The Things I've Seen Series: Part 1 - Utility security governance boards
By: SGN Staff
By Andy Bochman
In the final moments of Blade Runner, Rutger Hauer's character, close to death, tells Harrison Ford: "I've seen things you people wouldn't believe."
Over the course of the next several posts I'm going to go through some of my sanitized field notes and let you see things you may or may not believe, some good, some not so good. Nothing quite as cosmic as what Hauer relates in his final moments, but it should probably be interesting if you're in, or work with, the industry.
Let's start off the series on a positive note with the formation of Security Advisory Boards. Investor-Owned Utilities (IOUs) typically have a number of boards: executive, safety, governance, audit & compliance, etc. However, you can dig through annual reports and review the investor information sections on company websites for a long time and you likely won't find much, if anything, relating to cybersecurity risk strategies, concerns or activities.
Yet in visits to utilities over the past two years I came upon half a dozen or so that had either assembled a representative group of various executives and functional leads to talk about cybersecurity from an enterprise-wide perspective, or were getting ready to do so. Members tended to include the CIO, the head of cybersecurity, the head of physical security, leadership from different functional areas and one or two more senior executives.
Some of the potential benefits include improved flow of communications between different parts of the company, more business input into security policy and planning, and better understanding across senior management about current security status, emerging requirements, and new threat types.