Insight

Mixed signals for cyber security priorities in energy

Perspectives on cyber cost optimization

Michael Gomez

Michael Gomez

Principal, Cyber Security, KPMG US

+1 202-533-5007

Christian Kon

Christian Kon

Manager, Advisory, Cyber Security, Energy & Natural Resources, KPMG (US)

+1 407-921-3429

COVID-19’s impact on the Energy industry has been pronounced, and many Energy companies have had to navigate severe cash-flow challenges. Hardest hit have been Oil & Gas companies, who have had to contend with both demand shocks (as economic activity has stalled) and plummeting prices. Amidst the fighting for survival, Energy executives have typically focused their attention on immediate cash-flow concerns, blind-spotting the rapidly expanding cyber risk.

Despite the above, there is cause for optimism, proactive Chief Information Security Officers (CISOs) in the Energy industry have been prompted by the current economic climate to streamline their cyber programs. We have seen Oil & Gas CISOs eliminate unnecessary expenses that have accumulated over time, and Power and Utilities CISOs have exerted a renewed scrutiny on program efficiency. While the road ahead may appear daunting, initiatives such as these are critical to achieve longer term efficiency, agility, and sustainability. Organizations which move beyond merely ‘surviving’ COVID-19 will position themselves to thrive in the ‘new reality’ phase with a greater ability to keep pace with continuously evolving business needs and cyber risk exposures.

Energy’s cyber security faces a hard reset

Many Energy companies will be forced to cut their cyber security program budgets. To accommodate this without inadvertently creating additional risk exposure; CISOs need to proactively manage their finances. Across various Energy organizations, KPMG has witnessed:

  • Immediate defunding of projects and capital expenditure that do not address or support immediate business viability;
  • Budgetary scrutiny, return on investment re-computation, and ultimately cuts across operating expenditure impacting headcount, technology, and supplier arrangements;
  • Rapid acceleration of programs which either help expedite the recovery or free-up working capital throughout the crisis period.
  • Creative usage of remote working enablers, eliminating travel budgets and reducing office rent and other on-site related costs; and
  • Executive, shareholder, and program budget sacrifice to minimize personnel reduction.

The ever shifting landscape

To further complicate matters, Energy organizations are experiencing unparalleled change within their business and technology operating models. From the shift to renewable energy sources, to the exponential uptake of Internet of Things (IoT) technologies, Energy companies are transforming at prodigious pace. As a result, operational technology is becoming increasingly susceptible to cyber attacks. Cyber vulnerabilities in Energy companies are prime targets for sophisticated (including state-sponsored) adversaries and the ramifications of an incident can be severe.

Given the threat landscape facing Energy companies, Energy regulators are increasing their focus on cyber security. Cyber security regulations becoming enforceable worldwide include the North American Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) and the Network and Information Systems (NIS) Directive. CISOs need to evolve. Demonstrating compliance with these requirements requires CISOs to make additional investment in maturing their security programs.

Adopting an innovative and agile mindset

A key skill for Energy CISOs will be the ability to articulate their program’s value and prioritize security initiatives in business terms, against a continuously evolving business (and threat) environment. Cyber cannot afford to be misunderstood or a ‘catch-all’ term, but instead must be detailed in terms of cost, risk exposure, and return on investment. Initiatives which drive innovation across tooling, process automation, and the use of scarce cyber security personnel will be critical to the next wave of cyber security leaders.

Energy CISOs should drive agility through their organization through embedding lean initiatives. Our experience is that the “80/20” rule, wherein 80 percent of value can be realized with only 20 percent of effort (and cost), holds true for security organizations. By definition, the majority of value is derived from the “crown jewel” assets, and focusing on protecting and enabling these should be the organization’s primary focus.

In practical terms, CISOs can return to their risk matrix, thinking through the following:

  1. In the current context of cost pressure, which controls do not prevent immediate monetary loss?
  2. Which controls provide the ‘biggest bang for the buck’ reducing risk while not costing too much?
  3. Can the scope of controls be temporarily reduced or refined to focus on “crown jewel” assets?

It is likely that the outcomes will identify a narrower set of critical assets and cyber hygiene controls which cannot be ignored without creating a significant risk exposure. These assets should then become the company’s prioritized ‘red lines’.

With these prioritized ‘red lines’, CISOs can clearly see where spending must occur first before utilizing any left-over. The difference between these newly defined ‘red lines’ and the pre-crisis scope is limiting the potential ‘security debt’ – items needing to be tracked and addressed in the long term with reduced monitoring and management in the short to medium term. With any potential left-over budget, CISOs can use agile methodologies to iterate the prioritized programs into scope one at a time.

Actionable Activities

With agile and innovation in mind, Energy CISOs may consider these activities available to help realize immediate and longer term cost savings.

  • People – Rather than performing sweeping cuts on personnel when most security programs are already struggling with attracting talent, explore options of temporarily shifting non-critical security personnel part-time to other high value open positions. While it is not ideal to stretch resources too thinly, in these times, it may be acceptable to have more tasks performing at half capacity.
  • Process – Operating procedures evolve over time and are often not critically evaluated for ‘bloat’ costing resources in both time and effort. Now is the time to engage staff to identify areas where tasks seem meaningless or low value, and identify whether short-term gains can be made in efficiency. Some non-critical personnel may be perfect for handling the improvements.
  • Technology – Revisiting the technology cost, capability, and usage is always a worthwhile exercise, particularly as the functionality and abilities of these evolve over time. CISOs should be mindful of functional overlap and redundancy, and proactively look to identify tool consolidation opportunities. Do multiple asset databases and change ticketing systems inhibit process performance and efficiency? Have you tasked your procurement professionals to (re)negotiate the most favorable licensing terms?
  • Innovation and automation – Encouraging and rewarding innovation during these times may yield unexpected results. Teams are going to be stretched as we move into a ‘new reality’, and opportunities to automate, streamline, or change operations should be sourced from across the security organization, from grassroots upward. A ‘no idea is a bad idea’ culture will empower employees to actively participate in the future success of the organization.

Conclusion

There are many nuances to how COVID-19 has impacted companies operating in the Energy industry. One common thread, however, is the need to rapidly activate change capacity within the security organization, and with this to make some critical strategic decisions. Successful CISOs should prioritize protecting the company’s “crown jewels” and enable their employees to identify innovative approaches to improving efficiency while reducing risk and security debt. It is said that the strongest steel is forged in the hottest fire, so let this crisis be the heat necessary to forge stronger, more efficient, and more innovative cyber security programs.