Monday, April 23, 2012

Time for the Electric Sector to Measure Up on Security

Let me begin by saying I'm so sick of alarmists. We are implored to "Constant Vigilance!" by Mad Eye Moody and to constant vigilance we at the SGSB are committed. But not to constant cowering.

OK, that said, you may recall I have a jones for business metrics. So much so that lately I've been suggesting them to the DOE Electric Sector Cyber Risk Management Maturity folks for inclusion in the Program Management part of their model.

Amidst the latest spate of Smart Grid security fear and loathing (documented here and here last week, and earlier here and here, etc.), maybe what Congress, FERC, utility boards of directors, consumer protection groups, and the man on the street need is evidence that we're making progress on protecting the grid and its constituent elements from the various forms of lurking badness out there.

Maybe that evidence, to be readily consumed by all of the above, needs to be communicated in plain language. Let's agree that business language is plain language.

So let's begin with Enernex CEO Erich Gunther's GridSec 2012 monster keynote preso Pragmatic Approach to Utility Cyber Security and one slide in particular "Approaches that Fail". These should all be quite familiar to y'all by now:
  • Attempting to explain the situation technically
  • Overwhelming with statistics – number of attacks, names and types of attacks, enumerating systems potentially affected
  • Using the “sky is falling approach” – we’re doomed!
  • Depending on government and regulation to “fix it”
For me, this outstanding presentation was an expertly crafted electric sector extension of Gartner Group analyst Jeff Wheatman's seminal 2011 paper: "Why Communication Fails: Five Reasons the Business doesn't get Security's Message". I'm going to grab one of Erich's "Pragmatic Conclusion" bullets to segue to the next piece:
  • We need to be more well versed in the disciplines of the core businesses we are trying to protect
By apparently Divine intervention, Robb Reck's article, Making Security Metrics that Matter (to Business) was just published on InfoSec Island, where I found it this morning. The morning of the same day (today) I actually needed it.

Robb begins by asking security folks:
What are the strategic goals for your organization in 2012? Can you recite them off the top of your head? If you can't, you're not alone. The inability of enterprise security teams to answer those questions is one of the biggest obstacles facing our discipline today, and it's the biggest reason current [overly technical] security metrics do not grab the attention of organization leaders.
He provides some excellent large and small company examples and begins his conclusion with:
Gone are metrics like “vulnerabilities found” and “patch level.” In their place are metrics that directly address the priorities of the business. By crafting the metrics in the language of our business leaders, we are demonstrating the value of their security investment in a way that matters to them.
I'll begin and finish my conclusion with the one security business metric that rules them all: the appointment and empowerment of a Chief Security Officer (CSO), with purview across the entire enterprise, and the authority to set and enforce security policy in both the IT and OT realms.

Show the man on the street and others an expanding list of utilities with CSOs as described above, and you can bet they'll all be sleeping better at night. And maybe we can all get up before the next alarm goes off.

Photo credit: mnapoleon at