Have gotten some less-than-happy feedback from a number of readers, so in the interest of giving you access to additional points of view, here's a bulletized critique from a concerned utility industry professional:
- Survey size is too small to produce meaningful results/findings (e.g. 108 respondents, with only 14 or so in the "utility/energy" category)
- Not sure what types of companies fell in the “Energy and utility companies” bucket. It's unclear if many or any are electric power
- In addition, the survey was global, with a minority of respondents (40%) based in North America and it's unclear whether there were any energy/utility co's from North America
- The survey states opinion (vs. evidence) concerning the adequacy of corporate board and senior executive review of risk
- The survey makes erroneous judgments about an organization’s ability to manage cyber security and privacy risks regarding the presence or absence of corporate officers with particular titles or the composition of corporate audit/risk committee structure
That said, I will now critique the final one or two critiques and wax forth from there.
From both an efficacy point of view as well as how it affects perceptions, I think corporate structure matters. As long-time (aka long-suffering) readers of the SGSB may recall, we often advocate on behalf of electric utilities appointing and empowering increasingly senior (org-chart-wise) cybersecurity professionals to executive positions. We did so HERE a few months ago, for example.
While there are many ways to skin a corporate function cat, certain established patterns and best practices have emerged that, by consensus, we've agreed get the job done. Having a CEO, CFO and an independent board, for example.
Hence in almost every large-to-medium company you'll find these positions filled. Having these positions is no guarantee that the company is running optimally or even well, but you can be pretty sure that vacancies in these positions will be an impediment to sustained success.
And now that cybersecurity has become an elevated concern to almost every utility company stakeholder and oversight organization, that's the lead-in for the case for establishing a senior-level position to serve as focal point for determining cybersecurity requirements and executing on them, enterprise-wide.
I could go on, but readers appreciate short posts and so do I.