The energy, utilities and commodities sectors have become one of the top targets of cyberattacks in recent years. In addition to a growing shortage in cyber talent, the mounting scale of cyber risks is underlining more structural and organizational issues for companies. In a previous HC Insider podcast, Simon Hodgkinson, bp’s former Chief Information Security Officer (CISO) discussed the impact of growing cyber risks. In this interview, he delves deeper into the effect on talent and offers possible solutions.
HC Insider: How has the threat of cyber-attacks evolved for oil and gas, energy, and commodity companies in recent years?
Simon Hodgkinson: There is a huge number of attacks from criminal gangs that are not specifically targeting the sector. Commodity companies are as likely to be attacked by these indiscriminate attacks as much as any organizations. Commodities companies are also subject to targeted attacks with sophisticated, state-sponsored actors being interested in disrupting the sector, especially given the current geopolitical environment. For example, organizations who are part of the supply chain for oil and gas should expect to be targeted by sophisticated cyber actors.
HC Insider: How is this risk – and the growing scale of it - taken on board and gauged by commodity companies?
SH: It depends on the organization. A lot of organizations are in a much better place with strong governance and risk management around cyber. For some, cyber security is one of the top risks. It gets the attention it requires at the board level and by the executive team. But some of the smaller houses are behind in terms of the maturity needed to manage cyber security. In many respects, this is down to the way cyber risk is articulated.
Many organizations see cyber risk as something special. It really isn't. It's just another risk that could cause an impact to the ability to deliver on the business outcomes, in the same way that you've got safety, market or credit risk. The accountability for cyber risk lies with the business and you need to apply the same risk methodology to cyber as one would for financial, operational or safety risk.
That also comes down to the maturity of the IT and cyber function and their relationship with the business.
HC Insider: What is the best approach for companies to fully embed cyber security capabilities, so this risk is not treated as an exception?
SH: Cyber security like any specialist discipline must be demystified. The role of the Chief Information Security Officer (CISO) or Chief Information Officer (CIO) is to talk about the risk in context of the impact to the business. It’s not about saying that the sky is falling because there are such and such vulnerabilities, or such actors are exploiting these weaknesses.
Their role is to talk as much as possible in quantitative, and qualitative terms, around the risk. How does the cyber risk impact the business’ ability to deliver its outcomes to customers or fulfill its legal and regulatory obligation? What is the appetite of the business to manage that risk? Because like anything else, risk management isn't about risk eradication. It's about understanding the appetite of the organization and how much risk they are prepared to take, and then actually making sure that the investment is made available to take the appropriate mitigation measures to match your risk appetite. Cyber risk needs to be discussed in the same way that safety, operational or financial risk would be discussed.
However, all too often the conversation is about deeply technical things that the board on the executive team can’t be expected to understand. The narrative must change to reflect business risk such that the executive team and the board level can understand and manage cyber risk.
HC Insider: From a talent and organizational perspective, what are the solutions that can and should be adopted?
SH: In many organizations where cyber risk management is immature, cyber risk is still managed by an individual or a team of well-meaning and talented people who are embedded in the organization’s infrastructure and often not even reporting to the Chief Information Officer (CIO), Chief Risk Officer (CRO) or Chief Operating Officer (COO). They are ‘buried’ within the organization and that to my mind is a huge mistake.
Given that an incident caused by a cyber-attack can lead to an organization being unable to deliver its business outcomes, whoever is responsible for cyber must have visibility at the top of the organization. This should be true for all organizations, whatever the scale.
This is what we did at bp; the CISO is a peer of the CIO/Chief Technology Officer (CTO)/Chief Digital Officer (CDO). Given the increasing importance of digital assets and digitalization to the outcomes of all businesses and the increasing cyber risk, I believe the Chief Information Security Officer will ultimately sit on the Executive Leadership team.
Equally, as with everything else, it comes down to relationships. I was blessed to have a hugely positive relationship with my CIO (I reported to him) who gave me open access to the executive team and board. We worked very well together.
Governance is equally important and cyber should have a regular cadence with the board, including the audit committee and for organizations with heavy assets such as refineries or manufacturing plants, the safety committee; cyber could be a trigger for a major accident.
HC Insider: What were the benefits of reporting to the CIO or the CTO?
SH: The downside of taking the management of cyber security out of the CIO, CTO’s remit, is that they are seen as outsiders. I found it hugely beneficial to be in the conversation with the CIO, getting visibility of what the business was doing, in terms of new country entry, new business or new technology.
Security must be embedded in all aspects of the business. Whether it is embedding cyber security engineers in digital transformation projects, experts on business leadership teams to advise on new business opportunities, experts on M&A teams to perform cyber due diligence, experts working with procurement on supply chain risks and experts in major construction projects such as rigs, pipelines, or wind farms. Retrofitting cyber security controls is incredibly expensive, and it is far easier and cheaper to do it right the first time.
The risk is so high, existential for some businesses, that it needs visibility throughout the business.
HC Insider: What would a successful talent strategy look like to ensure that a company has a solid cyber security risk policy?
SH: From a talent perspective, there is a huge issue in cyber security. There are reportedly three million vacancies globally and this is growing as organizations recognize the need to manage growing cyber risks. This has been exacerbated since the end of the pandemic with the so-called Great Resignation. There's a lot of senior cyber experts who are choosing to give up and do something else due to the extreme pressure of the role.
So, you've got not only this gap between supply and demand at the entry level, but also a gap throughout the hierarchy and now up to the very top of organizations, to C-suite levels where people are choosing to exit the market. This is a big problem building up.
HC Insider: How are cyber security skills evolving nowadays and how should they be deployed?
SH: First and foremost, companies need to get the right organizational structure in place. They need to recognize that this isn’t just about deeply technical people. This requires people who understand behavioral change from a cyber security perspective, governance risk and compliance, legal and regulatory implications across the globe and the technical competencies. You also need people who understand operational technology.
It's about valuing expertise across a diverse set of skillsets and of course that gives you access to a broader set of skills. It doesn’t have to be graduates coming out of university with a cyber security degree. That's one pool. It's a great pool and I encourage that.
HC Insider: What other talent options and pool should be considered for instance?
SH: Organizations now need to embrace things like apprenticeships and bringing people that maybe are not following or don't want to follow a purely academic path into universities and want to start on apprenticeship schemes. Certainly, in the UK there is amazing support from the government to do that.
From a diversity and inclusion perspective, there's an enormous opportunity to embrace neuro-diverse talent, after all the best teams are teams which have diversity of thought and especially in cyber security where you are often hunting for non-traditional patterns of behavior or data. However, to embrace neuro-diverse talent requires changes to our traditional recruitment processes.
First and foremost, we need a collective effort to educate children on cyber security to ensure they remain safe online. Then, by talking about cyber security and careers in cyber, we can hopefully encourage a new pipeline of diverse talent to address the supply of talent. I do career talks in local schools for an organization in the UK called Speakers for Schools.
You have got to take a broad view. Another challenge is that people are always looking for experience. In my experience, if you've got people with the right mindset, you can train them in cyber security.
There is equally an opportunity to leverage scale by using Managed Services, such as Managed Detection and Response (MDR) or Managed Security Service (MSS). This gives access to security experts deployed across numerous organizations and is often a great fit for small to medium organizations. One must remember however that we cannot outsource the risk – you are still accountable for the risk and must ensure it is appropriately managed and assured.
Embracing diversity and creating an inclusive environment where diverse talent can flourish is key for any organization’s success. This is critical to ensuring we can fill the gap between supply and demand in cyber talent.
I don't see the demand getting any smaller, there will be more and more demand for cyber talent and the gap is increasing. - FS
For any query regarding our activity and insight on cyber security in commodity companies, please contact Rick Lee, Portfolio Director of HC Group’s Commodities Technology practice.