There is little doubt that the CTOs of these organizations are highly skilled and technically very deep. But, given the nature of many of these cutting-edge providers, they are much more likely to be schooled, and buried, in issues directly related to the functionality they are attempting to provide. Security will necessarily sit relatively low on the priority list, particularly in the absence of any specific requirements, or of breaches identified by others external to the company.
One pattern we noticed was that the impetus for these vendors even having a named security owner comes from the more consistent behavior of the utilities in this area. Almost to a person, the interviews we performed produced a statement that the security resource was identified because the utilities demanded that there be a person with security responsibility at the vendor. Kudos to the utilities, and here's hoping that the security person in name will grow into a security resource in fact, as the requirements of the position are more fully articulated going forward.
This blog maintains that the great Smart Grid project could fail, or fail to thrive, largely based on its ability to get security reasonably right, and because adoption will be partially determined by industry and public perception of its safety. The finding that young Smart Grid companies, as represented here, have not prioritized security action beyond assigning a title and a responsibility is a concern. Some of the firms, like Itron and Gridpoint, have taken time to articulate their security strategy, and that is definitely a step forward, but there is much work to be done by all in describing, and demanding, a consistent security emphasis going forward.
We will continue to reach out to the CTOs in the coming weeks to better understand their familiarity with, and efforts in, security, and will bring that to you here.