As a consultant now, after 10 years as a CISO, my clients are typically service providers and vendors. My experience is valuable to them because I can align requirements for products and services with CISO management strategies. Of course, I find it ironic that people pay me for advice that they would rarely take for free when I was a CISO. Then, I was hearing the common refrain, “But we have a very large and important user community, and no other company needs the product to have the feature you requested.” Frustrated, I chaired several industry-wide CISO committees in an attempt to persuade vendors that we all, indeed, had the same basic requirements. We all just had different custom work-arounds and compensating controls in place in order to make their product work within our unique security management frameworks.
Then, as now, the role of a security professional in the vendor review process is to help identify which vendors are “critical” to the security of information assets, and to then perform due diligence to ensure that the critical vendors are capable of providing required levels of confidentiality, integrity and availability. Vendor security was lacking, and vendor due diligence was typically an iterative cycle of review, gap analysis, promises and follow-up review. Where we were indeed the only company asking for some security features, we had little clout. But where I was able to gather other customers in the same industry to chime in, our chances of seeing improvements with each iteration increased considerably.
Today, we have a situation where we are all customers of one industry in particular that has continually turned a blind eye to information security issues. Moreover, all information handling is critically dependent on this industry. However, it has not yet felt the force of the CISO review cycle because it does not hold or process any information.
The industry is the U.S. energy industry and the critical asset on which we are all dependent is the nation's power grid. Internet attacks were a well-understood threat long before the power companies ever became dependent on the internet. Private telecommunications lines do not present costs that are beyond the reach of the U.S. energy industry. As Illena Armstrong exclaimed in her editorial last month, “It has become obvious that these organizations' leaders are grossly negligent in properly safeguarding these critical operations.”
As with any critical vendor, an appropriate CISO response is to band together. If every CISO who reads this column immediately places their energy providers on the top of their queue for third-party due diligence reviews, collectively we can train the energy industry on how to meet security requirements.
Jennifer Bayuk was formerly CISO at Bear Stearns.
