Before a utility company establishes a new CSO position, fills a vacant role, or reorganizes its existing security function, it must understand the industry's needs and expectations for the modern CSO. Unlike just 10 years ago, utilities now look to a senior security professional to manage risk, harden infrastructure, and maintain compliance with regulatory security requirements.
The senior security professional, typically at the vice president or director level, now has direct access to the CEO and company boards of trustees, often to supply situational awareness of physical and cybersecurity issues. The CSO should have the ability to mold or shape policy from the boardroom or from the senior staff meeting. The good news for CSOs is that more board-level visibility can lead to more investment in security. Even the best CSO, however, cannot be successful without backing from senior executives. So, what makes a CSO worth their weight in gold?
The duties of the CSO have dramatically changed with the targeting of electric infrastructure for attack, the advancement of and reliance on cyber systems, and the job of ensuring compliance with the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards. Likely the biggest responsibility is to create and foster a program that helps manage reputational risk. A security event at a company, whether physical or cyber, can quickly ruin any good standing in the community or industry. Whatever the range of duties, the security department's prime mission must always align with the company's. That means being a trusted partner.
The electricity industry is quickly moving away from security as an "additional duty". Not so long ago, security responsibilities were typically handled by substation engineers, contract guards monitoring a few cameras and walking around looking for holes in the fence, and a select few managers unlucky enough to draw the "short straw". Many companies also employed meter readers who kept a watchful eye out for electricity theft. At larger companies you might see a retired law enforcement officer looking to augment his pension by becoming the security manager, only to permanently retire a few years later. In contrast, most utilities today have dedicated security departments committed to the protection of company assets and personnel.
Today, largely due to the terrorism events of Sept. 11 and the politics of security in Washington, we see the position's expertise shifting from investigations and theft to grid reliability and infrastructure protection. Coupled with the burden of regulatory security compliance and the targeted destruction of electric infrastructure, we see a modern CSO arriving on the scene.
Integrating both cyber and physical security under one leadership post has immediate advantages. The convergence of Information Technology (IT) security, Operational Technology (OT) security, and physical security under one department is a best practice that promotes situational awareness and enterprise-wide risk reduction, but it is unfortunately rarely seen. This is primarily due to the vast differences between the security fields. An individual who exhibits both cyber and physical security expertise is in fact a rare bird. As a result, the Chief Information Security Officer (CISO) and the CSO often find themselves under different leadership structures.
The modern CSO is business savvy and fully understands the impact that security has with respect to “keeping the lights on”, business resiliency, reputational risk, and regulatory compliance. Today’s CSO must be an educator rather than an enforcer as he or she must be able to re-frame the security conversation away from mere loss avoidance and towards competitive advantage, efficiency, and risk reduction. The CSO must be technically adept, with an intuitive understanding of a company’s assets, how attackers might penetrate them, and how to defend against attacks. And because no company, no matter how invested it is in security, is fully immune from physical threats, the CSO must also understand how to deter, detect, and mitigate the attacks that do occur.
The required skills for this position have matured and evolved over the past decade. Former law enforcement officers continue to be the logical first pick for many utilities. However, very few investigations, domestic violence episodes, drug cases, or traffic violations occur at a utility. As most security professionals will attest, there are significant differences between physical security and routine police work. This is not to say that there are no transferable skills, because there are; however, very few career police officers understand the basic principles of physical security.
Former military personnel remain an effective alternative, especially those with an antiterrorism and force protection background, but they often lack advanced degrees or corporate experience. Knowledge is key here!
CSOs must have an advanced understanding of how the electric grid works, including the essential equipment needed to move power and what generators and substations are absolutely critical to the business. Expertise only comes after spending time in the utility sector and understanding risk assessments and how to “harden” targets using deter, detect, and delay strategies to mitigate an attack.
The modern CSO understands the regulatory environment in which we live. Utilities may be faced with a multitude of regulations, including the Maritime Transportation Security Act (MTSA), Chemical Facility Anti-Terrorism Standards (CFATS), and the NERC CIP Standards, all of which require physical security expertise. Whether we like it or not, security regulation is here to stay, and the CSO will be on the front lines of keeping a company compliant and free of financial penalties.
While tactical “boots on the ground” knowledge is necessary, the modern CSO must think macro, not micro. He or she must balance security needs with the organization’s strategic business plan, identify risk factors, and determine solutions to both. The CSO acts as the organization’s representative with respect to inquiries from customers, partners, and the general public regarding the organization’s security strategy.
The biggest mistake that CSOs make is when they become complacent and think they’ve solved the problem they are facing. In this business, you’ve never solved the problem. Instead, great CSOs are always scanning the horizon: They consider what mistakes they may be making and learn from the mistakes that others in their position make. So, the modern CSO must be a crisis manager, adept at handling the type of attack that spills onto the front pages while solving the problem, projecting calm, and keeping the public informed. Easy task, right?
This article is published as part of the IDG Contributor Network.