This article is part of a special CXO Report on the cybersecurity talent pipeline.
In the fall of 2012, the Department of Homeland Security summoned 80 top U.S. utility CEOs to a meeting at Peterson Air Force Base in Colorado Springs, Colorado. The department gave each of them a secret-level clearance for the day and briefed them on emerging cybersecurity threats. When it was over, a Homeland Security official at the time said he overheard one CEO say, “They’ve got my attention but to be honest, I don’t even know the name of our security guy … Seems I better get to know him and fast!”
Five years later, however, most large corporations — including those in the Fortune 1000 — are still functioning as if cybersecurity is more of a nuisance than a strategic risk. Even as massive data breaches continue hitting the biggest corporations in America, many CEOs still downplay the fact that criminal hackers are getting more sophisticated and that cyberattacks pose an existential threat to their companies — not just costing them many millions of dollars but potentially their brands’ reputations and their own jobs.
This is true across the business world, but it’s especially the case among energy companies and other organizations that operate critical infrastructure, such as water treatment facilities and chemical plants. I know this firsthand as a senior cyber and energy security strategist for the Idaho National Lab, one of the nation’s foremost research centers focused on energy and national security. While a cyberattack on a bank could result in a significant loss of money and sensitive data, an attack on a power generation facility, hospital, or transportation facility could cost lives.
One common-sense solution for ensuring security gets the attention it now requires is for organizations to appoint and empower a true chief security officer (CSO), at the VP level or higher, with purview over IT and operational technology (OT) assets, including cyber and physical security systems and networks. At a time when corporate dependency on digital technologies is nearly complete, sticking with a business-as-usual structure is outdated and unwise. It’s no longer good enough to have a so-called chief information security officer (CISO) buried in the organizational hierarchy under the chief information officer (CIO).
“It’s time for organizations to appoint CSOs with both technical and business leadership attributes,” says Michael Assante, director of critical infrastructure and industrial control systems at the cybersecurity training organization SANS Institute and former CSO of American Electric Power. “Most CISOs are far too pigeonholed to effectively deal with the material nature of attacks and help CEOs navigate these turbulent times. Yesterday’s governance models don’t live up to today’s business realities.”
Today, no one needs regular and completely candid communications on cyber risks more than the CEO. Forrester Research recently published a report based on a survey of Fortune 500 companies and found that just 4 percent of executives responsible for security were at the SVP level and 27 percent held VP titles. The rest, we can assume, are directors and even managers — and that’s at companies with revenues of no less than $5 billion in 2017.
According to research from CIO magazine, 70 percent of organizations are content having their highest-ranking security employees report to the CIO. And that’s a problem. It means that the organizations’ top cyber watchdogs are a long throw from their ultimate bosses — boards of directors — and the other key business leaders responsible for mitigating strategic business risks. Even companies that claim to have a CISO aren’t really focused on the problem at the highest levels because that individual is still reporting to the CIO. That means they are typically no higher than a director or senior manager and aren’t a member of the C-suite, nor a corporate officer.
Three glaring problems arise from this anachronistic approach to security governance:
- CISOs face inevitable conflicts with their boss (the CIO), whose principal job is to deploy new technologies that drive profits and efficiencies.
- CISOs under CIOs aren’t in the position to align security priorities with the company’s other strategic business goals.
- CEOs and board members need constant and regular interaction with their company’s cybersecurity expert to build trust and rapport. They don’t get that from people far down the organizational chart.
To Assante, and many other working CSOs, resistance to elevating the CSO position flies in the face of what he sees happening all around him: namely, recent multi-hundred-million-dollar breaches at companies such as Merck, Maersk, and Equifax. But there are signs of improvement. After a major cybersecurity incident a few years ago at Iberdrola USA (since renamed Avangrid), the Rochester, New York-based electric utility company promoted Keri Glitch to vice president and CSO reporting directly to the CEO. It’s a trend Glitch is noticing at other utility companies. At her current job with the Midcontinent Independent System Operator (MISO), she was hired directly into a true CSO position, responsible for securing an electricity transmission system spanning 15 states that run north to south, from Michigan to Mississippi.
There’s an important caveat here: Glitch never lobbied for the new position at Iberdrola; it was entirely the CEO’s call. In fact, in almost all cases where manager- or director-level CISOs have made the case for the elevation of the top security position, it was seen as mere self-promotion and quickly denied.
The current approach to cybersecurity isn’t working. In fact, only 15 percent of corporate boards are completely satisfied with the level of cybersecurity reporting they’re getting from management, according to the National Association of Corporate Directors. It’s not difficult to imagine why. Most haven’t reorganized their company’s management structures to confront today’s growing cybersecurity risks. Times have changed, and the change needed to confront real and pressing digital threats needs to come from the top of every organization.
Andy Bochman is senior grid strategist for Idaho National Lab’s National and Homeland Security directorate. Prior to joining INL, he founded a strategic energy sector security consulting firm, was an advisor on energy security matters at the Chertoff Group in Washington, D.C., and was the security lead for IBM’s global energy and utilities business. Follow Andy on Twitter @andybochman.