Jack and I have been examining patterns that emerged from our talks with Smart Grid startup booth reps at last week’s GridWeek 2009 conference. We noticed that few of the startups have a dedicated security professional on staff; instead, they have merely tasked an existing player (CTO, Application Engineer, etc.) with the responsibility.
Other exhibiting companies (Capgemini, Cisco, GE, ABB, Siemens, etc.) had booths too, but it seemed crazy to ask them if they employed dedicated security professionals, because of course they do, both for their internal operations and for their client-facing products and services.
But when it comes to the startups, I have some questions to pose:
I liken this to the situation that faced large and medium companies approximately ten years ago: It became clear that as they embraced the Internet for new capabilities, they were inadvertently bringing a whole host of new risks and vulnerabilities on board. This is from CSO Magazine in 2001 on why to hire a Corporate Security Officer and what he or she can do for you:
“A core responsibility of the CSO will be vulnerability assessment and risk management. Therefore the CSO should report to the COO or CEO. After all, the CSO will evaluate the technology environment and audit the security measures implemented by the CIO. It is in the company's and the CIO's best interest to have the CSO perceived as an impartial assessor of the technology environment instead of a possible rubber stamp.... Think of the CSO as the head of quality assurance for security.”
In startup land, there is no real need for C-level titles beyond CEO. But ignoring the titles, the functional benefits of a dedicated security staffer are clear, no matter what they're called. In other markets we have seen them labeled Security Architects, Information Security Officers, Security Managers, Security Officers, Information Security Managers, etc. Depending on the offering and the market strategy, there's a mix of roles that these folks may fill, including ensuring the security of the company (its systems, processes, and people) and the security characteristics of its products (hardware, software or both).
Hyperbole aside, we all know that the Smart Grid is an area of growing and inevitable security risk. If I'm a utility, and as such am a prospective new customer for a startup, and I'm held accountable to the highest security standards by those who regulate me, I'm going to be damned sure that I put prospective vendors through the wringer before bringing their technology in-house. And if I'm a startup? Although having a qualified security person on my staff is no silver bullet, our guess is they'll be more than worth their salary as the regulators press their security cases and the utilities/customers get more and more savvy about risk.
Jack Danahy and Andy Bochman are authors of the Smart Grid Security Blog.