Fortinet looks to strengthen OT business with free OT maturity assessment tool

OT is already a significant part of the company’s business, but the new tool, available now in Canada for the first time, will give end users the ability to see weaknesses and lead to channel opportunities to address them.

Foad Godarzy, Senior Director of Operational Technologies at Fortinet Canada

Cybersecurity vendor Fortinet has reached out to the Operational Technology [OT] component of their customer base, with the announcement of a free online tool that lets organizations assess the cybersecurity maturity level of their OT environments in Canada, and which provides a comparative evaluation of their efficiency.

The OT business is a substantial part of Fortinet’s revenues.

“It is a big portion – about one third,” said Foad Godarzy, Senior Director of Operational Technologies at Fortinet Canada. “It’s one of the things globally we are focused on, in trying to bring more value to the industry and protect more critical infrastructures across the board.”

Godarzy said that the key thing for their customers in the OT space, regardless of their size, is their need for visibility.

“For them, OT is the money maker and IT is the expense centre,” he indicated. “They come to us and initiate conversations of how to protect their market, which is why we came up with this free tool, for customers of any size. Most of our OT customers are mid-sized and larger enterprises, although some are small manufacturers that are in the global supply chain of bigger brands. As well as global manufacturing, some are also big energy companies and health care providers across Canada and globally.”

This OT initiative made its way to Canada and the North American market from other geos.

“It started first in EMEA, and we then followed it up in LATAM, where they changed it from Excel to a Web-based service,” Godarzy said. “This is really the 2.0 version of the tool, although it is the one where the Canadian team got involved and aligned.”

The operational environments and critical infrastructure security assessment consists of ten questions and is available in English, French, Spanish and Portuguese. Its cybersecurity maturity assessment model is based on industry frameworks like NIST, CMMI, and ARC.

Ten questions is not a lot, but past experience led Fortinet to conclude that a short questionnaire is likely to produce results than a longer one.

“We had another version in Canada that was specifically focused on Canadian OT market challenges, but that was a much longer one,” Godarzy stated. “I came from the customer side, where my job was to keep 15 power plants up and running in Canada, so time was definitely a consideration. In addition to making it a lot shorter, we also enhanced the math behind it to provide a better report at the end to our customer.”

Godarzy said that they know with only 10 questions, Fortinet had to make sure that the ones included covered as much as possible.

“We try to put great questions in place, but with only ten questions,  it’s hard to get to 100% of the environment and have great gap coverage,” he indicated. “The questions touch different areas like visibility and segmentation – a couple in each  area – and based on those we try to rank them. The result is a Web-type image that shows the customer where they need to focus.”

For example, one of the common issues around segmentation is a lack of segmentation.

“Based on the answer, we get to the extent of segmentation, and we can understand how deep the segmentation is – from no segmentation to a very layered segmented network,” Godarzy indicated. “We then rank them from 1-5. It’s important to have segmentation in layers, like an onion, so the crown jewels can be kept deep down and protected.”

At that point, particularly if the customer sees that they are far behind the baseline, Fortinet can provide free individual consulting to identify risks and best practices to raise the level of protection of OT environments.

So where does the channel fit into all of this?

“Fortinet is trying to help the industry, and we are the playing role of trusted advisor, but we always sell through a channel,” Godarzy said. “If the customers want to engage more, they will need to go through one of our partners. These tools are something which we are doing to assist partners and make their lives easier.”

Fortinet’s channel is already substantially converged around both IT and OT.

“Most of the big partners provide service to both, although we have dedicated channel and OT partners as well, with the majority being IT converged,” Godarzy indicated.