We are dealing with some raw data here, but one thing jumps out after speaking with a dozen or so Smart Grid startups in the Exhibition area: few of the new startups employ a security professional. Some are flatfooted when asked whether and how their product is secured; some are more assured. But even in the latter case the answer tends to be that "the CTO handles security."
There is little doubt that the CTOs of these organizations are highly skilled and technically very deep. But, given the nature of many of these cutting-edge providers, they are much more likely to be schooled, and buried, in issues directly related to the functionality that they are attempting to provide. Security will necessarily be put relatively low on the priority list, particularly in the absence of any specific requirements or breaches identified by others external to the company.
One phenomenon we noticed was that the impetus for even having a name to assign to security comes from more consistent utility behavior in this area. Almost to a person, the people we interviewed said that the security resource was identified because the utilities demanded that their vendors have a person with security responsibility. Kudos to the utilities, and here's hoping that the security person in name will grow into a security resource in fact, as the requirements of their position are more fully articulated going forward.
We will continue to reach out to the CTOs in the coming weeks to better understand their familiarity with and efforts in security, and will bring that to you here.
1 comment:
Your post is very nice; it helped me to gather important and new information on cyber security SCADA. Thanks for sharing information.