Earlier I pointed out some misrepresentations of the new DoE Model.
I read the DoE report, called “Electricity Subsector Cybersecurity Capability Maturity Model, Version 1.0,” and I did not find very strong language about a senior executive. In fact, the term CISO (or CSO) does not appear anywhere in the document. […] Likewise the term vice president is only mentioned as a side-bar within the 92 page document.
I can imagine why someone might try to treat the side-bar example as a call for executive leadership in security but that’s not really a fair represenation of the document. It’s a minor and passive point compared with everything else put forward in nearly 100 pages.
But I just found the misrepresentation happening again, this time on Law.com in “Cybersecurity Becoming No. 1 Concern for GCs and Directors”
…the Department of Energy is encouraging electric-power companies to adopt a separate board altogether that’s just devoted to cyber-risk governance, as Network World reports. Under the recommendation, outlined in new guidance [PDF], a “cybersecurity governance board†would “develop a cybersecurity strategy for the utility and recruit a new vice president of cybersecurity to implement a program based on the strategy.â€
The quote used by Law.com is from a side-bar to the document clearly labelled “example”. While it may illustrate a model it is neither a requirement a recommendation or encouragement. The actual statement of the model is this:
A cybersecurity program may be implemented at either the organization or the function level, but a higher-level implementation and enterprise viewpoint may benefit the organization by integrating activities and leveraging resource investments across the entire enterprise.
I rank the phrase “may benefit” somewhere below encouragement and definitely below recommendation.
The DoE obviously has left open the possibility that implementation of the program with an enterprise viewpoint also may not benefit the organization…
I don’t necessarily agree with the DoE’s language, but I also don’t want to misrepresent it and overshadow the rest of the document.