Calls for Enhanced Enterprise Security Governance Starting to Steamroll

Though I've been approaching this issue from a sector-specific perspective for years, lots of what's been in the news lately (and I mean lately) is intended for all technology-enabled sectors. Which pretty much means every business and every organization that intends to maintain consistent and reliable operations in the near and mid-term future.

First off, and with origins that predated the Target breach that's credited with generating most of this activity, was DOE's Energy Advisory Committee giving thumbs up in May to a paper on this topic on Security Governance. It proposes that DOE pursue potential upgrades to how energy companies organize and run themselves from a security perspective. Titled: EAC Recommendations for DOE Action Regarding Implementing Effective Enterprise Security Governance - Outline for Energy Sector Executives and Boards, among other things, this paper lists the following "Characteristics of Effective Security Governance":

• Clearly defined responsibilities from the board of directors to senior leadership to employees 
• Presence of an active Security Governance board comprised of senior stakeholders from across 
• the company 
• An executive owner of enterprise security: with purview over IT, OT and physical security policy designated CSO or similar 
• Striving for 100% alignment with of security with business/mission 
• Using measurement of key indicators to increase awareness and drive improvement (with 
• maturity tools like DOE's ES-C2M2) 

Security Governance Ripples from Target Breach

You know the saying, if you want a different result, best not to keep doing the same thing. In this case, the result was the massive data loss breach involving loss of the records of 40 million customers at mega retailer Target.

In its wake, CEO Gregg Steinhafel stated that he is "elevating the role" of its chief information security officer and hiring outside the company to fill the position.  According to this NY Times article from early March, bringing on a new CISO will help Target centralize the company's security responsibilities.

And while the timing is coincidental, I owe Schweitzer Engineering Laboratories' Sharla Artz thanks for pointing out that Wisconsin based electric utility Alliant Energy Corp just made a similar move. For me, there are several promising parts to Alliant's announcement at the recent EnergyBiz conference that it had just:

Created an executive-level opening ... for overseeing cyber and physical security. The position was designed to bring cyber issues out of the weeds of the IT shop, where CEOs generally don't tread.

What I like best about this is:

• The company didn't have to endure a huge security incident to justify this change to the org chart
• The position is clearly not going to be buried in an IT silo, so it should have authority to set security policy across IT and OT
• Reflecting a convergence that's happening in many energy enterprises, this new security exec will oversee both cyber and physical security

Hopefully we'll see more utilities make similar moves ... and soon.

Image credit: Michael Durham at fineartamerica.com

Singer & Brookings on the Security Governance/Ownership Vacuum

Analyst and author Peter Singer of the Brookings Institute has a new book out intended for everyman. And everywoman. To include particularly those types who consider themselves non technical, or as I've heard cyber folks in DOD refer to them - tech immigrants (vs. typically younger tech natives).

The net he casts is wide enough to captures senior government and business leaders too.  Below are excerpts from a recent interview with CNN/Fortune that really resonated with me, with particular applicability to our sector:

"Stop looking for others to solve it for you, stop looking for silver bullet solutions, and stop ignoring it." 

Moving Beyond Technical: Use Security Governance Strategies to Integrate Security with the Mission

If like me you've come to the conclusion that a tech-centric strategy can only get us so far in energy sector cyber risk management, then you might want to see some of the source materials I've come across in my explorations.

The two I'll point to in this post are from Carnegie Mellon University's CERT program and PricewaterhouseCoopers' cybersecurity consulting practice.  What they have in common is that they are both several years old.  This is not VC or DARPA-funded cutting edge stuff.  It's human behavior stuff, and as such, it's not on an upgrade path anything like iOS, Android, or "Next Generation" firewalls. But neither are these concepts rapidly deployable, as you'd be hard put to find them put into practice widely at many utilities in 2013.

Putting all our Cybersecurity Eggs in Technology Baskets

Attackers perform discovery, surveillance, intrusion, denial of service and exfiltration with software tools. Defenders defend with tools of their own in the domains of network security, system security, application security, data security. The "good guys" also:

• Encrypt data in hopes it will remain secret in transit and at rest
• Patch and patch and patch and patch applications ond OSs
• Pen test to see if they can find and fix weaknesses before the attackers do
• Monitor and inspect network traffic and analyze logs for abnormalities
• And oh so much more ...

Organizations spend millions on defensive technologies, purchasing and/or subscribing, deploying, integrating, updating and yet CISOs still have no dependable process for demonstrating to senior utility leadership the amount of cyber protection they're adding, or put another way, the amount of business risk accepted.

Recently we've seen the DoE and NRECA announce seed grants to help suppliers perform R&D for new technological solutions to cybersecurity challenges facing utilities. Some of these may prove useful to utilities, suppliers, and their services organizations.

Now I almost never use bold, italics or underlining for emphasis. Prefer to let the right words do the work.

But none are likely to substantially address the fundamental issue that cybersecurity threats are a hard-to-quantify risk to business, have human origins, and that improved human awareness and behavior can drive better outcomes in ways everyone can see and understand.

NERC CIP-004: "Cybersecurity - Personnel and Training" calls for humans who have access to critical cyber assets (CCAs) to have appropriate security training and awareness. But the CIPS cover only a very small part of the grid, and as we've seen, it's not just the folks who touch CCAs who can cause significant damage to an organization through their wrong actions ... or wrong inactions.

There are technology products that aim to effect improvements in human behavior (e.g. PhishMe). And there are universities and training organizations galore, some of them even beginning to add industry-specific operational technology (OT) content to their cybersecurity instruction.

And yet many utilities and the government organizations that seek to guide them continue to look almost exclusively to technology to save the day.  Here are two things you can do to begin to flesh out the people pieces:

1) Look at the org chart.  Look at how involved and cyber-aware are the board, the CEO, CFO, GC, etc. You could certainly argue they have bigger (or at least other) fish to fry, but if they knew a little more they might well move cyber threats a bit higher up on their ladder of strategic risks to reliability.

2) See how the CISO is empowered, where he/she sits in the organization, how often he/she briefs the board and corporate officers, and whether he/she has authority to set and enforce security policy enterprise-wide.

There's a lot more of course, but the closing pedantic message of this post, before it sprawls too long, is: don't short the human part of the cybersecurity equation. Humans are the problem, and humans can and should be a  much bigger part of the solution.

Photo credit: JS @ Flickr.com

Cyber Achilles Heal Afflicts Electric Sector (and other) Senior Leaders

Just for fun, let's begin with a few quotes from an article in yesterday's Wall Street Journal of the mind-blower variety:

Executives are disconnected from reality when it comes to IT and security.

Top leaders seem particularly inclined to do things their IT departments warn against, such as opening email from unfamiliar senders, or clicking on links.

During ... simulated attacks, top executives are 25% more likely to click on the links that in a real attack could install malware. One reason ... is that most senior leaders skip company programs on developing cautious email habits.

You can visit this WSJ page below for the full article and attribution.

But wow. What a cyber Achilles Heal we've got if the folks with access to the most important, most sensitive info in our companies are the easiest to scam into coughing it up.