As the Chief Information Security Officer (CISO) of the US Department of Energy’s Oak Ridge National Laboratory (ORNL), Kevin Kerr oversees security for some of the world’s most powerful supercomputers as well as the technology used by more than 2,600 scientists and engineers.
His mission: Protect the flow of ideas and data
The algorithms, ideas and data flow from across the Internet and private networks of the world’s leading enterprises to the supercomputers to do everything from modeling nuclear reactions used in clean energy to helping scientists create lighter materials for cars and airplanes. Faced with protecting such critical assets, how does Kerr approach his role as a security leader?
Like many of his colleagues across government, academia and industry, Kerr has to blend the skills of a business strategist with a deep technical understanding of security in order to anticipate and react to evolving cybersecurity threats. He shared his expertise and perspective during a July 2014 workshop on Cybersecurity Leadership and the Smart Grid, jointly organized by George Mason University, the National Science Foundation and IBM.
Kerr’s comments highlight four major challenges that IBM Center for Applied Insights uncovered during its 2012, 2013, and 2014 CISO Assessments that helped to define the emerging role of the CISO across public and private sector organizations:
1. Establish a security culture
Kerr noted that collaboration with management and others in the organization must be more than just a formal process of meetings and check-ins. The CISO must try to see the world from the point of view of the end user, understand the user’s pain points, and even bring the conversation down to a personal level.
The goal should be to develop a security culture that can move security conversations to a proactive discussion of risks and trade-offs, not a reactive scramble after a security incident.
The Center’s 2012 CISO Assessment identified key traits of organizations that are leading the way in developing a security culture. “Influencers”, the most mature security organizations, are four times more likely to focus on improving enterprise-wide communication and are twice as likely to provide education and awareness as “Responders,” less mature security organizations.
Indeed, other research by the Center identified that in the next three to five years, security leaders will be looking to increase cybersecurity training and education across their organizations as well as developing the leadership acumen of their own security professionals. This detail suggests that organizations seeking to effectively address cyber threats should focus on laying the foundations of a security culture through educating users and developing security staff.
2. Collaborate on security issues inside and outside the enterprise
As a government security leader who engages private industry partners, Kerr must take an ecosystem approach to security, balancing the aspects he can directly control against how best to leverage trust with internal teams and his broader community of contractors and partners.
But this work is only beginning to be formalized within both government and private industry. In its 2014 Assessment, the Center found that even though 62% of security leaders surveyed strongly agree that their organization’s risk level is increasing due to an increasing number of interactions and connections outside of the enterprise, less than 42% of organizations are members of formal industry-related security groups.
Congress is trying to formalize this process by adopting cybersecurity legislation (currently under consideration) that would make it easier for companies to share cyber-threat information with the government without facing legal liability.
3. Meet current government compliance standards but partner for the future
Since he’s charged with protecting national resources, technology and applied innovations housed at ORNL, compliance and Federal oversight are knitted into the fabric of Kerr’s security organization and guide his risk management approach. Federal standards help to maintain “cyber hygiene” and create a common platform for industry and government to develop security solutions.
Yet inside and outside of the Federal government, security rules and procedures are constantly being refined and sometimes rewritten as new technologies are introduced and new threats discovered. The result, as the Center’s 2014 study found, was that even though organizations surveyed indicate that the time they spent on addressing government compliance was second only to that spent on external threats, few security leaders are partnering with legal and compliance officers extensively. Elevating compliance issues to the senior leadership team can help organizations better plan in a fluid regulatory environment.
4. Tie security value proposition to the organization’s overall performance
Finally, as Kerr noted, the work of the CISO is rarely seen as core to the mission of the organization. In ORNL’s case, risks must be assessed and tradeoffs analyzed to reach a decision on the best allocation of funding between the core mission of research and that of security. Therefore Kerr must move the conversation on security investment away from a perceived “zero-sum game” and towards demonstrating the value of security to the Lab’s overall mission. To be most effective, he focuses on educating the research staff on how an appropriate level of security protects and ultimately improves the effectiveness and integrity of the Lab’s research.
Kerr’s challenge highlights the struggles that many security leaders face. In the 2013 Assessment, the Center found that two-thirds of leaders surveyed do not translate security metrics into financial results, often because “they lack resources or the business requirement to do so or because it’s just too complex to calculate.”
Failure to quantify risk or to demonstrate the value of security investments can constrain security leaders’ ability to communicate with key mission leaders, which makes it harder for them to effectively and accurately represent the condition of the organization internally. Therefore, a common set of value-focused security metrics is essential for the CISO to be effective across the enterprise, particularly with executive management.
Extending leadership lessons to secure the Smart Grid
Even as the workshop’s proceedings moved into more technical discussions of the challenges of managing the new Smart Grid, security leadership was not far from the conversation. In particular, a discussion of the role of the CISO within the broader risk management organization highlighted how CISO and C-Suite collaboration as well as overall governance is vital to defending critical infrastructure such as the electric grid.
Perhaps even more important is the role of technical standards in cybersecurity. Participants commented that the slow time to market of technical standards (on average five to seven years) exposes the grid to cyber risks. As noted above, the Center found that standards are a concern across industries as organizations struggle to innovate and that participation in industry groups is vital to developing effective standards and policies.
This long view of the electric power industry led Annabelle Lee, Senior Technical Executive at the Electric Power Research Institute, to identify several key lessons for utility CISOs including:
- Recognize that cybersecurity is key to both the privacy and reliability of the Smart Grid
- When delivering security measures in systems, focus efforts around confidentiality, integrity and availability
- Don’t forget to learn from more than 40 years of IT security developments
- Realize compliance does not equal security
Moving towards Smarter Security Leadership
- Focus on building a security culture.
- Collaborate on security inside and outside the organization.
- Meet today’s compliance needs while partnering for the future.
- Measure security outcomes in the context of the organization’s mission.
These principles will serve leaders and their organizations well even as new security challenges emerge.