How energy sector CISOs can show cybersecurity’s value (2024)

The right metrics empower energy company chief information security officers (CISOs) by validating cybersecurity investments amid scrutiny.

It’s a fairly common scene: While preparing for a board of directors meeting or other important management update, a chief information security officer (CISO) and another C-suite executive together scrutinize the cyber metrics and KPIs they’ll present. The two aren’t expecting perfection; instead, they hope for a healthy mix of positive and marginal results to demonstrate a cybersecurity program’s success while showing that they’re also addressing areas of improvement.

Choosing cyber metrics

One of the best ways to demonstrate the effectiveness of key parts of a cybersecurity program is to establish metrics that are actionable, auditable, drive changes in behavior, and educate and enable leaders to make risk-informed decisions. Without the right mix of metrics, companies are just burning valuable staff capacity that could be used elsewhere. If this sounds familiar, know that many other cybersecurity leaders are struggling with the same issue.

Failure to prove a cybersecurity program’s effectiveness jeopardizes the CISO’s chances of gaining the necessary support to implement adequate measures. In a different EY survey about how CISOs can adapt to enable a digital future, 50% of cybersecurity leaders in the power and utilities (P&U) sector said they were working with budgets that wouldn’t cover the costs of managing the cybersecurity challenges they encountered during the prior 12 months. The P&U sector was the most likely to have suffered a rise in the number of disruptive attacks such as ransomware (80%), while the oil and gas sector (79%) was the second most likely.

For energy board and operating committee reporting — and really any management-level reporting — the metrics should focus on simplicity and clarity (would most audiences easily understand what you’re measuring?), behavioral reach (how deep and far are the metrics driving good behavior inside and outside your organization?) and consistency (does the audience know what to expect month to month, quarter to quarter, with little to no “bringing up to speed” needed during ops reviews?).

Based on these tenets, we chose three areas you should consider reporting on that are critical to the success of any cyber program and, when healthy, indicate a healthy digital environment: vulnerability management, email security and third-party supplier risk.

These three areas cover the three most exploited attack vectors and, between them, every business unit in the organization. The risk areas also align to all levels of responsibility within the energy company so that everyone feels like they own a part of the outcome. The last thing you want is to present risk reports to the board and have the CISO own every single output.

1. Vulnerability management

Cyber vulnerabilities have been multiplying in recent years, making speed to closure more and more critical to measure. One study showed energy firms were the most commonly attacked organizations in North America.² Gone are the days when it was acceptable to spend weeks or months before mitigating known vulnerabilities, especially those that could impact high-value assets or that have been known to be exploited. Being able to measure how nimble and attentive digital asset owners are toward exploits will drive asset owners toward action and prioritization.

It is a good idea to tactfully highlight the number of opened and closed (high or critical) vulnerabilities in the environment across all operating systems and platforms. Traditionally, the goal has been to keep them under 30 days as a measure, but these days the time frame is trending more toward a week or less. This can be broken down by operating system for a more technical audience, but for a board or operating committee, keeping it high-level and only addressing risks that directly impact business operations is important.
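The closure metrics described above (opened and closed high/critical findings, time to close, and how much of the backlog is inside the target window) are easy to compute from a scanner export. The following is an added example, not code from the article or from EY; it assumes a constructed record layout with an opened date, an optional closed date, a platform label and a "known exploited" flag, and a configurable SLA in days so the same function can report against the traditional 30-day target and the tighter one-week target.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Finding:
    """One scanner finding. Field layout is an assumption, not a vendor schema."""
    vuln_id: str
    severity: str                    # "critical", "high", "medium", "low"
    platform: str                    # e.g. "windows", "linux", "ot-hmi"
    opened: date
    closed: Optional[date] = None    # None while the finding is still open
    known_exploited: bool = False    # e.g. listed in a known-exploited catalogue (assumed flag)


# Constructed sample export for one quarter; these are not real findings.
SAMPLE_FINDINGS = [
    Finding("V-001", "critical", "windows", date(2024, 3, 1), date(2024, 3, 5), True),
    Finding("V-002", "high", "linux", date(2024, 3, 2), date(2024, 3, 20)),
    Finding("V-003", "high", "windows", date(2024, 3, 3), date(2024, 4, 12)),
    Finding("V-004", "critical", "ot-hmi", date(2024, 3, 10), None, True),
    Finding("V-005", "medium", "linux", date(2024, 3, 11), date(2024, 3, 12)),
    Finding("V-006", "high", "linux", date(2024, 3, 15)),
    Finding("V-007", "critical", "windows", date(2024, 3, 20), date(2024, 3, 25)),
]

# Only high and critical findings reach the board-level slide.
REPORTED_SEVERITIES = {"critical", "high"}


def closure_metrics(findings, period_start, period_end, sla_days=7, as_of=None):
    """Board-level vulnerability metrics for one reporting period.

    Returns counts of opened/closed findings in the period, median days to
    close, how many closures met the SLA, and the state of the open backlog
    as of `as_of` (defaults to the end of the period).
    """
    as_of = as_of or period_end
    tracked = [f for f in findings if f.severity in REPORTED_SEVERITIES]

    opened = [f for f in tracked if period_start <= f.opened <= period_end]
    closed = [f for f in tracked
              if f.closed is not None and period_start <= f.closed <= period_end]
    # A finding closed after `as_of` still counts as open at `as_of`.
    still_open = [f for f in tracked
                  if f.opened <= as_of and (f.closed is None or f.closed > as_of)]

    days_to_close = [(f.closed - f.opened).days for f in closed]
    within_sla = sum(1 for d in days_to_close if d <= sla_days)
    ages = [(as_of - f.opened).days for f in still_open]

    open_by_platform = {}
    for f in still_open:
        open_by_platform[f.platform] = open_by_platform.get(f.platform, 0) + 1

    return {
        "opened": len(opened),
        "closed": len(closed),
        "net_backlog_change": len(opened) - len(closed),
        "median_days_to_close": median(days_to_close) if days_to_close else None,
        "within_sla": within_sla,
        "sla_rate": within_sla / len(closed) if closed else None,
        "still_open": len(still_open),
        "oldest_open_days": max(ages) if ages else 0,
        # Open findings with a known exploit are the ones to call out explicitly.
        "open_known_exploited": sum(1 for f in still_open if f.known_exploited),
        "open_by_platform": open_by_platform,   # the per-OS breakdown for technical audiences
    }


if __name__ == "__main__":
    m = closure_metrics(SAMPLE_FINDINGS, date(2024, 3, 1), date(2024, 3, 31), sla_days=7)
    for key, value in m.items():
        print(f"{key}: {value}")
```

The board slide would carry the first block of numbers (opened, closed, backlog change, SLA rate, open known-exploited findings); the `open_by_platform` breakdown is the detail page for the technical audience the paragraph mentions.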

We also use this section of reporting as an opportunity to discuss what’s happening in the media around cybersecurity vulnerabilities affecting the energy sector. This is an especially timely topic amid wartime activities around the globe, as malicious actors could be targeting countries’ infrastructures, including utility companies, for potential cyber attacks.³ Additionally, highlighting geopolitical activities that could impact the likelihood of an attack is a great opportunity to showcase your team’s cyber intelligence capabilities, especially if you made a major investment in improving these capabilities. Taking the time to punctuate global headlines that savvy business leaders might have already read demonstrates that you are looking at the big picture.

2. Email security

According to one study, spear-phishing attachments were a top identified infection vector in incidents in North America, accounting for 20% of the incidents reviewed.⁴ However, it has been eye-opening to learn that many cybersecurity organizations have a mock-phishing program but do not use the results to drive changes in behavior!

World-class organizations publish the monthly click rates of each suborganization, benchmark against industry click rates and generate competition internally. Some teams even tie click rates to annual compensation structure — yes, bonuses tied to good or subpar clickers!

This section within the operating metrics tracks the monthly mock-phishing “click metrics” for the entire organization. It also tracks the “report rate” or what percentage of people actually report the phish to cyber (via a shared mailbox, an IT ticket or a report within an email application). And finally, the number of repeat clickers in the organization should be reported. These are the employees who just don’t get it; because they don’t pay attention, they pose a significantly greater liability.

Behind this section are typically more pages that are designed to provide details for each organization’s progress, allowing the business leaders to see their own organization’s performance and address issues or trends. If done properly, this can be a very effective tool and produce metrics associated with clicking on and/or reporting phishing emails.
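The three mock-phishing figures this section calls for (click rate and report rate per suborganization, plus the list of repeat clickers across campaigns) are computed below from constructed campaign results. This is an added example, not code from the article or from EY; the event layout (one row per recipient per campaign) and the industry benchmark value used for the comparison are assumptions, so substitute the figure your mock-phishing vendor or peer group publishes.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PhishEvent:
    """One recipient's result for one mock-phishing campaign (assumed layout)."""
    campaign: str     # campaign identifier, here the month it ran
    org: str          # suborganization the recipient belongs to
    employee: str     # anonymised employee id
    clicked: bool     # followed the link or opened the attachment
    reported: bool    # reported the message to cyber (mailbox, ticket or mail-client button)


# Constructed sample results for two monthly campaigns; not real data.
SAMPLE_EVENTS = [
    PhishEvent("2024-02", "Generation", "e1", True, False),
    PhishEvent("2024-02", "Generation", "e2", False, True),
    PhishEvent("2024-02", "Generation", "e3", False, False),
    PhishEvent("2024-02", "Generation", "e4", True, False),
    PhishEvent("2024-02", "Transmission", "e5", False, True),
    PhishEvent("2024-02", "Transmission", "e6", False, True),
    PhishEvent("2024-02", "Transmission", "e7", False, False),
    PhishEvent("2024-02", "Corporate", "e8", True, False),
    PhishEvent("2024-02", "Corporate", "e9", False, False),
    PhishEvent("2024-03", "Generation", "e1", True, False),
    PhishEvent("2024-03", "Generation", "e2", False, True),
    PhishEvent("2024-03", "Generation", "e3", False, True),
    PhishEvent("2024-03", "Generation", "e4", False, False),
    PhishEvent("2024-03", "Transmission", "e5", False, True),
    PhishEvent("2024-03", "Transmission", "e6", True, True),   # clicked, then reported it
    PhishEvent("2024-03", "Transmission", "e7", False, False),
    PhishEvent("2024-03", "Corporate", "e8", True, False),
    PhishEvent("2024-03", "Corporate", "e9", False, True),
]

ALL = "ALL"   # key for the whole-organization roll-up


def campaign_metrics(events, campaign):
    """Click rate and report rate per suborganization (and overall) for one campaign."""
    totals = defaultdict(lambda: {"recipients": 0, "clicks": 0, "reports": 0})
    for e in events:
        if e.campaign != campaign:
            continue
        for key in (e.org, ALL):
            totals[key]["recipients"] += 1
            totals[key]["clicks"] += int(e.clicked)
            totals[key]["reports"] += int(e.reported)
    for t in totals.values():
        t["click_rate"] = t["clicks"] / t["recipients"]
        t["report_rate"] = t["reports"] / t["recipients"]
    return dict(totals)


def repeat_clickers(events, min_campaigns=2):
    """Employees who clicked in at least `min_campaigns` distinct campaigns, with their org."""
    clicked_in = defaultdict(set)
    org_of = {}
    for e in events:
        if e.clicked:
            clicked_in[e.employee].add(e.campaign)
            org_of[e.employee] = e.org
    return {emp: org_of[emp] for emp, camps in clicked_in.items()
            if len(camps) >= min_campaigns}


def repeat_clickers_by_org(events, min_campaigns=2):
    """Count of repeat clickers per suborganization, for the per-org detail pages."""
    counts = defaultdict(int)
    for org in repeat_clickers(events, min_campaigns).values():
        counts[org] += 1
    return dict(counts)


def orgs_above_benchmark(metrics, benchmark_click_rate):
    """Suborganizations whose click rate exceeds the (assumed) industry benchmark."""
    return sorted(org for org, m in metrics.items()
                  if org != ALL and m["click_rate"] > benchmark_click_rate)


if __name__ == "__main__":
    BENCHMARK = 0.30   # placeholder benchmark; use the published industry figure
    march = campaign_metrics(SAMPLE_EVENTS, "2024-03")
    for org, m in march.items():
        print(f"{org}: click {m['click_rate']:.0%}, report {m['report_rate']:.0%}")
    print("above benchmark:", orgs_above_benchmark(march, BENCHMARK))
    print("repeat clickers:", repeat_clickers(SAMPLE_EVENTS))
```

Tracking the report rate alongside the click rate matters because a recipient can do both, as `e6` does above: a click that is immediately reported gives the SOC a chance to contain it, which a bare click rate would hide.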

3. Third-party supplier risk

Along with the increasingly global nature of the digital supply chain in the energy sector comes heightened risk as the reliance on lower-cost foreign software suppliers grows, according to the U.S. Department of Energy.⁵

The final, but very critical, portion of the management discussion is where we report on how many suppliers were assessed by our third-party risk process. That process usually includes a risk rating from an external tool or service (often set up like a credit bureau for cyber risk) and a Standardized Information Gathering questionnaire (commonly known as a SIG) sent to suppliers to assess their security programs.

More importantly, we also report how many high-risk suppliers are still being approved by business units each month. If a business unit is going to accept risk on behalf of the company despite there being a red flag warning them not to, the unit should have to explain why they approved the high-risk supplier.

The goal is for there to have been no high-risk suppliers that were approved — avoid doing business with them if possible. Any approval number above 0 triggers a very lengthy but fruitful discussion with those business units about that supplier, why it is critical to do business with them and what the viable alternatives are.

Developing support for your cyber program

Now more than ever, energy company CISOs need a persuasive case for their cybersecurity programs. Presenting the right cyber metrics or KPIs is a big step toward making that case.

Vulnerability management, email security and third-party supplier risk are three areas where compelling metrics can be found to demonstrate the strength of a cyber program. These areas reflect three of the most exploited attack vectors and cover the entire organization.

In terms of developing the necessary support for cyber measures, communication is a key element. Effective CISOs keep the lines of communication open with all tiers of the organization so that cybersecurity is embedded throughout the organization. Success with a cybersecurity program can be hard to come by if not all parts of the business feel that they have a stake in the outcome.

In addition, when it comes to discussing program results with the board, energy company CISOs should avoid being too technical; instead, use business terms to emphasize how cyber measures — or a lack thereof — would impact the business and its ability to create value. When CISOs use business terminology to paint a clear picture of the need for cybersecurity, board members can better grasp the importance of these measures.

Achieving all of this is especially critical as the energy transition progresses. With a healthy cyber defense against ever-growing threats, a power or utility company can safeguard its business. It can also protect its ability to provide high-quality service that will satisfy customers — a key to the advancement of the energy transition.
