Showing posts with label CSO. Show all posts

Monday, September 9, 2013

Conference Alert: EnergySec and NESCO Town Hall next Week


Ok, so usually I'm giving a heads-up about some conference or seminar you might want to know about, or even attend. But this time I'm saying that, but also revealing I'll be there too.

And I note, in the town where Peyton Manning recently threw 7 TD passes in one game and one can easily procure Rocky Mountain Oysters, I'll be joining luminaries from industry and a number of utilities too.

Here are the deets:

  • Where: Magnolia Hotel, Denver, CO
  • When: 17 - 19 September, 2013
  • What: Lots of stuff. Agenda HERE
  • How: Easy. You can still register HERE

For your edutainment, I'll be moderating a town hall style discussion about the current state and future of the cyber security workforce in the energy sector. We'll be considering full life (as in human life) cycle issues, from birth to tablet training, from kindergarten to college curriculum, from entry level security practitioners to ICS forensics wizards and all the way up the managerial stack to CSOs and CISOs.

Hope to break some new ground and capture some new ideas we can share with all and will do here on the SGSB during and/or right after. Will also tweet whenever possible using the hashtag #ess13.

Hope to see some of you there!

Photo credit: Daily Mail online

Tuesday, May 15, 2012

Announcing the First Electric Sector CSO List


You've been holding your breath for this, I know, so I'm happy to announce you can resume normal respirational activities. As the title says, this post begins the process of assigning kudos to utilities who've been so bold and proactive as to appoint and empower a senior professional to run cyber security across their organizations.

By this I mean a senior business (more than a technical) professional charged with developing, promulgating and enforcing security policy across operational and information technology boundaries, across all lines of business.

Monday, May 7, 2012

IBM CISO Study as Predictor of Future Electric Sector Cyber-Security


IBM recently interviewed security leaders in a bunch of companies, recorded their responses, and teased out findings that I think you'll find interesting.

Respondents ultimately fell into one of three categories: Influencers, Protectors and Responders. I can't say how many electric sector professionals were queried, but there's a callout box featuring an anonymous VP of IT who is quoted as saying:
Security leaders are becoming more closely integrated into the business – and more independent of information technology.
Right on, and from my interactions with the community, that statement holds true for a small but growing number of utilities.

Thursday, March 1, 2012

Electric Sector Not Alone in Moving Slowly re: Security Leadership and Governance


This CMU report came to me yesterday via Ernie (he's everywhere) Hayden. At 3 pages, it's short enough to consume with one cup of coffee, and its cross-sector findings jump out with alacrity:
  • "Today, cyber attacks have moved to a new level: corporate data is at a higher risk of theft or misuse than ever before, and the systemic nature of recent attacks has alarmed both industry leaders and government officials around the world. These issues now require active oversight by boards and senior executives"
  • New SEC guidelines require public co's to disclose cyber risks that "materially affect products, relationships, services, relationships with customers or suppliers ...."
  • CISOs and CSOs report that they "cannot get the attention of their senior management and boards and their budgets are inadequate"
The first two points I already knew, but that last one is a wake-up (for me, at least). Clearly, in other sectors, simply designating someone as a CSO or CISO isn't a cure-all for security governance. In fact, much depends on to whom the CSO/CISO reports, and clearly, on whether or not the board sees security and privacy as strategically important.

There are signs of slow progress worth checking out, as well as concluding recommendations. I'll give you one of them here:
  • "Establish the “tone from the top” for privacy and security through top-level policies"
Yes, that's leadership and culture change. Lou Gerstner, in his account of how he turned around a foundering IBM in the early nineties, says that was by far the hardest thing he tried to do. Also the slowest. Also something that can't be changed by a CEO alone.

Lou said (and I'm paraphrasing here) that he and other senior execs could help create an environment that would promote or allow for change, but that ultimately it was up to the employees themselves to make it happen. Yet it was also, in retrospect, the biggest difference maker of all his initiatives.

Stay tuned, a more detailed version of this report will be made available shortly.

Photo courtesy of bradipo on Flickr.com

Tuesday, January 31, 2012

Do Utilities need a Security Operations Center (SOC)?

Of course, it's presumptuous for me to presume to know what would work best for any given utility. I can only work from generalizations of the industry as a whole, so please don't take this the wrong way.

But yes, I most certainly think they do. And a CSO as well. I support anything that can make security a more tangible, centralized, measurable and manageable enterprise function. But of course you already know that.

However, it's not just me. Read THIS, from Dark Reading. Before that, though, a couple of snippets you may find useful.

After you decide to create a SOC ...
A good next step is to create the position of chief security officer or chief information security officer to place responsibility in a single executive-level employee, says Doug Graham, a senior director of information risk management for EMC. Putting the responsibility for security in a single position can help focus an organization's security efforts.
And according to Nicolas Fischbach of London-based Colt Telecom Services ...
As the security initiative develops, a company will typically seek out better visibility into what is going on in its network. Many companies do not have a full inventory of their information assets, and embarking on a program to create a security operations center can be enlightening.
Fischbach also offers this zinger, which may be counterintuitive to some folks:
The first reason to have a SOC is not to do security enforcement, but to get visibility into your environment.
After all, you want to know your weaknesses before others find them ... which can lead to unhappy things like THIS.