Do US Power Companies Need a CISO?

IT World reports that the Department of Energy has released a new document that advocates for a senior security executive of security in power companies.

It calls for electric-power companies to appoint a senior executive for cybersecurity that will report to the companys board.

The IT World report also provdes the following analysis.

Senior management doesnt have a very good understanding of their security posture, says Andy Bochman, whose job as IBMs Energy Sector Leader in the IBM Security Systems Division grants him insight into how the whole U.S. power grid works.

Unlike other types of enterprises, many utilities today –whether its their enterprise business side or their industrial-controls systems side–do not have a chief information security officer (CISO) or a chief security officer (CSO) at all, says Bochman. But the evolution of the electric grid, especially as the so-called smart grid takes shape with more interactive information collection and management with consumers, means they need a CISO or CSO more than ever. He says they need an individual acting as a vice president of security who can report directly to the company CEO or board of directors. He adds its better here not to report directly to the CIO but go directly to the top of the company.

That sounds very strongly worded. I read the DoE report, called “Electricity Subsector Cybersecurity Capability Maturity Model, Version 1.0,” and I did not find very strong language about a senior executive. In fact, the term CISO (or CSO) does not appear anywhere in the document. This sentence on page 43, for example, is about the closest thing to advocating for a senior role.

A cybersecurity program may be implemented at either the organization or the function level, but a higher-level implementation and enterprise viewpoint may benefit the organization by integrating activities and leveraging resource investments across the entire enterprise.

“…enterprise viewpoint may benefit the organization…”

Likewise the term vice president is only mentioned as a side-bar within the 92 page document. You will find it in the “Example: Cybersecurity Program Management” section on page 44.

Anywhere Power decided to establish an enterprise cybersecurity program. To begin, it has formed a board with representation from each of the functional areas. This cybersecurity governance board will develop a cybersecurity strategy for the utility and recruit a new vice president of cybersecurity to implement a program based on the strategy. The vice president will also report to the board of directors and will work across the enterprise to engage business and technical management and personnel to address cybersecurity.

It’s a nice example, but only an example and not a requirement or even recommendation.
And then we have other examples like Google that keep security at the Director level (no VP, CISO or CSO) and do not even mention security on their Management team page.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.