Tuesday, June 5, 2012

More Datapoints on the Current State of Electric Sector Cybersecurity Governance


In March we covered the preliminary CyLab report on the state of cross-sector security governance, and one of the things it taught me was that electric sector cybersecurity professionals are not alone in their quest to improve/increase the level of interaction and communication with senior executives in their companies, including the CEO and Board of Directors (BoD).

Other than financial services sector companies, whose reputation for being in the lead on security and privacy governance matters is corroborated, none of the other sectors covered (IT/Telecom, Energy/Utilities, Industrial) fares particularly well.

Well, the final Carnegie Mellon/CyLab report is out now, and it provides a lot more detail into which to sink one's teeth. You can begin with the press release HERE, or move straight into the 28-page full report HERE.

But with your limited time in mind, electric sector reader, I've cherry-picked a few salient nuggets for your more rapid consumption. First, an opening statement:
Interestingly, none of the energy/utilities sector respondents indicated that they have a Chief Risk Officer (CRO) even though their risks are high. The energy/utilities sector also places a much lower value on board member IT experience than the other sectors, which is puzzling since their operations are so dependent upon complex supervisory control and data acquisition (SCADA) systems.
Interesting: connecting IT experience with a foundation for grasping control systems security fundamentals. Certainly better than having no information systems background. And I didn't know CROs were rare in large utilities. Maybe the utilities that participated in this survey are not representative of the larger population for some reason. But I would have thought CROs were commonplace, even if their attention wasn't trained on cybersecurity risks.

Now let's go straightaway to electric sector conclusions:
  • The energy/utilities and IT/telecom respondents indicated that their organizations never rely upon insurance brokers to provide outside risk expertise, while the industrials sector relies upon them 100%
  • Energy/utilities and IT/telecom sector boards are not adequately reviewing cyber insurance coverage
  • The energy/utilities sector places a much lower value on board member IT experience than financial, IT/telecom, and industrials industry sectors
And let's conclude with this recommendation, since it squares so nicely with one of the oft-repeated themes of this blog:
Review existing top-level policies to create a culture of security and respect for privacy
This CyLab report is an interesting complement to the recently released IBM CISO Survey, the results of which were discussed HERE last month. I'm always glad to add others' takes on how our sector is faring, even if the findings are less than glowing. The truth, as they say, and presuming it's present to some degree in these reports, will set you free. Hopefully free to make things better.

Image credit: Magnetbox at Flickr.com