Friday, August 30, 2013
The Things I've Seen Series: Part 1 - Utility Security Governance Boards
In the final moments of Blade Runner, Rutger Hauer's character, close to death, tells Harrison Ford: "I've seen things you people wouldn't believe."
Over the course of the next several posts I'm going to go through some of my sanitized field notes and let you see things you may or may not believe, some good, some not so good. Nothing quite as cosmic as what Hauer relates in his final moments, but it should be interesting if you're in or work with the industry.
Let's start off the series on a positive note with the formation of Security Advisory Boards. Investor Owned Utilities (IOUs) typically have a number of boards: executive, safety, governance, audit & compliance, etc. However, you can dig through annual reports and review the investor information sections on company web sites for a long time and you likely won't find much, if anything, relating to cybersecurity risk strategies, concerns or activities.
Yet in visits to utilities over the past 2 years I came upon half a dozen or so that had either assembled a representative group of various executives and functional leads to talk about cybersecurity from an enterprise-wide perspective, or were getting ready to do so. Members tended to include the CIO, the head of cybersecurity, the head of physical security, leadership from different functional areas, and one or two more senior executives.
Some of the potential benefits include improved flow of communications between different parts of the company, more business input into security policy and planning, and better understanding across senior management about current security status, emerging requirements, and new threat types.
Perhaps some of these utilities made this move according to their own logic. Others, possibly, noticed a recommendation for standing up security governance boards in DOE's 2012 ES-C2M2 (the Electricity Subsector Cybersecurity Capability Maturity Model), which you can download HERE.
My hunch is the percentage of utilities with security focused boards of any kind is in the single digits, maybe the low single digits. Nevertheless I am heartened by what seems to be a nascent trend. For utility CEOs or boards who want to respond to regulator calls for more oversight and activity on cyber, this is one inexpensive, non-disruptive way to begin.
Image credit: Assolutamente ma anche no Tumblr