Tuesday, May 15, 2012

Announcing the First Electric Sector CSO List

You've been holding your breath for this, I know, so I'm happy to announce you can resume normal respirational activities. As the title says, this post begins the process of assigning kudos to utilities who've been so bold and proactive as to appoint and empower a senior professional to run cyber security across their organizations.

By this I mean a senior business (more than a technical) professional charged with developing, promulgating and enforcing security policy across operational and information technology boundaries, across all lines of business.

Though I'm sure there's no one magic formula, IMHO the ideal is a Chief Security Officer (CSO) reporting directly to the COO, CRO or CFO. Of course, some companies haven't formalized the position yet, but have an individual with a lesser title who has the functional authority and executive backing to get the job done. Others are part-way there, designating a CISO reporting to the CIO. This is promising, but it suggests that at least half the company, and significantly the operational half, has no such formal cyber security leadership.

A big part of naming a C-level or VP in charge of security is what it communicates to the employees of that company ... how it moves the culture to consider security a strategic concern. Of course, other key audiences are the various external stakeholders and oversight bodies. As we said in an earlier post, it's possible Congress might feel less compelled to add another layer of security legislation to the sector if it saw more utilities self-organize around security objectives, independent of fines and other punitive compliance actions.

As frequent readers will note (or lament), we've promoted the concept of elevating security responsibilities to the highest levels of the corporation about a septillion times on the SGSB, including most recently HERE and HERE. But from this vantage, it's easily the #1 organizational security maturity metric.

In practical reality, a lot depends on to whom the security chief reports. A highfalutin title reporting to a QA associate would defeat the intent of this round-up. But some of those org-chart details are going to remain opaque, at least in the earliest phase of this effort.

Now without further delay, here's a most-definitely incomplete list drawn from my own experience and input from a few others in the industry. There seems to be a good number of Directors, and that's a good sign I think. But with a short list to start, I'm including CSOs, CISOs and VPs of things that sound like cybersecurity:

  • National Grid: Robert Coles, CISO & Head of Digital Security and Risk
  • DONG Energy: Hans Lund-Andersen, Group CISO
  • OGE Energy: Larry Saxon, CISO
  • Entergy: Chris Peters, VP of Critical Infrastructure
  • TVA: David Jolley, VP of Security & Emergency Management
  • AEP: Michael Assante, CSO
  • PG&E: Dave Tyson, CISO
  • Seattle City Light: Ernie Hayden, CISO

There are thousands of utilities in the US alone and I've just ID'd a handful of senior security leaders, so I've definitely missed some folks here. Please respond by email if you have an addition or correction. I plan to publish an updated list periodically, and may create a survey at some point to get at some of those reporting chain details. Andy over & out.

Image credit: can't find one, so let's just say "The Internet"