Cybersecurity and Physical Security

Bringing your board onboard with your cybersecurity strategy

You need to implement appropriate security controls to protect your utility’s critical systems and sensitive data from increasing cybersecurity threats. However, this requires resources and support from your utility board and leadership team. Not an easy feat, considering all the competing interests the board must attend to. How do public power leaders address this issue?

Public power utilities involved with the American Public Power Association’s Cybersecurity Roadmap Advisory Council offer three key suggestions:

1. Keep it simple

When presenting to the board, keep your message simple. State the issue in high-level, non-technical terms and the solution in a few simple objectives, such as compliance, monitoring, and response. Be sure to start with the basics. What is cybersecurity? Why is it important? Why does IT/OT need a strategy for security?

Not getting into the weeds will keep things clear for your board members and help underscore the key messages you’re trying to convey.

2. Have a plan

The conversation with your board members will go a lot further if you start with a plan that has been reviewed by key staff members. Then constructive discussions about budgets and funding can follow. Your plan could include:

  • Milestones to help set concrete goals (short-term and over the next 2-3 years).
  • Metrics to help measure and provide an accurate picture of progress.
  • An employee engagement strategy.
  • Criteria for identifying risks.
  • Methods to prioritize risks.

While discussing the plan, define a pace of implementation that is appropriate for your organization. For most, it’s a measured approach that takes one step at a time, prioritizes the needs of your utility, and is implemented over a medium- to long-term horizon. Look for “quick wins” that can be addressed early on to show value to the board.

Board members will have more confidence in your plan if they know that you’ve done your homework. Consider reviewing existing guidance, frameworks, and policies such as the American Public Power Association’s Cybersecurity Scorecard, the full Cybersecurity Capability Maturity Model included in the scorecard, the Association’s Cybersecurity Roadmap, and the Large Public Power Council’s Cybersecurity Principles.

Look at similar programs being implemented at other public power utilities so you’re prepared to answer the question, “Where are we compared to our peer utilities?”

3. Bring employees into the loop

You can’t fully realize or implement a cybersecurity strategy without the support of your employees. Unless employees are trained and attuned to possible risks, breaches can persist — or, even worse, increase. Your plan should include an employee engagement strategy and build a culture of cybersecurity.

You may already have training and incentive programs for your employees to help safeguard against cyber attacks. If so, highlight for your board the program metrics — such as the percentage of employees who have participated in training modules — and explain planned exercises and incentives.

Don’t have an employee engagement strategy? Download the Association’s cybersecurity video library to start an awareness campaign. Now is the time to bring employees into the fold and make them a focal point of your plan.

Remembering to keep it simple, have a plan, and involve your employees will put you on the right track to gain the support of your board members. They will appreciate your holistic approach to cybersecurity. And remember that you are not alone in this – the Association’s Cybersecurity Scorecard and Cybersecurity Roadmap are valuable resources you can count on.