Showing posts with label data security. Show all posts

Monday, April 9, 2012

Economist on Data Breaches in US and Europe: As Always, Leadership is What's Needed


I've brought The Economist into the SGSB fray before and I'll do so again now.  There's a short piece just posted on one of their online nodes that talks about two recent studies on data loss and how it might best be averted.

Here's an excerpt:
    [Out of 600 European businesses surveyed] more than half thought that technology can solve the problem. Only 1% of the businesses surveyed believed it concerned all employees—and thus required a change in behavior.
I'm no technophobe, but neither am I a technophile, at least not from a cybersecurity point of view. For me the lion's share of the most effective security and privacy solutions focuses on the humans, and one particular type of human is a must if we're ever going to get in front of these problems: the leader.
    Symantec’s study found a correlation between having a senior executive in charge of information security and lower costs of data breaches. “It has to start at the top,” says Marc Duale, Iron Mountain’s head.
You can read the whole thing HERE ... it's pretty short, and makes an interesting comparison between American and European approaches.

Photo credit: SteFou! on Flickr.com

Wednesday, August 17, 2011

California Shows the Way with Customer Electricity Usage Data Security & Privacy Ruling

Show me another state (or country for that matter) that's doing this much. The California Public Utilities Commission (CPUC)'s proposed decision became a decided decision while I was away, so if you haven't had time to check it out yet, here's a good short summary from IDC's Usman Sindhu.

In play are:
  • HAN networks (for real)
  • Real-time pricing signals for consumers
  • 3rd party access to usage data with customer consent
  • New security and privacy rules for the big 3 CA IOU utilities with CPUC oversight
But if you insist on reading the entire ruling, then by all means, click HERE for it. I won't try to stop you.


Friday, July 29, 2011

From the Left Coast comes Big News on Smart Meter Data Privacy Regs

No time to pontificate on this now, but wanted to make sure you saw the news. CPUC's formerly proposed decision has just become a decision, one whose implications could ripple across the US and impact future Smart Meter and Smart Grid deployments. See the Jesse Berst quick take on it HERE.

Thursday, October 14, 2010

Common Sense and Common Knowledge

At the 2010 RSA Conference in London this week, long-established security visionary Ira Winkler was giving a speech entitled "If you tweet what you had for lunch, you deserve to be robbed". It was a very entertaining presentation about the amount of information people are unintentionally sharing into a public environment that is populated with both well-meaning and ill-intentioned folks. Perhaps a summary would be useful here, but that isn't really the point of this piece.

During Ira's presentation, he discussed the linked concepts of "common sense" and "common knowledge". In the social networking community, a lack of knowledge among many, particularly the young, about how all of this sharing could really hurt them, leads to decisions that we see as stupid, as lacking any sort of common sense about privacy, propriety, and personal space. As he was describing the disconnect between these adult values and the narcissistic need to share, I started to think about the challenges we are seeing in achieving a real and consistent set of common goals or methodologies as we work to secure the Smart Grid.

We see some organizations expressing security in terms of reliability, others in terms of privacy, still others in terms of financial justification and utility viability. A quick couple of keystrokes brought up some examples:

  • NRECA has provided some content that is customized and adapted to various smaller utility newsletters that talks about "Balancing Smart Grid Buzz with Common Sense". It presents a view of the coming Smart Grid in more conservative terms, tamping down some of the projected customer enthusiasm about new features with a strong dose of cautionary logic. The Dawson Public Power version of the piece closes with:
    "There’s a big difference between being on the cutting edge or the bleeding edge of technology. Dawson Power wants neither. We want the “proven edge”..."

  • On the other hand, common sense means something very different to some Smart Grid deployers in Texas. According to an article in Electric Light and Power, it is about evolution and revolution:
    “Texas is the one I always point to, and the main reason, I would say, is they are taking a very common sense approach,” [eMeter chief regulatory officer Chris] King said. “The legislature passed a law saying, ‘We want smart meters.’ They didn’t spend 10 years trying to boil the ocean. They have home area network interfaces in the meters, as does California, but in Texas they’re already live. California is a year away, maybe two.”

    Texas knows they’re making mistakes—they’re small—and they make a fix.

  • In April, the New York Times carried this thought on a differing style of Smart Grid common sense:
    ...Ralph Izzo, chairman and CEO of New Jersey's Public Service Enterprise Group, said better marketing may not be the answer to addressing the gap in consumer understanding of electricity use or changing consumer behavior.

    "I think we tend to overstate the contribution that sophisticated technology can and should make," Izzo said.

    "I feel like just shouting, 'Stop. Apply some common sense,'" he said. "Before we start championing multibillion-dollar investments in smart grids that control set-back temperatures on refrigerators because there is or isn't going to be a Super Bowl ... we need to get folks to caulk around their windows,"

So what do we do with all of this?

The fact of the matter is that there does not exist a common base of knowledge, objectives, or outcomes that can be applied to the megalithic, polymorphic thing we think of as the Smart Grid. This means that individual organizations, regulators, customers, and implementers will likely have a different basis from which to develop appropriate solutions and timetables. As so often happens, the definition of common sense is not so common. That isn't because the concerned parties aren't sensible; it's because they are highly sensible to their own uncommon needs.

This teaches us a new lesson: solutions and proposals need to be very specific in their goals and rationales, and organizations must establish a common base of knowledge for discussions on any proposal's merits. Only with that shared understanding can we rely on the "common sense" of good people to create solutions that will ultimately make sense for the common good.



Image courtesy of Casey Brown

Sunday, June 20, 2010

Without Further Adieu: Smart Grid Security Data Security Deck

For those of you who are regular or occasional readers of the SGSB, you may have noticed our day-job commitments occasionally impede our aspirations for posting material in a snappier manner on the blog. Nevertheless, we have just made last month's PowerPoint deck available for viewing and downloading here.

Also want to let you know we'll be handling upcoming webcasts a little differently, with videos covering designated Smart Grid security subjects posted on or about the days in brackets below:

  • IT System Security Challenges and the Smart Grid (June 30)
  • An introduction to Smart Grid-related Standards and Regulations (July 28)
  • Understanding the SoftGrid: Assuring security and privacy for your Customer Portal and other new applications (Aug 25)
  • Approaches to securing AMI (Sep 29)
  • Security and Privacy from the Customers' Point of View (Oct 27)
  • Understanding and Empowering a Smart Grid CISO (Nov 24)
  • Violable but Reliable: Preparing for the inevitable breakdown in Smart Grid security (Dec 29)
  • All the places we have been: A 10th Session Recap of Smart Grid Security (Jan 26)
If you have questions you'd like to see addressed in any of these, particularly the June 30 presentation on IT Systems Security (initially addressed in a recent post here), please submit them ahead of time to our email address. OK? Au revoir ... for today.