Tuesday, May 22, 2012

WSJ on Speaking Cybersecurity Truth to Power

This is a short post with a security message that appeared in a prominent place, a message worth repeating.

In the Wall Street Journal's relatively new CIO Journal, editor Michael Hickins highlighted recent statements from a local Boston-area healthcare CIO, and pointed to preliminary findings in a Carnegie Mellon cyber security and corporate governance report.

In "Speak Cybersecurity Truth to Power", Hickins said:
Boards of directors are clueless when it comes to cybersecurity — and that’s a great opportunity for CIOs to prove their worth. John Halamka, the highly regarded CIO of Beth Israel Deaconess Medical Center in Boston, tells CIO Journal that “cybersecurity is a great way to stay in touch with the board because there’s high visibility.”

Claiming that the evidence shows most boards are out of touch on security matters, Hickins notes:
They might pay more attention if they realized the average cost of a data breach was $5.5 million in 2011, and they’d certainly pay more attention to you if they realized you understand the business implications as well as the technological underpinning of security.
This Journal article provides additional background for his remarks. Remember, he's talking about CIOs here, not CSOs. In our sector, to get a better handle on security, privacy and compliance matters, we need CSOs as well as lower ranking utility security chiefs capable of establishing the kind of BoD access and rapport being described here.

Maybe NBISE, in addition to creating a better breed of cybersecurity practitioner, can help define and grow a corps of energy sector security executives comfortable with working at the BoD and C-suite level. Mike Assante and team, would you mind adding this to your to-do list? Before one can speak truth to power, one has to be able to speak to power.