Monday, September 30, 2013

Putting all our Cybersecurity Eggs in Technology Baskets

Attackers perform discovery, surveillance, intrusion, denial of service and exfiltration with software tools. Defenders defend with tools of their own in the domains of network security, system security, application security, data security. The "good guys" also:
  • Encrypt data in hopes it will remain secret in transit and at rest
  • Patch and patch and patch and patch applications ond OSs
  • Pen test to see if they can find and fix weaknesses before the attackers do
  • Monitor and inspect network traffic and analyze logs for abnormalities
  • And oh so much more ...
Organizations spend millions on defensive technologies, purchasing and/or subscribing, deploying, integrating, updating and yet CISOs still have no dependable process for demonstrating to senior utility leadership the amount of cyber protection they're adding, or put another way, the amount of business risk accepted.

Recently we've seen the DoE and NRECA announce seed grants to help suppliers perform R&D for new technological solutions to cybersecurity challenges facing utilities. Some of these may prove useful to utilities, suppliers, and their services organizations.

Now I almost never use bold, italics or underlining for emphasis. Prefer to let the right words do the work.

But none are likely to substantially address the fundamental issue that cybersecurity threats are a hard-to-quantify risk to business, have human origins, and that improved human awareness and behavior can drive better outcomes in ways everyone can see and understand.

NERC CIP-004: "Cybersecurity - Personnel and Training" calls for humans who have access to critical cyber assets (CCAs) to have appropriate security training and awareness. But the CIPS cover only a very small part of the grid, and as we've seen, it's not just the folks who touch CCAs who can cause significant damage to an organization through their wrong actions ... or wrong inactions.

There are technology products that aim to effect improvements in human behavior (e.g. PhishMe). And there are universities and training organizations galore, some of them even beginning to add industry-specific operational technology (OT) content to their cybersecurity instruction.

And yet many utilities and the government organizations that seek to guide them continue to look almost exclusively to technology to save the day.  Here are two things you can do to begin to flesh out the people pieces:

1) Look at the org chart.  Look at how involved and cyber-aware are the board, the CEO, CFO, GC, etc. You could certainly argue they have bigger (or at least other) fish to fry, but if they knew a little more they might well move cyber threats a bit higher up on their ladder of strategic risks to reliability.

2) See how the CISO is empowered, where he/she sits in the organization, how often he/she briefs the board and corporate officers, and whether he/she has authority to set and enforce security policy enterprise-wide.

There's a lot more of course, but the closing pedantic message of this post, before it sprawls too long, is: don't short the human part of the cybersecurity equation. Humans are the problem, and humans can and should be a  much bigger part of the solution.

Photo credit: JS @

1 comment:

Nancy Jorden said...

This is very helpful for those that are trying to have a good site security . This is awesome. Thank you.