CEOs have long treated security as a low-level business concern.
In the fall of 2012, the Department of Homeland Security summoned 80 top U.S. utility CEOs to a meeting at Peterson Air Force Base in Colorado Springs, Colorado. The department gave each of them a secret-level clearance for the day and briefed them on emerging cybersecurity threats. When it was over, a Homeland Security official at the time said he overheard one CEO say, “They’ve got my attention but to be honest, I don’t even know the name of our security guy … Seems I better get to know him and fast!”
Five years later, however, most large corporations—including those in the Fortune 1000—are still functioning as if cybersecurity is more of a nuisance than a strategic risk. Even as massive data breaches continue hitting the biggest corporations in America, many CEOs still downplay the fact that criminal hackers are getting more sophisticated and that cyberattacks pose an existential threat to their companies—not just costing them many millions of dollars but potentially their brands’ reputations and their own jobs.
This is true across the business world, but it’s especially the case among energy companies and other organizations that operate critical infrastructure, such as water treatment facilities and chemical plants. I know this firsthand as a senior cyber and energy security strategist for the Idaho National Lab, one of the nation’s foremost research centers focused on energy and national security. While a cyberattack on a bank could result in a significant loss of money and sensitive data, an attack on a power generation facility, hospital, or transportation facility could cost lives.