Cybersecurity transformation: a new operating model for utilities

Utilities must become adaptive learners to effectively handle cybersecurity challenges and thrive in a world of constant change.


In brief
  • Cybersecurity strategy in utilities has evolved from a focus on basic security and perimeter defense to an enterprise-wide approach addressing business risks.
  • Utilities are encouraged to adopt a collaborative cybersecurity model that aligns with risk management and focuses on enabling all parts of the organization.
  • The CISO role now requires a mix of strategic insight, soft business skills and leadership abilities, moving beyond just technical expertise.

This article is co-authored by:

  • Laura Sciuto – Senior Manager, EY P&U People Advisory Services

An operating model is a representation of how an organization (or function) delivers value to its customers and executes its strategy – it connects strategy (why) with operations (how). But what if the function’s strategy evolves, leaving us with an operating model built for a world that no longer exists?

Cybersecurity strategy was born as a reaction to a new threat. It required an autocratic approach, and a rapid response to improve security hygiene. As the nature of cyber threats evolves and broadens, utilities must continue to refine their cybersecurity strategies. This goes beyond safeguarding IT infrastructure. It encompasses the protection of their entire operational framework. Such a dynamic environment prompts a critical reassessment: does our cybersecurity operating model remain the optimal approach for delivering value to the organization?

This article proposes a transformation of the cybersecurity function operating model to meet the demands of the modern era.

The evolution of cybersecurity in utilities

Initially, cybersecurity in utilities was a sprint to establish basic security hygiene. It was an era dominated by technical controls, with an emphasis on protecting the perimeter. The strategy was straightforward: deploy, defend and deter. Cybersecurity was seen largely as an IT risk, and the function often operated covertly, with technical skills being the most highly prized asset. In numerous respects, the function became an ivory tower, a bastion secluded from the rest of the organization.

The introduction of NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) regulations marked a significant milestone (particularly v5). These regulations empowered cybersecurity functions to wield a “compliance hammer,” mandating that business operations adhere to stringent security measures. This autocratic model was effective in its time, allowing utilities to move quickly and decisively to shore up their defenses.


The need for change

However, the cybersecurity landscape is undergoing a profound transformation. Basic security hygiene is no longer the end goal — it’s the starting point. Compliance programs are now generally established, and cybersecurity has evolved from an IT risk to an enterprise-wide business risk that affects all operations. Cybersecurity is now one of many causal events that can disrupt business operations and is increasingly competing for limited budgets with other risk management needs. Telling the business what to do is no longer sufficient. The “new” CISO must be able to sell the business on what needs to be done.


In this new reality, no single entity holds all the answers for informed decision-making. The broader operations team, intimately familiar with the impact of security disruptions, now plays a pivotal role in risk management and defense. They not only implement controls, but also influence budget decisions, weighing security against other operational priorities. IT remains vital, guarding the network against cyberattacks and managing OT systems. Simultaneously, the cybersecurity function brings expertise in vulnerability assessment, threat analysis and the deployment of layered defense strategies.

A collaborative operating model

The time has come for utilities to adopt a more collaborative operating model for cybersecurity. This model positions the cybersecurity function as a business partner, integrating it into the broader risk management framework of the utility. It requires engaging with the business to explain threats and vulnerabilities, while also understanding the operational ramifications of security incidents.

This collaborative approach distributes the ownership of security risks across the utility. It ensures that cybersecurity considerations are integrated into digital programs from the outset, enabling secure delivery. By fostering a culture of shared responsibility, utilities can ensure that limited funds are allocated effectively, and that consensus is reached on the best strategies for mitigating risks.

The path forward

To transition to this new operating model, utilities must:

  1. Foster open communication between cybersecurity, IT and operations to align on strategic goals.
  2. Educate all stakeholders on the evolving threat landscape and the importance of cybersecurity.
  3. Integrate cybersecurity considerations into the planning and execution of all projects, not just IT initiatives.
  4. Develop a risk-based approach to cybersecurity, prioritizing resources where they will have the most significant impact.
  5. Ensure that cybersecurity professionals have a seat at the table in strategic business discussions, emphasizing their role as business enablers.

Cybersecurity as a business within utilities

As the cybersecurity landscape continues to change, so, too, must the approach of cybersecurity functions within utilities. These functions must evolve beyond policy enforcement, adopting a customer-centric approach that aligns with the strategic goals of the organization. With flat or declining budgets, the cybersecurity function is increasingly competing for funds against other risk management needs. The cybersecurity function needs to transform its operating model to better serve its customers — the organization — and manage resources more effectively.

1. Customer-centric collaboration

Cybersecurity functions should view the rest of the organization as their customers or clients, focusing on collaboration with business units, operating companies and other areas. The traditional view of the business as a passive entity that must comply with cybersecurity policies without question is outdated. Instead, cybersecurity should strive to understand the unique needs of each business unit and work together to find solutions that enable operations while managing risk effectively. Publishing a new standard or policy does not protect the organization — helping the business implement practices that achieve the objectives of the standard or policy does.

Implementing policies can sometimes be challenging for business units due to operational constraints or other factors. Cybersecurity teams must be willing to engage in dialogue, understand these challenges and work to find a risk-informed path forward. This approach ensures that cybersecurity measures do not hinder business operations and that the company is not exposed to undue risk. By fostering a collaborative environment, cybersecurity can build trust and demonstrate its value as a strategic partner in achieving business objectives.

2. Strategic planning management

Cybersecurity functions must embrace strong strategic planning management. In the past, these functions may have operated reactively, addressing needs as they arose without a long-term plan. However, a more strategic approach is now required. Cybersecurity teams should develop a three-to-five-year roadmap, taking into account the ever-changing threat landscape and technological advancements.

This roadmap should be assessed for progress and relevance on a quarterly basis to ensure that the cybersecurity function remains aligned with the organization’s evolving needs. By being strategic in their planning, cybersecurity functions can prioritize projects, allocate resources effectively and stay ahead of potential threats.

3. Proactive budget management

Historically, cybersecurity teams may have been granted significant latitude with their budgets, operating under the assumption that any expense was justified to protect the company. While this may have facilitated rapid response to emerging threats, it is not a sustainable approach for mature cybersecurity programs.

Cybersecurity functions must now manage their budgets proactively, aligning their financial requests with the company’s budgeting protocols. Requests for budget increases should be tied to strategically prioritized initiatives and subject to the same rigorous review by leadership as other business units. This ensures funds are managed wisely and cybersecurity initiatives deliver value for money.

By operating as a business within the business, cybersecurity functions can align more closely with the strategic goals of the utility and demonstrate their value as a key enabler of safe and reliable operations. A customer-centric approach, strategic planning and proactive budget management are the tenets of this new operating model. These practices will ensure that cybersecurity functions not only protect the company from threats, but also facilitate its growth and success in a risk-informed manner. As utilities continue to navigate the complex cybersecurity environment, adopting this business-minded approach is crucial for fostering resilience and driving innovation.

What does this mean for CISO skill sets and capabilities?

As the cybersecurity landscape becomes more complex and integrated with business operations, the skill set and capabilities required of a CISO are expanding beyond technical expertise to include a broader range of soft skills and strategic competencies.

  • Strategic leadership and advisory: A CISO holds a senior leadership role within the organization, responsible for managing the cybersecurity program and advising the executive leadership team and board of directors. This requires a shift from a purely technical focus to one that encompasses leadership, strategic thinking and an understanding of the business landscape. The CISO must be adept at safeguarding digital assets, maintaining customer trust and ensuring compliance with cybersecurity regulations, all while contributing to the strategic direction of the utility.
  • Soft skills and business acumen: The importance of soft skills for a CISO cannot be overstated. Effective communication, negotiation and relationship-building are essential for educating and collaborating with business leaders on risk-informed decisions. A CISO must be able to articulate complex cybersecurity concepts to nontechnical stakeholders, ensuring that they understand the risks and trade-offs involved in different courses of action. Developing a strong understanding of the operations and assets within the organization is also crucial. By building relationships across the company, a CISO can better align cybersecurity initiatives with business objectives, ensuring that security measures do not impede operational efficiency or innovation.
  • Risk-informed decision-making: A modern CISO approaches the role with the mindset of a cybersecurity service provider to the business. This involves working closely with business leaders to prioritize actions and develop pragmatic action plans based on a combination of cybersecurity intelligence and business impact analysis. The CISO must balance value, cybersecurity risk and cost, guiding the business toward decisions that enhance security without compromising business agility.
  • Collaboration across disciplines: Proactive collaboration with the business unit leaders, senior management, CIO and the board of directors is key to implementing effective security practices. The CISO must integrate security considerations across various technology environments, including information technology, operational technologies, cloud and emerging technologies such as artificial intelligence (AI) and machine learning (ML).

The role of the CISO is evolving from a technical gatekeeper to a strategic business enabler. Technical skills remain important, but the ability to lead, strategize and communicate effectively is becoming increasingly critical. As cybersecurity becomes more intertwined with business operations, the CISO’s role will continue to expand, requiring a dynamic blend of expertise, vision and interpersonal skills to navigate the challenges ahead. The CISO of the future is not just a defender of the digital realm, but a visionary leader who can steer the organization through the turbulent waters of cyber risk while unlocking opportunities for growth and innovation.

The EY ‘three office’ model: a framework for service orientation

As utilities seek to modernize their cybersecurity functions, the EY “three office” model offers a framework that can guide their transformation. This model is designed to shift the cybersecurity function from a compliance-driven entity to a service-oriented business, aligning more closely with the broader needs of the organization. It encapsulates traditional cybersecurity requirements while integrating mechanisms for better business alignment.


The front office of the cybersecurity function is the interface between cybersecurity and the rest of the organization. It is where the cybersecurity team engages directly with operating companies and business units to manage cybersecurity risk. This area is service-focused, providing support and advisory services to ensure that cybersecurity measures are integrated seamlessly into business operations.

Key functions of the front office include:

  • Designing secure systems and networks that align with business objectives and technological advancements.


The middle office is divided into two main towers, each with a distinct focus. The governance and oversight tower focuses on setting an acceptable level of performance and behavior and on monitoring adherence to it. The defense and resiliency tower focuses on proactively defending and monitoring critical systems and on increasing their resiliency.

Governance and oversight tower

  • Developing a long-term vision for cybersecurity that supports business goals.

Defense and resiliency tower

  • Identifying potential threats and analyzing their implications.


The back office supports the cybersecurity function by centralizing administrative tasks and providing objective independence. It enables the cybersecurity team to achieve its goals and objectives through efficient management and oversight.

Functions of the back office include:

  • Compiling metrics and scorecards, managing board reporting, and overseeing project and function budgeting.

The EY “three office” model provides a structured approach for utilities to revamp their cybersecurity functions. By adopting this model, utilities can create a cybersecurity function that is proactive, aligned with business needs and capable of delivering high-value services. The model emphasizes collaboration, strategic governance and robust defense mechanisms, all supported by efficient back-office operations. As utilities embrace this service-oriented framework, they can enhance their cybersecurity posture while driving business success in a secure digital environment.


Summary

The transformation of the cybersecurity operating model is critical for the utility sector. In an ever-changing world, utilities must be adaptive learners to handle cybersecurity challenges. Eric Hoffer’s words resonate: “In a time of drastic change, it is the learners who inherit the future. The learned usually find themselves equipped to live in a world that no longer exists.”¹ It’s time for utilities to learn, adapt and thrive in the face of evolving cyber threats.
