Tuesday, August 27, 2013

Declaration of Independence and Intent

I've been warming up and working in this space for years now, and if you've been a Smart Grid Security blog subscriber or an intermittent visitor, you may have noticed an evolution in cyber security thinking of sorts. Well, with changing the world as my goal, it's time to stop treading water and start swimming like I mean it. I just left IBM in order to bring a new type of security advisory service to energy sector organizations. Here’s a brief version of the concept:
You often hear that culture change is the hardest thing to accomplish in an organization. That may be, but to help put our sector’s cybersecurity preparations on a better course, I’m developing an approach focused on increasing organizational awareness and improving internal communications about the security issues that matter. It begins with senior leadership, extends throughout the enterprise and doesn’t stop until it reaches service providers and the supply chain. Most engagements will begin with an in-depth orientation briefing for senior stakeholders, followed by periodic meetings and dedicated hours of access so that I can be a resource whenever my input is needed.

You may already know how much I like measurement. Well, I also like forecasting the future, and when we're several years into this campaign, you'll be able to measure its success by the growing number of cybersecurity-engaged CEOs and Boards in our sector. You'll see them take steps to bridge the culture and communications gap with their increasingly senior security leadership, who themselves will be eschewing technical jargon for the lingua franca of business. You’ll also see more state regulators able to credibly fulfill their cybersecurity oversight roles and responsibilities.

You might ask: Is this a formula for guaranteed success? How hard will it be to pull this off? To which I turn to Niccolo Machiavelli, a friendly Italian man to whom I was introduced during my professional military studies at the Air Force Academy long ago:
"There is nothing more difficult to take in hand, more perilous to conduct, or more uncertain in its success, than to take the lead in the introduction of a new order of things."
So in case I haven't made it perfectly clear yet, the bar by which to measure success for this enterprise is extraordinarily high: setting into motion a new order of things in utility cyber security awareness and communications, as well as in the organizations that regulate them.

I left IBM just over one week ago after a great four-year run. We parted on good terms and I maintain excellent collaborative relations. I left to pursue something I can only fully do with the freedom of being on my own. But of course I can't really do all of this by myself. I'm going to need all kinds of partners, helpers, advocates, and clients to sustain this mission. Improving cybersecurity awareness and communications in our sector promises to be difficult but immensely satisfying work. Please join me.
