Q&A With The Experts: Diving Into Critical Infrastructure Protection
Curricula • Dec 07, 2021

Nick Santora is a certified cybersecurity expert (CISA, CISSP) who spent nearly a decade working for the federal government in critical infrastructure protection before founding Curricula to make security awareness training fun, so that employees actually learn the skills needed for cybersecurity.

Q: What are some best practices for ensuring organizations are in compliance?


A: When it comes to being in compliance with NERC CIP, there is a lot of ground to cover to meet all the regulations. But these rules were crafted for a reason. Consider for a moment: what is the right order of operations for People, Process, and Technology?

There are so many experts spouting that people are the biggest vulnerability when it comes to meeting compliance requirements, but those people have to know what to do. Even the most entry-level employees working in utilities are responsible for protecting the most critical infrastructure by following NERC’s rules. You understand how essential it is for everyone to follow the processes to meet compliance requirements.

And as a certified information security systems auditor, I put on my analyst hat to take a step back and take the time to really analyze these three things — People, Process, and Technology. We hear these terms all the time, but are we sure which order they’re supposed to follow in, especially when it comes to being in compliance with NERC?


Q: Risk assessment always remains an issue. Where do utilities begin here with conducting and implementing these kinds of assessments, and how can they ensure it will be satisfactory if/when an auditor ever comes knocking?


A: As a cybersecurity auditor, I built my career around understanding how people play a role in processes and technology when it comes to critical infrastructure protection. In my years of experience, I’ve seen firsthand how these three elements can function well when they all work together (or don’t).

And ultimately, it all comes down to process and how a person should follow an order of operations with information security. Potential security missteps happen because a person wasn’t following a process, or the technology was not in place (or working properly) that was supposed to support those operations. Just look at what happened to Colonial Pipeline.

That’s when an auditor usually steps in to look at the root cause of why this hiccup happened, and it almost always has to do with someone not paying attention or not having the right technology. The organizations that got it right were always sincerely focused on educating their people and having the right technology in place, not just meeting compliance requirements.

Great organizations implement the motto that people come first, understanding how processes are built with people, and technology is integrated with the process we’ve defined and the people we’ve aligned.


Q: How can utilities do better here?

A: This is one of the main reasons you see everyone talking about building a culture of security where their people are trained, then they know what to do to be in compliance with NERC, and have technology in place to support that process of security awareness and threat mitigation.

Higher-ups who understand the importance of security awareness training also recognize the potential for compliance violations, and those are the organizations that often have the fewest hiccups in their processes, and the least confusion among their people about why they’re doing these things to protect their patients’ information in the first place.

The goal is to get every single employee to understand their role in security. A simple discussion with each department head is a great place to start getting everyone aligned around protecting your organization.


Q: Where are the common missteps related to security and how do you correct?

A: Large enterprise organizations often fumble here because it’s easy to mess up. The bigger your team, the more opportunities for operational inefficiency. If you have a bunch of things in place only to meet compliance and don’t focus on the people involved in helping to meet those standards, there’s a strong likelihood for human error that exposes a vulnerability in your system.

When considering potential pitfalls, sit down with your information security team and various department leaders to review all the facets outlined for security management standards including:

If you look at those areas, their implementation specifications, and find technology that helps you to do these things for certain thresholds, then you can make sure everyone is aligned on what actually needs to be done for security, plus go beyond checking the box for compliance.


Q: How can utilities ensure they get the policies and procedures part of compliance requirements right?

A: Let’s take it back here, starting with the need: protecting sensitive information. This is a great example of remembering your ‘why?’ Why is this so important to you, and to the organization itself? Before you even start, remember the reason, and document the mission you’re on, which in this case is keeping your data safe.

At the end of the day, we have to make sure everything regarding security has a process developed around the routine with specifics. Processes are there to guide us into routine behavior. It’s about an order of operations to follow for even something as simple as setting up a password.

Technology always comes last because if you haven’t nailed the people or the process, the technology implementation isn’t likely to happen or to be successful. You can’t implement a technology without having the process to follow.

To recap these points, it starts with a Process (why you’re doing something to meet requirements), then People (put them in place) as our people are our standard, and then Technology to support the mission and goal. Having a detailed procedure of how to get these things done for compliance will help build a culture around the role all your employees play in security.
