Back to the startups. As you know, we like to pose questions ... so here are a few:
- In a domain where security rigor is universally regarded as essential, how much security thinking is going on within these start-ups, and how long will the present level be enough?
- Put another way, when you're a small but growing company in the Smart Grid software or hardware space, how long can you hold out before adding a full time security professional to your team?
- Do you hire a security staffer once your development team reaches a certain size, say a headcount of ten, or should you put the security pro in place up front to help define the development process before you start writing real code?
- Given the amount of innovation required in most of these companies, how reasonable is it to expect that the CTO can juggle all the technology balls he/she is responsible for, and do a good job on security tasks (which will often seem like a distraction) at the same time?
I liken this to the situation that faced large and medium companies approximately ten years ago, when it was becoming clear that as they embraced the Internet for new capabilities, they were inadvertently bringing a whole host of new risks and vulnerabilities on board. This is from CSO Magazine in 2001 on why to hire a Corporate Security Officer and what he or she can do for you:
... a core responsibility of the CSO will be vulnerability assessment and risk management. Therefore the CSO should report to the COO or CEO. After all, the CSO will evaluate the technology environment and audit the security measures implemented by the CIO. It is in the company's and the CIO's best interest to have the CSO perceived as an impartial assessor of the technology environment instead of a possible rubber stamp .... Think of the CSO as the head of quality assurance for security.

In startup-land, there is no real need for C-level titles beyond CEO. But ignoring the titles, the functional benefits of a dedicated security staffer are clear, no matter what they're called. In other markets we have seen them labeled: Security Architects, Information Security Officers, Security Managers, Security Officers, Information Security Managers, etc. Depending on the offering and the market strategy, there's a mix of roles that these folks may fill, including ensuring the security of the company (its systems, processes and people) and the security characteristics of its products: hardware, software, or both.
Hyperbole aside, we all know that the Smart Grid is an area of growing and inevitable security risk. If I'm a utility, and as such am a prospective new customer for a startup, and I'm held accountable to the highest security standards by those who regulate me, I'm going to be damned sure that I put prospective vendors through the wringer before bringing their technology in house. And if I'm a startup, while having a qualified security person on my staff is no silver bullet, our guess is they'll be more than worth their salary as the regulators press their security cases and the utilities/customers get more and more savvy about risk.