Cyber Security Leaders - Rosa Kariger, Global CISO @ Iberdrola Group
Rosa Kariger is the Global CISO of the Iberdrola Group, one of the world’s biggest electricity utilities and a leader in clean energy and smart grids.
From this position she leads the cyber security strategy, governance, intelligence and oversight for both the IT and OT environments in all countries where the Group operates. She is also responsible for ensuring compliance with applicable Privacy and Data Protection regulations in all countries.
Rosa holds a master’s degree in Industrial Engineering from the Polytechnic University of Madrid and has participated in the Executive Development Program at IESE Business School and the Global Leadership Program at IMD Business School.
With more than 20 years of experience in the electricity sector she participates in several international expert groups for cyber security in the electric industry and is co-chair of the World Economic Forum “Systems of Cyber Resilience: Electricity working group”.
What do you see, if any, as the gaps in current practices around cyber security risk management?
In my opinion, the biggest gap is the approach to cyber security risk management itself. In most companies, cyber security is still seen as a technical issue and is managed by technical experts disconnected from the risk owners: the businesses, who in turn are the ones leading the innovation and digitalization of their processes, with no proper understanding of or responsibility for the underlying cyber security risks.
Cyber security experts have an important role in implementing and operating technical solutions to mitigate the risks and in detecting and responding to cyber threats. But they usually are not involved in the company’s decision-making processes and their goals are not necessarily aligned to the goals of the business. In most cases they don’t even speak the same language. This makes it difficult to justify the budget required for cyber or the need to deploy cyber security solutions that are a nuisance for the business.
In this situation, many cyber security managers are asking for a seat in decision making, a direct report to the CEO to get more power and in general more ability to influence the businesses. But is this the right approach?
Let’s ask ourselves these questions: Why would a sales manager be willing to accept the risk of not being able to serve his customers? Why would the person responsible for a manufacturing plant be concerned about a production shutdown due to poor maintenance or component failure, but not one due to a cyberattack?
The only possible answer is a lack of understanding of how cyber security risks can affect their goals, or a false sense of security that there is already someone else taking care of this risk (one that’s very complicated to understand anyway…).
In my opinion, the only way to properly address cyber security risk is by handing over the responsibility to the risk owners, the business managers, with proper training and support of the technical experts and sound coordination and oversight mechanisms by the Cyber security Leader.
The role of the CISO should be to lead this cultural transformation in the company and to build a bridge between the business managers and the technical cyber teams, to enable the company’s digital transformation with the proper (risk based) level of security and compliance.
As a CISO how do you communicate the seriousness of cyber risk to the board?
I think that nowadays boards are already aware that cyber is a serious risk, but in an abstract way. They hear about hackers and cyberattacks in the news and know that their company could also be affected, but not exactly how or how likely it is.
Boards essentially want to know if “we’re secure”, but this question can’t (and shouldn’t) be answered with a yes or no. Presenting them with frightening metrics of the millions of events detected by the SIEM or the number of companies that have suffered (and paid) ransomware attacks does not help increase their understanding, nor does talking about multi-factor authentication or encryption.
First, they must understand that cyber is just one more operational risk, one derived from digitalization, and as with any other risk, it can be mitigated and even eliminated. It’s a common saying that there’s no such thing as zero risk, but it’s not true. Risk is inherent to doing business and you can achieve zero risk by not doing business at all. And we could always go back to manual operations… or not?
So, it’s a matter of risk appetite. Cyber must be an enabler, not a stopper, of digital transformation and focus on what really matters: the business-critical processes and the technology supporting them.
When reporting to the board, I usually present the key risks to the businesses, describe how we’re progressing in our strategy to embed cyber security into business decision-making processes, and the results of assessing the level of security of our critical processes, as well as our preparedness to withstand a cyber incident, minimizing the impact on the company’s goals and reputation.
How can a CISO ensure that staff get behind the idea of a security culture in the company?
Having a sound cyber security culture in the company is key to mitigating the risks. Most cyber incidents, if not all, are caused by human misbehaviour, if we count as such the failure to implement proper cyber security measures due to a lack of awareness or understanding of the risks.
It is important to train and raise awareness among all employees on how to navigate securely, detect and report phishing, protect their devices and make proper use of technology. Staff operating and maintaining IT or industrial control systems, or with high-risk roles, also require specific cyber training.
But employees are not only users of the technology, they’re also professionals that make decisions that have an impact on the company’s technology ecosystem. And they need to be aware of the risks that these decisions entail and of the rules and procedures they must follow to mitigate them.
In my experience, the most effective way to raise awareness of risk is to experience a cyber incident. But we don’t need to wait for this to happen. The cyber security training & awareness program should include simulations and role plays based on realistic scenarios.
You know that you’ve reached an adequate level of cyber security culture when the CISO is seen as an ally in understanding and mitigating cyber security risks and not as the sole person responsible for cyber security or a cop you should try to hide from.
What particular security challenges does your industry face?
To be able to respond to the challenges of the energy transition, the electricity industry is undergoing a deep transformation based on the decarbonization and decentralization of production, which has to be supported by new renewable energies, more and smarter grids, and a rapid digital transformation. In operational environments, these new technologies must coexist with legacy systems with very long life cycles that were not designed to face the digital challenges.
New actors are entering the electricity ecosystem and connecting to the physical grid with the potential to create cascading effects in case of compromise. Utilities are also highly dependent on product manufacturers that are not subject to any cyber security regulation or certification requirements, and in general are exposed to an increasingly complex supply chain with diverse cyber security maturity.
From a threat landscape perspective, as operators of critical infrastructures and providers of a service that is essential to society, we are not only subject to fraud, espionage, or hacktivism, but also to terrorism and geopolitical threats.
Overall, we are facing a rapid growth in the complexity of our ecosystem and the threat landscape, which makes it increasingly difficult to properly oversee cyber risks and requires a holistic and systemic approach to mitigating them.
How do you prioritize what risk is acceptable or not in a highly innovative business environment?
First of all, I’d like to clarify that it’s not me who can accept or reject a risk to the business. Only the risk owner can do it, the one who will suffer the consequences in case the risk materializes. My role is to make sure that the one making the decision has a very good understanding of the risk.
Of course, there are certain red lines drawn by our cyber security rules. The strongest requirements are set for systems and infrastructure supporting critical infrastructures, highly sensitive information, and business-critical processes. Crossing them, even temporarily, requires not only very strong justification, but also alternative mitigation measures and approval at the highest level.
But in general, it should not be necessary to hinder innovation due to cyber security risks. It’s just a matter of time and budget. And most of the time, the conflict arises only if cyber security considerations are not included from the design phase.
Having cyber security embedded in any innovation process is key to maintaining the necessary speed and cost without putting the company in danger.
How important is information sharing within the sector to keep abreast of new threats and cyber security best practices?
Collaboration is undoubtedly one of the key pillars to ensuring that we are up to the growing challenge we face as individual companies, in the increasingly complex electricity ecosystem and in society as a whole.
There have to be strong collaboration mechanisms within the company (IT, Businesses, Security, Legal, etc.) and also with regulators, government agencies, our supply chain, and other companies and actors within our sector and the broader ecosystem.
There are multiple collaboration groups in place, at a sector, country or even global level, like the World Economic Forum’s “Systems of Cyber Resilience: Electricity working group” that I have the honour to co-chair. These groups are usually focused on sharing risk mitigation strategies, best practices in governance or technical solutions, and approaches to regulation and certification.
We also have several networking groups of CISOs, where we exchange information and threat intelligence in a trusted and informal environment. When it comes to cyber security, there is no competition.
This collaboration is key to enhancing systemic resilience, but we need to go a step further and implement platforms to share real time information about threats and attacks in order to increase collective intelligence, and establish formal protocols to provide mutual aid in case of a crisis.
Closing Statement
Cyber security is, or should be, inherent to digital transformation and the use of new technologies. It can’t be delegated to the cyber security team; it’s a responsibility of the entire company, and the key to mitigating the risks is a sound security culture and senior management support.
The company’s cyber security strategy should be designed to drive the cultural and organizational shifts required to enhance cyber resilience within the company and throughout the broader ecosystem.
The role of the CISO is to lead this cultural transformation, providing clear rules and guidelines and expert support to the businesses, coordinating and overseeing the progress of cyber security maturity within the company, and promoting ecosystem-wide collaboration.