Tuesday, June 12, 2012

Talking Back to the CMU/Cylab Report's Energy Sector Findings

The report in question is the CyLab 2012 Report - Governance of Enterprise Security: How Boards & Senior Executives Are Managing Cyber Risks. I posted on this report recently, HERE; that post includes links to it.

I have gotten some less-than-happy feedback from a number of readers, so in the interest of giving you access to additional points of view, here's a bulletized critique from a concerned utility industry professional:
  • Survey size is too small to produce meaningful results/findings (e.g. 108 respondents, with only 14 or so in the "utility/energy" category)
  • Not sure what types of companies fell in the “Energy and utility companies” bucket. It's unclear if many or any are electric power
  • In addition, the survey was global, with a minority of respondents (40%) based in North America, and it's unclear whether there were any energy/utility companies from North America
  • The survey states opinion (vs. evidence) concerning the adequacy of corporate board and senior executive review of risk
  • The survey makes erroneous judgments about an organization's ability to manage cybersecurity and privacy risks based on the presence or absence of corporate officers with particular titles or the composition of corporate audit/risk committee structures
I found many of these points well-founded and worthy of airing here. In order to provide valuable insights for our sector, and particularly for the US and North America, one would want hundreds if not thousands of data points. That, I'm afraid, was beyond the budget, scope and/or timeline of the team doing this research.

That said, I will now take issue with the final critique (or two) and wax forth from there.

Both for efficacy and for how it shapes perceptions, I think corporate structure matters. As long-time (aka long-suffering) readers of the SGSB may recall, we often advocate that electric utilities appoint and empower increasingly senior (org-chart-wise) cybersecurity professionals in executive positions. We did so HERE a few months ago, for example.

While there are many ways to skin a corporate-function cat, certain established patterns and best practices have emerged that, by consensus, we've agreed get the job done: having a CEO, a CFO and an independent board, for example.

Hence in almost every medium-to-large company you'll find these positions filled. Having these positions is no guarantee that the company is running optimally, or even well, but you can be pretty sure that vacancies in them will be an impediment to sustained success.

And now that cybersecurity has become an elevated concern for almost every utility company stakeholder and oversight organization, that is the lead-in to the case for establishing a senior-level position to serve as the focal point for determining cybersecurity requirements and executing on them, enterprise-wide.

I could go on, but readers appreciate short posts and so do I.