I read an article the other day titled “Global utilities lacking basic cybersecurity practices.” Although the article focused on utilities, the guidance applies to every industry, so I will touch on a few of its recommendations that could be useful to you regardless of the sector you work in.
The article was based on an interview with Rafael Narezzi, Chief Technology Officer at CF Partners. In the webinar, Narezzi urged energy companies to increase investments in cybersecurity and be proactive. In addition to investments, he encouraged companies to make cybersecurity a main driving force of the business.
Let’s reflect on this statement. Increasing investment in cybersecurity would be wise for any organization; however, increasing investment without a strategy would hurt any business, especially small and medium-sized companies. Perhaps I’m taking the statement out of context and Narezzi’s audience knew what he meant, but let me be explicit in my analysis. You need to understand your business objectives, services, products, and every revenue stream that keeps the company financially viable, because your cybersecurity investments must protect those products, services, and objectives. Spending that is not tied to what the business actually depends on is spending that cannot be prioritized or justified.
The other part of the statement was to “make cybersecurity a main driving force of the business.” Cybersecurity should be a business pillar, but not necessarily the “main” driving force, even for a utility. It should be baked into every product, service, and company project, but the business itself should be driven by delivering quality, secure products and services to customers, by retaining and acquiring customers, and by protecting its competitive advantage.
Narezzi also mentioned that executives lack cybersecurity knowledge and do not know how to act; many are not aware of the steps they should take to address the growing vulnerability of grids to cyberattacks. Again, considering that the focus was utilities, specifically distributed renewables, which are usually small organizations, his statement makes sense. The first step for an organization facing these challenges is to hire an experienced CISO and to educate the executives and board members, for example by leveraging the cybersecurity guidance published by the National Association of Corporate Directors (NACD).
He also said that more regulation is needed to support cybersecurity frameworks. My concern with that approach is that regulation usually drives a compliance mindset: organizations implement the minimum requirements needed to be compliant with the framework and nothing else, and being compliant is not the same as being secure.
Links mentioned on the show:
Article: Global utilities lacking basic cybersecurity practices says expert (powerengineeringint.com)