Make your security strategy good for business.
By David Weisong, CIO at Energy Solutions
Utility companies are, like just about all industries, increasingly concerned about cybersecurity—and for good reason. A malicious actor successfully infiltrating utility systems could potentially interrupt power delivery or critical processes, doing the kind of costly damage leaders in the industry have nightmares about. At the same time, utilities also face more mundane but no less threatening cybersecurity risks, including potential breaches of customers’ sensitive personally identifiable information (PII) and location data.
Recent increases in the quantity and, even more dangerously, in the quality of maturing cyberattacks on utilities have leaders tightening security across their ecosystems. This includes requirements that external partners must prove security best practices via third-party validation. Utilities raise the bar on these requirements each year, and rightfully so: any shortcomings in the security regimens of the businesses they rely upon can ultimately leave their own systems and data exposed. Our consulting firm is one of those companies that work closely with utilities and often handles their sensitive data to implement market-facing energy efficiency and demand energy response programs. In the face of our customers’ ever-escalating requirements, we made the business decision to lean deeply into security, rather than merely keeping pace with necessary practices.
What we’ve found is that committing to modernized cybersecurity has unlocked a key competitive differentiator for our business, driven by our ability to demonstrate holistic protections, check every box on validation tests, and remove any doubt in the minds of utility leaders that we’re the most secure partner they could choose.
You don’t want to overspend on security (on duplicate technologies, for example), but the risks of not having a robust security strategy implemented are just too big to ignore. There’s the financial cost of a data breach, and then there’s often the bigger cost: long-term reputational damage. Those factors alone would have been enough to get the C-suite buy-in required for security modernization at our firm, but the other big variable was that a revamped cybersecurity stack would enable us to gain more clients. While that may not be true for every organization, it was a clear path for us and certainly made it an even more clear case that cybersecurity changes were going to be well worth the investment.
Here are three key steps we took on our road to implementing the cybersecurity practices that have driven business growth for our firm.
1) Start with an existing and proven cybersecurity framework.
Rather than reinventing the wheel when it comes to structuring a cybersecurity stack that achieves holistic protections, we found it far more effective to begin by using SOC 2 Type 2 certification as our framework. SOC 2 Type 2 certification is designed to require service organizations like us to properly secure access to clients’ data and systems. It specifies security controls to assure that client data is secure, available, and private, while also carefully safeguarding processing integrity and user confidentiality. By enforcing SOC 2 Type 2 compliance as our own standard, we have an organized structure for methodically providing any security protections our utility customers could need.
2) Introduce encryption and access controls aligned with your framework.
In our case, our existing encryption and access control tooling and practices weren’t up to modern standards—a fact that’s true of most vendors in our industry and beyond. Pursuing SOC 2 Type 2 certification meant replacing implementations of our Microsoft BitLocker and Apple FileVault encryption key management tooling. While BitLocker and FileVault are capable of effectively securing data at rest, they have a relative lack of management options and require a high degree of manual effort to operate.
We launched a search for encryption and access control that could provide finer control and robust automation to make our security protections more proactive and effective. In our case, we landed on BeachheadSecure, which takes a zero-trust approach to delivering encryption and access control. We now prepare automated responses to myriad risk conditions that might arise, so that we have an action plan already in place. For example, any PC, Mac, phone, tablet or USB device that holds our customers’ data will have access automatically removed if it leaves an approved geofenced location, or if a pre-set number of failed logins occurs. Importantly, we also now have automated compliance reporting whenever our security practices are audited.
3) Secure endpoints with modern protections.
To defeat both file-based and fileless script attacks upon our clients’ endpoints, we leveraged several Webroot security products including Webroot SecureAnywhere. To prevent inbound malware and other DNS-based attacks, we chose Webroot DNS protection to provide threat intelligence and filtering automation that block risky domain requests. Finally, Datto RMM equips us with efficient remote device monitoring and management across the cloud. Remote endpoint security capabilities now allow us to deliver more effective security management and support.
Better security can grow your business
With the right security strategy in place, we are able to meet—and, importantly, exceed—the security mandates that many of the utilities required of us. Utilities regularly update their cybersecurity requirements and questionnaires to account for the latest protocols and an ever-changing IT environment. We have little, if any, influence to modify any client requirements to be considered a vendor. You must either accept and meet the full scope of the heightened security standards, or seek business elsewhere. Our cybersecurity investments aligned us squarely with the former, and the ROI case for doing so has been stellar.
Out-securing the competition has given us a distinct advantage in securing new customers, and our path is one that others can follow. Do so, and customers will regard your business as a singular source for their complete technology and security requirements, and one worthy of a long-term partnership.
About the Author
David Weisong is the CIO at Energy Solutions, a clean energy solutions firm. Energy Solutions combats climate change through market-based, cost-effective energy, carbon, and water management solutions that make big impacts. For over 25 years, Energy Solutions has been pioneering end-to-end, market-driven solutions that deliver reliable, large-scale, and cost-effective energy savings and carbon reduction to our utility, government, and private sector clients across North America. David can be reached via LinkedIn (https://www.linkedin.com/in/davidweisong/) and at https://energy-solution.com/.