
Three approaches to drive cybersecurity maturity and success

The right metrics empower energy company chief information security officers (CISOs) by validating cybersecurity investments amid scrutiny.

In brief
  • In the energy sector, cyber risk is growing — and so is the need to cut costs and improve the customer experience as the energy transition progresses.
  • Making a strong case for cybersecurity programs has been difficult for many energy companies.
  • Demonstrating the effectiveness of cybersecurity investments means presenting positive results through metrics that cover certain high-risk areas.

It’s a fairly common scene: While preparing for a board of directors meeting or other important management update, a chief information security officer (CISO) and another C-suite executive together scrutinize the cyber metrics and KPIs they’ll present. The two aren’t expecting perfection; instead, they hope for a healthy mix of positive and marginal results to demonstrate a cybersecurity program’s success while showing that they’re also addressing areas of improvement.

This approach makes sense. It’s healthy and safe. But does it drive the right organizational behaviors?


As threats to the energy sector continue to escalate and regulators continue to drive changes in reporting, CISOs will feel more pressure to demonstrate the effectiveness of their programs. Whether the executives are standing up a new metrics program or tweaking priorities, making this case is an important part of incorporating cyber risk into an organization’s business strategy. But a recent EY survey found that energy companies in particular are struggling with cybersecurity, with only 35% of energy respondents saying their organization is well positioned to take on future threats, compared with 48% of all other industries. Only 22% are satisfied with their non-IT workforce’s adoption of best practices. They are more likely than other industries to take a “wait until technology is tried and tested” approach and point to not prioritizing emerging technology integration as the biggest internal cybersecurity challenge.


The justification of all investments has become especially crucial as the energy transition progresses. To stay on track during the transition and transformation, energy companies need to keep focus on the ultimate goal: providing an excellent customer experience. That requires them to offer affordable, reliable service and a seamless, integrated experience. But so far, rising costs have negatively impacted consumer confidence in the sector and may continue to do so if customer expectations aren’t met. A major cybersecurity incident would only compound the negative impact on consumer confidence already present. The last thing the sector needs is a loss of consumer confidence, which could stall the energy transition.

Choosing cyber metrics

One of the best ways to demonstrate the effectiveness of key parts of a cybersecurity program is to establish metrics that are actionable, auditable, drive changes in behavior, and educate and enable leaders to make risk-informed decisions. Without the right mix of metrics, companies are just burning valuable staff capacity that could be used elsewhere. If this sounds familiar, know that many other cybersecurity leaders are struggling with the same issue.

Failure to prove a cybersecurity program’s effectiveness jeopardizes the CISO’s chances of gaining the necessary support to implement adequate measures. In a different EY survey about how CISOs can adapt to enable a digital future, 50% of cybersecurity leaders in the power and utilities (P&U) sector said they were working with budgets that wouldn’t cover the costs of managing the cybersecurity challenges they encountered during the prior 12 months. The P&U sector was the most likely to have suffered a rise in the number of disruptive attacks such as ransomware (80%), while the oil and gas sector (79%) was the second most likely.

For energy board and operating committee reporting — and really any management-level reporting — the metrics should focus on simplicity and clarity (would most audiences easily understand what you’re measuring?), behavioral reach (how deep and far are the metrics driving good behavior inside and outside your organization?) and consistency (does the audience know what to expect month to month, quarter to quarter, with little to no “bringing up to speed” needed during ops reviews?).

Based on these tenets, we chose three areas you should consider reporting on that are critical to the success of any cyber program and, when healthy, indicate a healthy digital environment:
  • Vulnerability management
  • Email security
  • Third-party supplier risk

These three areas cover the three most exploited attack vectors and, between them, every business unit in the organization. The risk areas also align to all levels of responsibility within the energy company so that everyone feels like they own a part of the outcome. The last thing you want is to present risk reports to the board and have the CISO own every single output.

1. Vulnerability management

Cyber vulnerabilities have been multiplying in recent years, making speed to closure more and more critical to measure. One study showed energy firms were the most commonly attacked organizations in North America.² Gone are the days when it was acceptable to spend weeks or months before mitigating known vulnerabilities, especially those that could impact high-value assets or that have been known to be exploited. Being able to measure how nimble and attentive digital asset owners are toward exploits will drive asset owners toward action and prioritization.

It is a good idea to tactfully highlight the number of opened and closed (high or critical) vulnerabilities in the environment across all operating systems and platforms. Traditionally, the goal has been to close them within 30 days, but these days the time frame is trending toward a week or less. This can be broken down by operating system for a more technical audience, but for a board or operating committee, keeping it high-level and only addressing risks that directly impact business operations is important.
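As an added illustration (not code from the original article), here is a small Python script that computes the closure metrics just described from a handful of constructed finding records: open and closed high/critical counts per platform, how many are past the closure target, and the median days to close. The record fields, the 7-day default target and the sample data are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Constructed sample finding records (not real data): one row per
# vulnerability instance, with the date it was opened and, if fixed, closed.
@dataclass(frozen=True)
class Finding:
    asset_os: str                  # platform the finding was raised on
    severity: str                  # only high/critical feed board reporting
    opened: date
    closed: Optional[date] = None  # None means still open

SAMPLE = [
    Finding("Windows", "critical", date(2024, 5, 2), date(2024, 5, 6)),
    Finding("Windows", "high", date(2024, 5, 3), date(2024, 5, 20)),
    Finding("Linux", "critical", date(2024, 5, 10), date(2024, 5, 12)),
    Finding("Linux", "high", date(2024, 5, 15)),
    Finding("OT/ICS", "critical", date(2024, 4, 1)),
    Finding("Linux", "medium", date(2024, 5, 1), date(2024, 5, 2)),  # filtered out
]
REPORT_DATE = date(2024, 5, 31)  # constructed reporting date

def closure_metrics(findings, as_of, sla_days=7):
    """Per-platform closure metrics for high/critical findings as of as_of.

    Open findings are aged against as_of, so a stale finding counts as
    past the target even though it has no closure date yet."""
    per_os = defaultdict(lambda: {"open": 0, "closed": 0, "past_sla": 0, "days": []})
    for f in findings:
        if f.severity not in ("high", "critical"):
            continue
        row = per_os[f.asset_os]
        if f.closed is None:
            row["open"] += 1
            age = (as_of - f.opened).days
        else:
            row["closed"] += 1
            age = (f.closed - f.opened).days
            row["days"].append(age)
        if age > sla_days:
            row["past_sla"] += 1
    return {
        os_name: {"open": r["open"], "closed": r["closed"], "past_sla": r["past_sla"],
                  "median_days_to_close": median(r["days"]) if r["days"] else None}
        for os_name, r in per_os.items()
    }
```

Running it with sla_days=30 instead of the default shows how the same data reads against the older 30-day target.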

We also use this section of reporting as an opportunity to discuss what’s happening in the media around cybersecurity vulnerabilities affecting the energy sector. This is an especially timely topic amid wartime activities around the globe, as malicious actors could be targeting countries’ infrastructures, including utility companies, for potential cyber attacks.³ Additionally, highlighting geopolitical activities that could impact the likelihood of an attack is a great opportunity to showcase your team’s cyber intelligence capabilities, especially if you made a major investment in improving these capabilities. Taking the time to punctuate global headlines that savvy business leaders might have already read demonstrates that you are looking at the big picture.

2. Email security

According to one study, spear-phishing attachments were a top identified infection vector in incidents in North America, accounting for 20% of the incidents reviewed.⁴ However, it has been eye-opening to learn that many cybersecurity organizations have a mock-phishing program but do not use the results to drive changes in behavior!

World-class organizations publish the monthly click rates of each suborganization, benchmark against industry click rates and generate competition internally. Some teams even tie click rates to annual compensation structure — yes, bonuses tied to good or subpar clickers!

This section within the operating metrics tracks the monthly mock-phishing “click metrics” for the entire organization. It also tracks the “report rate” or what percentage of people actually report the phish to cyber (via a shared mailbox, an IT ticket or a report within an email application). And finally, the number of repeat clickers in the organization should be reported. These are the employees who just don’t get it; because they don’t pay attention, they pose a significantly greater liability.

Behind this section are typically more pages that are designed to provide details for each organization’s progress, allowing the business leaders to see their own organization’s performance and address issues or trends. If done properly, this can be a very effective tool and produce metrics associated with clicking on and/or reporting phishing emails.
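As an added example (not from the original article), the following Python computes the three email-security metrics described above from constructed mock-phishing results: per-business-unit click rate and report rate for a given monthly campaign, and the list of repeat clickers across campaigns. The row layout, unit names and employee ids are assumptions.

```python
from collections import defaultdict

# Constructed mock-phishing campaign results (not real data). Each row is
# (campaign month, business unit, employee id, clicked, reported).
CAMPAIGNS = [
    ("2024-03", "Generation", "e1", True, False),
    ("2024-03", "Generation", "e2", False, True),
    ("2024-03", "Generation", "e3", False, False),
    ("2024-03", "Trading", "e4", True, False),
    ("2024-03", "Trading", "e5", False, True),
    ("2024-04", "Generation", "e1", True, False),
    ("2024-04", "Generation", "e2", False, True),
    ("2024-04", "Generation", "e3", False, True),
    ("2024-04", "Trading", "e4", False, True),
    ("2024-04", "Trading", "e5", False, False),
]

def unit_rates(results, month):
    """Click rate and report rate per business unit for one campaign month.

    Rates are fractions of recipients in that unit, rounded to 3 places."""
    counts = defaultdict(lambda: [0, 0, 0])  # recipients, clicks, reports
    for m, unit, _emp, clicked, reported in results:
        if m != month:
            continue
        c = counts[unit]
        c[0] += 1
        c[1] += int(clicked)
        c[2] += int(reported)
    return {u: {"click_rate": round(c[1] / c[0], 3),
                "report_rate": round(c[2] / c[0], 3)}
            for u, c in counts.items()}

def repeat_clickers(results, min_clicks=2):
    """Employee ids that clicked in at least min_clicks distinct campaigns."""
    clicks = defaultdict(set)
    for m, _unit, emp, clicked, _reported in results:
        if clicked:
            clicks[emp].add(m)
    return sorted(e for e, months in clicks.items() if len(months) >= min_clicks)
```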

3. Third-party supplier risk

Along with the increasingly global nature of the digital supply chain in the energy sector comes heightened risk as the reliance on lower-cost foreign software suppliers grows, according to the U.S. Department of Energy.⁵

The final, but very critical, portion of the management discussion is where we report on how many suppliers were assessed by our third-party risk process. That process usually includes a risk rating from an external tool or service (often set up like a credit bureau for cyber risks) and a Standardized Information Gathering questionnaire (commonly known as a SIG) sent to suppliers to assess their security program.

More importantly, we also report how many high-risk suppliers are still being approved by business units each month. If a business unit is going to accept risk on behalf of the company despite there being a red flag warning them not to, the unit should have to explain why they approved the high-risk supplier.

The goal is for there to have been no high-risk suppliers that were approved — avoid doing business with them if possible. Any approval number above 0 triggers a very lengthy but fruitful discussion with those business units about that supplier, why it is critical to do business with them and what the viable alternatives are.

Developing support for your cyber program

Now more than ever, energy company CISOs need a persuasive case for their cybersecurity programs. Presenting the right cyber metrics or KPIs is a big step toward making that case.

Vulnerability management, email security and third-party supplier risk are three areas where compelling metrics can be found to demonstrate the strength of a cyber program. These areas reflect three of the most exploited attack vectors and cover the entire organization.

In terms of developing the necessary support for cyber measures, communication is a key element. Effective CISOs keep the lines of communication open with all tiers of the organization so that cybersecurity is embedded throughout the organization. Success with a cybersecurity program can be hard to come by if not all parts of the business feel that they have a stake in the outcome.

In addition, when it comes to discussing program results with the board, energy company CISOs should avoid being too technical; instead, use business terms to emphasize how cyber measures — or a lack thereof — would impact the business and its ability to create value. When CISOs use business terminology to paint a clear picture of the need for cybersecurity, board members can better grasp the importance of these measures.

Achieving all of this is especially critical as the energy transition progresses. With a healthy cyber defense against ever-growing threats, a power or utility company can safeguard its business. It can also protect its ability to provide high-quality service that will satisfy customers — a key to the advancement of the energy transition.


Never has the need for CISOs to justify their cybersecurity efforts been so strong, especially in the energy sector. To do so, they must highlight progress using the right metrics or KPIs. Vulnerability management, email security and third-party supplier risk are high-risk areas where CISOs can find these metrics to prove their cybersecurity program’s strength. The energy transition has made this even more critical. How cybersecurity is handled can impact energy consumer confidence, which must stay high for the energy transition to proceed.
