As a “kick off” to the 2012 RSA conference, CyLab performed an analysis of how boards and senior executives are governing security and privacy of their digital assets which include networks, systems and data. What struck me profoundly is that the key conclusion in this report was: “…boards and senior management are still not exercising appropriate governance over the privacy and security of their digital assets.” This is especially interesting – and troubling – in light of the continuing cyber attacks on enterprises and governments that are often discussed in the news and analyst reports in Australia.
It also reinforces my current call for an increased “security conscience” from the executive management and designated security executives in today’s companies and utilities in Australia.
Unfortunately there are several reasons that lead me to believe that major utilities in Australia are generally not ready for secure electric grid deployments. One reason is that the culture of security tends to be a “gotta do” to satisfy the regulators rather than being an imbued cultural norm from the CEO down to the field technician.
Another reason is that security in the AU electric utility space tends to be framed around the financial penalties for not complying with the National Standards rather than around the benefits of a strong security program for both the company and the neighbouring – and connected – electric utilities.
A final reason why security tends to be given lower tier status is that utilities are missing a key component: a leader who sustains and espouses a culture of cyber security throughout the organisation. In other words, they are missing an assigned cyber security leader who is a “security conscience” for the organisation. That leader is the champion who pushes the security agenda upwards to the executive management and Board of Directors as well as down to the field workers and general staff.
How do you get this culture established? How is it groomed? The first step is for the CEO to be the key advocate for a security mindset. The CEO needs to proclaim their expectation for an effective security program that first and foremost protects the company’s data and assets.
Secondly, the CEO needs to appoint and empower a senior security executive with adequate experience, credentials, technical skills and leadership capabilities to be the “security conscience.” This security executive should be permitted to “…ask the hard questions…” and ensure that security is part of the corporate culture and mindset. They should also have the ability to stop work – just like a Quality Assurance Manager – should security not be included in application code or program implementations. Of course, the security executive will need a team to help with this charge, and again, qualified, experienced staff should make up the security team.
Finally, I am not advocating that security be a huge cost centre. But I can also say that some studies have shown that “bolting security on” to systems after they have been deployed can cost up to three times more than the original expense of including security in the initial design of your systems, processes and programs. Hence those higher expenses can be avoided with a solid security program, which in turn helps pay for part of the security organisation and saves you money in the long run through more secure operations.
One final critical element is for the leadership of the numerous global companies to imbue staff with the knowledge that security and effective risk oversight and governance are good for the company, for the customers and for the employees. Given what’s at stake, it is well worth the effort.
Ernie Hayden is the managing principal, energy security at Verizon Energy & Utility Practice.