In an open letter to directors, IBM’s energy security lead recommends appointing a senior executive with authority to effect cultural change.
Andy Bochman is energy security lead at IBM.
Dear Mr. or Ms. Director:

Cybersecurity measures and risk management aren’t new concepts for utility companies. The company whose board you serve has implemented strategies to protect the organization. However, from what we have seen in the market, more needs to be done.
IBM is taking a fresh look at the organizational structure and accountability within utilities, and considering how lessons learned in other industries can help utilities address the risks inherent in modernizing their business operations with advanced IT and communication technologies.
One key lesson stands out: some industries, such as financial institutions and communications service providers, have created internal organizations with the authority and resources to meet their heightened cybersecurity challenges. In these companies, most often, the person charged with overall cybersecurity responsibility for the company is a corporate executive who is designated the chief security officer (CSO) or chief information security officer (CISO).
This approach shouldn’t be limited to the banking and telecom sectors.