P&U CEOs sharpen their focus on cyber defenses
In an era where cyber incursions are a virtual inevitability, cyber security for power and utility (P&U) organizations now extends beyond IT and security professionals and well into the realm of C-level executives and boardrooms.
P&U executives both in Canada and around the world are stepping up to the challenge, but they are feeling the pressure. About half of global P&U CEOs surveyed in KPMG International’s Global CEO Outlook showed concern that becoming the victim of a cyber-attack is a matter of “when” and not “if”, and not all CEOs are well-prepared to manage such a potentially crippling event. The story is the same in Canada.
“The digital era has fundamentally transformed all sectors of the economy, including the utilities sector. Technology-driven opportunities have fueled innovative new strategies and business models, but they have also opened the door for significant risks as cyber criminals are becoming more sophisticated and organized,” said Jeff Thomas, Partner for Risk Consulting with KPMG in Canada. “The cyber threat is very much alive as organizations have seen enough high profile breaches around the world. It is critical that P&U companies fortify their defences and connect all areas of the enterprise under an integrated cyber defensible position.”
Too few organizations are fully prepared for the increasing risks of today’s interconnected world. This is true for North American utilities as well, which score comparatively low on the Information Security Forum’s Benchmark for Cyber Maturity. Gone are the days when cyber security was viewed narrowly and firms simply needed to buy cyber insurance or conduct phishing awareness training. Cyber resilience now extends to the operational side of the business, and organizations need to take the necessary steps to better protect their systems and sensitive assets.
Thomas adds, “Power and utilities executives need to adopt a holistic security and controls framework and an enterprise risk management mindset to adequately address evolving cyber risks. Organizations who develop robust in-house cyber defense programs that bridge the gap between the operational side and the corporate data side will be better positioned to meet potentially crippling cyber threats.”
As CEOs navigate around these cyber issues, they are starting to see the importance of new workforce capabilities in supporting their organizations’ future growth. P&U organizations are constantly pursuing talent who can not only maintain a high level of cyber preparedness, but also help drive digital transformation. They must also continually adapt their culture and values to cultivate an environment that is attractive to this new breed of talent.
The demand for new tech talent is high in all industries in Canada and, indeed, internationally. KPMG’s CEO Outlook asked corporate leaders which specialists they required for future growth. Their top three responses were: emerging technology specialists, scenario- and risk-modeling specialists, and cyber security specialists. These are the experts that will help guard against virtual incursions.
In a highly customer-centric industry such as P&U, CEOs also understand the importance of protecting customer data. Nearly two-thirds of all CEOs in the aforementioned global KPMG survey said that protecting customer data is critical to enabling growth in their future customer base.
“CEOs need to make sure cyber investments are not just focused on incremental innovation but that they are also investing in business model innovation which will ultimately help future proof an organization against disruption,” says Thomas. “Technology is not a ‘one-time’ event. Companies that see the big picture and take a holistic business-wide approach to cyber security will be poised to win in the digital era.”
Five key takeaways to help create an effective cyber risk management strategy:
- Identify your ‘crown jewels’ and use common language to describe the business impact of a breach.
- Make business decisions about what level of risk is tolerable, and fund the implementation of controls and processes to manage risk to a tolerable level.
- Monitor your environment and your controls to ensure they are working and get regular independent validation for controls protecting your crown jewels.
- Be prepared to respond, and practice your response: technical incident management, business continuity, communications, and legal.
- Cyber security is everyone’s responsibility; train each of your team members how to be cyber security aware.
For more information please visit: https://home.kpmg.com/ca/en/home/insights/2018/12/2018-kpmg-ceo-outlook-power-utilities.html
Jeff W.G. Thomas
KPMG in Calgary