Our complex technology ecosystems are an increasing headache for all cybersecurity specialists. Cybercrime is now in the World Economic Forum’s Top 10 rankings of the most severe global risks over the next decade. The global cost of cybercrime is expected to top US$8 trillion in 2023.
But for the energy sector, the two-way flow of energy and information between renewable generators and batteries, solar rooftops and the grid, and a host of other connections, presents an enormous and exponentially increasing attack surface.
That “host of other connections” is particularly important. The global Internet of Things (IoT) market in the energy sector is expected to surpass US$700 billion by 2031, but around nine in 10 cybersecurity professionals say unsecured IoT devices are putting their organizations at risk of cyberattacks and data breaches.
Without smart technology, we are unlikely to achieve our global net-zero goals. But without a clear strategy to address cyber risk, energy companies cannot unlock the opportunities of smart technology.
Building a case for investment
If you’re not sure how to proceed, you are not alone. Earlier this year, EY teams asked 500 global cybersecurity leaders, nearly a quarter of them in Asia-Pacific countries, how they were navigating the complex cybersecurity landscape. Just one in five considered their cybersecurity effective today and well-positioned for tomorrow.
The EY 2023 Global Cybersecurity Leadership Insights Study revealed it takes 79% of respondents six months or longer to detect and respond to a cybersecurity incident.
We also found companies aren’t investing enough in their cyber defences, especially in Asia-Pacific. Cybersecurity budgets were a concern for 44% of Asia-Pacific respondents compared to 36% globally.
How do CIOs in the energy sector build an investment case? How do they create a compelling story around cybersecurity when the infrastructure is invisible, and the measure of cybersecurity success is “nothing happened”?
Speaking the language of business
As part of our research, and with the help of statistical modelling, we isolated the organizations, including those in the energy sector, with the most effective cybersecurity and identified several key characteristics they shared. We call this group “secure creators” because they have fewer cyber incidents, are quicker to detect and respond when incidents do occur, and have translated cybersecurity into a value creator rather than an inhibitor.
Secure creators behave differently in three specific ways (see Figure 1). They are quick to adopt emerging technology and use automation to streamline processes. They have specific strategies to manage complex attack surfaces. And they build bridges across their organization – the C-suite, the cybersecurity team, and the broader workforce – by speaking the language of business.
Figure 1: Secure creators are more focused on technologies that enable automation
The most successful CIOs can tell a story that resonates with their business in terms of risk buydown, business impact, and value creation. We have seen some companies build actuarial models to quantify the risks of underinvestment.
If a threat materializes, what is the dollar impact of energy networks and systems going offline? How does that translate into lost customers, brand damage, regulatory fines, or lower transaction revenue?
From value defender to value creator
In the energy sector, the missed opportunity is far more than money – it is, potentially, safeguarding the future of the planet.
Done well, cybersecurity is not just about value protection. It is also about value creation.
What does this look like? Our research is clear. Secure creators move faster on the digital journey because their cybersecurity specialists are there from the beginning of every project.
Rather than retrofitting security tools around existing systems or ticking off items from compliance checklists, secure creators embed cybersecurity into every new initiative from the outset. We call this “Security by Design” – and this approach builds trust, which in turn creates new value.
This new value may come in the form of stronger relationships with customers, new partnerships, joint ventures or participation in ecosystems, or new products or services. Most valuable of all, secure energy companies will support the world’s transition to a zero-emissions future.