There is a growing call to raise awareness of, and investment in, the security and resilience of our most critical utility infrastructure in the face of growing and more sophisticated cybersecurity attacks. With so many competing investment priorities for Asian utilities, how can providers of water, power, and oil and gas justify capital investment to reduce these risks?
Mature regulation in the United States, alongside a number of voluntary standards, continues to drive many of its utility security investments. In Asia, similar localized regulations and applicable standards are nascent and still being formalized, although the upcoming Cybersecurity Act in Singapore may create new urgency to invest in utility security initiatives domestically as well as in the surrounding region.
The Investment Dilemma
Security investments, in themselves, don’t provide the kinds of returns that other investments deliver. This creates a dilemma. With investment in security, you are typically not driving revenue or decreasing costs. What you’re really doing with your investment is buying a reduced level of risk.
To be satisfied that your security investment will be effective, a systematic, framework-based approach is required. Three foundational steps must be in place (none of which is particularly trivial to execute):
- Understand your current levels of risk.
- Set your target risk levels.
- Measure ongoing risk levels to prove your investments are having the intended effect.
Today’s security concerns go beyond the IT department of utilities, and as a result accountability is split across multiple functions and turfs. Stakeholders are dispersed across operations, IT and finance, giving few clear lines of sight for budgeting. This organizational turf battle underlines the need for an enterprise approach to managing security risk.