in the OT security field?

Yes. The zero trust architecture, I think it's phenomenally growing, but it has its own set of challenges. The key principle here is never trust, always verify. This is something where the internet has kind of been a precursor, as I mentioned earlier in my previous podcast: it's a trust-deficit world. When we speak about ZTA, it's a framework that is actually designed to enhance security by eliminating implicit trust within our infrastructure or the network.

When we speak about OT, the traditional perimeter defences are kind of inadequate due to various issues like remote working, use of cloud applications and services, and interconnected devices. These are some challenges that OT faces. So when we speak about zero trust: least-privilege access, monitoring and validation, micro-segmentation. Segmentation is something that I touched upon earlier; network segmentation is very important. And here micro-segmentation basically divides the network into smaller segments, and zero trust architecture limits the lateral movement within the network. This means that even if an attacker gains access to one segment, they cannot easily move across the network.

One other aspect that's not very well spoken about is comprehensive security policies. An effective implementation of zero trust basically involves establishing clear security policies that govern the various access controls, and which again are function- and job-role-specific: what is the user role, what are the device types, and where does the request come from, what are the origins? So there are definitely a lot of benefits of using zero trust in OT security. It helps in improved incident response and enhanced protection against threats, and the most important is the possibility to adapt to evolving threats, right?

Threats are continuously evolving as we speak, and there's always some kind of vulnerability out there in the wild. People are discovering zero-day vulnerabilities and selling them on the black market. So we need robust protection against these kinds of new vulnerabilities and new kinds of attack methodologies that these hackers use now.

Yeah. And I think, if I understand you correctly, one of the aspects that is quite important is to manage the pace, because technology, and especially information technology, is growing so fast and rapidly. We are right now seeing a huge hype around generative artificial intelligence.

I'm pretty sure you have also seen the news around DeepSeek coming now from China, which is the big response to all the AI technologies we have seen so far. But if we tailor this a bit to the OT security context, what are your learnings on how to still stay up to date and ensure that you have proper upskilling that you would like to share with us?
