CYBER GUARDIANS OF THE GRID

All companies face risks—this is fundamental to business. Cyber risk, however, differs from business or financial risks caused by economic changes or poor investments. Cyber risk's nefarious nature makes it especially onerous. Hacking attempts, computer viruses, and technological vulnerabilities constantly threaten computer networks and servers—just recall "Heartbleed," a major security vulnerability that reportedly affected as many as two-thirds of all websites in 2014, including several major social media and retail sites.

The US power grid is a frequent target of cyber and physical attacks. These occur once every four days or so, according to an analysis by USA Today, which noted that the small-scale incidents could indicate broader security problems that potentially could lead to a sweeping outage affecting millions of people for days or weeks (Reilly 2015). "Cyber risk is very different because it could rear its ugly head at any time—this afternoon, tomorrow morning—and lead to an immediate crisis," a utility board member commented.

Cybersecurity regulations have been imposed on the US electricity subsector since 2008 under the Critical Infrastructure Protection Reliability Standards approved by the Federal Energy Regulatory Commission (FERC). Regulatory compliance, however, is insufficient given the gravity of cyber threats. Admiral Michael Rogers, director of the National Security Agency (NSA), told lawmakers in November 2014 that China, as well as one or two other countries, had the capabilities to successfully launch a cyber attack that could shut down the electric grid in parts of the United States (FoxNews.com 2014). Recent events have only heightened concerns: in December 2014, the South Korean state-owned nuclear plant operator, Korea Hydro and Nuclear Power Co. Ltd., reported that its computers were hacked, resulting in a leak of internal data, including reactor blueprints (Kwaak 2014).
CSO and CISO roles emerge.

As cyber threats grow more sophisticated, organizations must be more vigilant and savvier in detection and deterrence. As industry insiders note, protecting critical infrastructure takes a multifaceted approach—prevention, detection, and response—to uncover hidden threats and mitigate their impact (Dumoulin-Smith 2015).

The need to respond to escalating cyber risks has sparked the emergence and prominence of CSOs and CISOs in recent years, including among utilities and other companies that are part of the nation's critical infrastructure. "It's a changing field. Anybody who is in it today is going to watch it truly change over the next five years," an industry insider commented.

While security roles are common within organizations, what differentiates the CSO and CISO roles is responsibility for cybersecurity and the growing risk from nefarious online threats. These emerging C-level executives also work closely with other senior leaders, such as the chief risk officer as well as CIOs and CTOs, who are attuned to specific risks.

For CSOs and CISOs to be effective, a risk mindset is a must. Equally important is that this talent must have a deep understanding of the business and be able to communicate effectively with senior management and the board about the nature and extent of risks. This means connecting the dots from risks and potential threats to the enterprise's operations. Some CSOs or CISOs have backgrounds in law enforcement, military, or intelligence, making them excellent at identifying and mitigating risks. But coming in at such a senior leadership level without corporate tenure may mean this individual needs mentoring on how to operate within a corporate environment and how best to communicate clearly with the senior management team in language that nontechnical people can understand.

The CSO or CISO must be "somebody you can put in front of the board, somebody who can go and give them confidence," one board member commented. "You can't have somebody up there who is stumbling. You can be the smartest person, but if you can't communicate, it's not going to help you. This person has to be able to talk to your senior leadership and your board."

Candor is also vital so executives and boards understand it is impossible to eliminate risk completely, though it can be mitigated. "They need to understand what is the open risk still out there, what types of threats are you most vulnerable to, and what's the level of risk associated with that threat even after you've done your mitigating actions," the board member continued.

CSOs and CISOs who possess all the needed attributes—risk/security, technical, and business experience—are increasingly in demand among utilities and other enterprises considered to be critical infrastructure. To meet the increasingly strong demand for talent, organizations must assess and develop their teams so they have strong candidates within the ranks to step up eventually into the CSO and CISO positions.
CSOs and CISOs as leaders.

Given their responsibility for identifying risks, assessing threats, and deploying solutions, CSOs and CISOs need deep knowledge and expertise in areas related to security (physical and cyber), intelligence gathering and analysis, and technology. Other desirable skills for CSOs and CISOs as leaders include:

• Executive presence: the ability to influence others, particularly senior leaders.

• Business savvy: making connections between cybersecurity and the business.

• Interpersonal skills: building relationships across the enterprise to collaborate with other leaders, especially those in corresponding departments such as information technology; also building relationships with external parties, such as for sharing information about threats.

• Communication skills: helping senior leaders and board members understand risks in the context of the business, addressing highly technical issues with nontechnical people, and making a cogent argument in language that others can understand.

• Team building and managing: empowering teams of people with diverse backgrounds (security, law enforcement/military, technology), managing complex projects, and delegating to others to achieve successful results.

• Learning agility: adapting previous experiences to new and first-time challenges and situations; for CISOs and CSOs who have military, law enforcement, or intelligence backgrounds, learning agility will likely help them succeed in the new operating environment of a large corporation.
Resource deployment decisions require a strategic view of the business—the ability to draw parallels between a risk-threat assessment and the impact on the business. Without this understanding, it is difficult for the organization's leadership to make cost-effective decisions to mitigate risk and improve cybersecurity while also ensuring the business does not suffer. An organization may identify a potential threat that could have a huge impact if it materialized, yet the probability of such an occurrence may be negligible. Given the high impact but low probability, to what extent should the company prepare? "How do you prioritize your resources against your greatest risk when it comes to assets?" a utility executive asked.

Probability and consequence are not synonymous; not every vulnerability becomes an imminent threat. Potential risks still need to be identified and assessed. To ensure this occurs, CSOs, CISOs, and their teams should be involved in the board's audit and risk committees, giving presentations and sharing information. It then becomes the responsibility of the CSO or CISO to ensure that the committees, the full board, and senior management understand cybersecurity issues, both internally and among third parties with which the organization does business.

Cybersecurity concerns have prompted many utilities to participate voluntarily in industry-wide initiatives to share information about threats and improve risk identification and mitigation. The Cybersecurity Risk Information Sharing Program (CRISP), for example, facilitates the exchange of cybersecurity information among electric utilities, the US Department of Energy, and other entities. The program deploys passive sensors, so-called "information sharing devices," to collect, transmit, and analyze cybersecurity information and intelligence across the electricity subsector (NERC 2014). Through CRISP, one utility executive observed, "We have the ability to tap into what other utilities are seeing."
Cybersecurity needs to become part of the culture.

As CSO and CISO roles emerge and become more defined, these executives more often report to the top of the organization. While risk management may also be tasked to the general counsel or CFO, and the CIO or CTO may also be part of the reporting structure, CSOs and CISOs work directly with senior management. These reporting relationships reveal how much attention enterprise risk has earned in recent times within the organization, particularly at the top.

"Cybersecurity is definitely coming up to the CEO level and the board level as well." —Utility senior executive

Cybersecurity also has become an organization-wide issue in all departments, from technology to finance and from marketing to sales. Besides greater awareness of the need to improve safety, leaders and their teams are undergoing training to think about risks, particularly those regarding technology. Many companies push for access to networks and data on virtually any device at any time of day, but 24/7 off-site access can create other vulnerabilities, so convenience and cybersecurity can be at odds. Devising workable solutions requires education across the enterprise and developing a culture of security and awareness. "Protecting assets is a shared responsibility for all employees," a utility executive commented.

Establishing a cybersecurity culture begins at the top with the CEO. This leader must understand the risks and vulnerabilities in an organization and be committed to educating people about these issues. Converting awareness into action requires a proactive CSO or CISO who not only knows the security side but also understands the business and its needs so risk mitigation does not come at the expense of growth—or vice versa.
References

Dumoulin-Smith, Julien. Feb. 23, 2015. "US Electric Utilities & IPPs, Cyber-Security Spend: Is the Threat Contained?" UBS Securities LLC.

FoxNews.com. Nov. 20, 2014. "NSA Director: China can damage US power grid."

Korn Ferry. 2014. Korn Ferry Market Cap 100: "Adding cybersecurity to the board's risk portfolio."

Kwaak, Jeysup. Dec. 22, 2014. "South Korea Nuclear Plant Operator Hacked." The Wall Street Journal.

North American Electric Reliability Corporation (NERC). July 15, 2014. "Cyber Security Risk Information Sharing Program (CRISP) Overview, Budget Projection and Proposed Funding Allocation." NERC 2015 Business Plan and Budget Addendum.

Reilly, S. March 24, 2015. "Bracing for a big power grid attack: One is too many." USA Today.

Zezima, K. Feb. 12, 2015. "Obama signs executive order on sharing cybersecurity threat information." Washington Post.
Authors

Aileen Alexander
Co-leader, Cybersecurity

Mark Ciolek
US Utilities Sector Leader

Jamey Cummings
Co-leader, Cybersecurity
About Korn Ferry

At Korn Ferry, we design, build, attract, and ignite talent. Since our inception, clients have trusted us to help recruit world-class leadership. Today, we are a single source for leadership and talent consulting services to empower businesses and leaders to reach their goals. Our solutions range from executive recruitment and leadership development programs, to enterprise learning, succession planning and recruitment process outsourcing (RPO).

About The Korn Ferry Institute

The Korn Ferry Institute, our research and analytics arm, was established to share intelligence and expert points of view on talent and leadership. Through studies, books and a quarterly magazine, Briefings, we aim to increase understanding of how strategic talent decisions contribute to competitive advantage, growth and success.

Visit www.kornferry.com for more information on Korn Ferry, and www.kornferryinstitute.com for articles, research and insights.

© Korn Ferry 2015. All rights reserved.