It is that time of year once again when many people make bold proclamations of their intent to change certain aspects of their lives. In that spirit, I’d like to propose that organizations within the electric sector consider similar action, resolving to do one thing that can improve the long-term reliability of our power grids: develop a culture of security.
The obvious question here is, “what exactly constitutes a culture of security?” That question is the focus of this blog entry. An organization with a culture of security is one in which security is a core value that is recognized throughout, from top to bottom, side to side, and end to end. In such organizations, security sits alongside veteran values such as safety, customer service, financial integrity, and product quality. Security is viewed not as an external mandate or an unfortunate but necessary obligation; rather, it is seen as a necessary and desirable contributor to the overall success of the organization. Allow me to suggest three ways in which such a culture might manifest itself.
Secure is the default
Organizations should be secure by default. No, this is not a technical statement; it is a cultural one. Secure by default means that security is an unspoken assumption. It is unspoken because the alternative is so obviously incorrect that nobody would ever think to ask the question, in the same way that no employee has to ask their manager whether the organization is going to commit fraud or behave honestly and legally in its transactions. The answer, with rare exceptions, is always obvious.
Admittedly, security choices are seldom as well defined, but the point should be clear. The choice to be secure is the default choice, and any decision that opts for less security should be backed up by sound information and good business judgement. This means that the burden of proof is on those advocating against a given security program, policy, or technology, not the other way around. This is the complete opposite of how most organizations operate today.
Continuous improvement
The second area in which a security culture might manifest itself is in recognizing the need for continuous improvement. In other words, the job of security is never done. This does not mean that specific security-related projects can’t have completion dates, but rather that security as a whole is something that will always require diligence and effort, just like other important areas of operations.
A corollary to this point is the recognition that a need for improvement is not a sign of failure, nor is it a sign of impending doom. Part of the clamor around the security of our power grids reflects an immaturity that is incapable of distinguishing immediate threats from longer-term risks. This can result in a “sky is falling” approach which ultimately does more harm than good. Mature security cultures can appropriately distinguish between issues requiring immediate action and those that can be properly addressed in the intermediate or long term. Such cultures recognize security as a process and build long-term road maps to continuously improve. This ultimately results in more secure outcomes than can be accomplished by knee-jerk reactions to breathless proclamations of doom.
People not products
Finally, I would suggest that organizations with strong security cultures recognize that security requires people, not products. This does not suggest that security can be accomplished without technology; rather, it recognizes that technology alone cannot do the job. Moreover, security cannot be achieved solely by a siloed group of security specialists. Security requires an appropriate level of active involvement from all members of an organization based on their particular roles and responsibilities. Security is not a bolt-on technology any more than it is a bolt-on department. Security must be embedded into everything an organization does, and into everyone who does it.
This is not intended to be a comprehensive list of attributes associated with a strong security culture, but I hope it can become a starting point for discussion and self-assessment. Feedback is encouraged. I can be reached at: steve at energysec dot org