Malcolm Norman - CISO of Wood, warns energy industry of cyber threat

Malcolm Norman has had what can only be described as a portfolio career. He began as a teacher, then spent 20 years in the Army, working his way up from junior officer to senior executive within the Ministry of Defence. While serving, he also completed an MBA and an MA in Defence and International Studies. Malcolm then took over the reins as Global Chief Security Officer of a Fortune 100 corporation, before becoming Managing Director of a risk consulting firm. He is now Global Chief Information Security Officer (CISO) at Wood, one of the most successful global engineering and construction management companies in the world.

Following the recent acquisition of Amec Foster Wheeler by Wood, Malcolm’s biggest challenge as Wood’s CISO has been the design and delivery of a standard, consistent and repeatable approach to cyber security across a new and still-developing landscape.

Indeed, the creation of a single new business entity has given Malcolm the opportunity to take a ‘best of both worlds’ approach to building a Cyber Security Framework across the integrated business. This has been achieved through a focus on getting the basics right across the working environment, both technically and through renewed vigour in the cyber security education of Wood’s 60,000-strong workforce.

Malcolm warns: “Cyber security is (or should be) a concern for all organisations and the Energy sector is no different. The intersection of significant technological advancements and digital connectivity in the Energy industry and the corresponding increase in the targeting of that ever-expanding digital footprint by threat actors has rightly raised cyber security to a strategic, board level risk that is no longer just an IT issue. It has shifted as a topic from the ‘Basement to the boardroom’ with the security experts advising on and managing cyber risks and being required to make a similar shift in focus, reporting, language and exposure.”

“Given that the Energy and Utilities sector forms such a key part of critical national infrastructure, it is not surprising that it has become the focus of greater regulation and specifically the directive on security of network and information systems (NIS-D). NIS-D sets out the requirements for operators of essential services as below:

  • Take appropriate technical and organisational measures to secure their network and information systems (applies to both IT and OT and IOT)
  • Take into account the latest developments and consider the potential risks facing the information systems.
  • Take appropriate measures to prevent and minimise the impact of security incidents to ensure service continuity.
  • Notify the relevant supervisory authority of any security incident having a significant impact on service continuity.”

“Due to the speed of change, traditional cyber security measures have been found wanting, as evidenced by the growing level of cyber breaches reported in the energy sector. In turn this has led to a revision of the historical approach of ‘Protect by any means’ and a shift towards detection and response.”

“Energy companies must get used to the fact that cyber security now poses the same kind of risk to infrastructure as a flood or a fire. The nature and changing risk profile of the cyber threat, from economic espionage to disruption of production, demands a cross-sector, risk-based approach from businesses and governments around the world. Given the porous nature of an organisation’s environment, success is now measured in terms of the speed of detection, response and recovery rather than an ill-advised announcement that an environment is ‘Breach-proof’.”

The Ponemon Institute recently surveyed security professionals in the utilities, energy, health and transport sectors across six countries, including the UK. Starkly, it found that 90% had been hit by at least one successful attack.

It follows that the Energy sector needs to accept that it is a target of skilled, motivated and well-resourced attackers, and that it needs to start resourcing its cyber teams to address that threat and capability.

Malcolm continues: “At present there is a well-publicised lack of cyber security professionals across the corporate, public and charity sectors. Such a gap is growing and is leading to an extremely fluid market with the average CISO allegedly remaining in post for just over 36 months.”

“This attrition rate is being driven by a number of factors, including: the search for the next salary increase, a lack of an embedded security culture within an organisation which demotes the relative importance of cyber security, a lack of investment in the cyber security programme, and the fear of failure as a result of a cyber incident where the incumbent feels they did not have the proper support.”

“It follows that the skills shortage in this area is going to be magnified in those industries where cyber security is not seen as central to their culture, investment strategy and organisational structure – so the energy sector needs to refocus its attention in this area now!”

“The internal security team is now, more than ever, required to be a ‘Battlegroup’ of capability, knowledge and experience; an integrated cybersecurity workforce capable of designing, developing, implementing and maintaining defensive and offensive cyber strategies that merges technical and non-technical roles.”

“This mirrors the military concept of a ‘Team of teams’, each with a specific and well-defined role but with the training, tools and process to synthesise their activities to identify, protect against, detect, respond to and recover from cyber threats.”

“As a CISO, one of the most significant tasks is to identify, recruit, develop, and retain cybersecurity talent – it doesn’t just happen!”

Malcolm’s approach has been influenced by US NIST Special Publication 800-181, the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, which outlines an approach that advises companies to:

  • Inventory and track their cybersecurity workforce to gain a greater understanding of the strengths and gaps in knowledge, skills, abilities and tasks performed.
  • Identify training and qualification requirements to develop critical knowledge, skills and abilities to perform cybersecurity tasks.
  • Improve position descriptions and job vacancy announcements selecting relevant KSAs and tasks, once work roles and tasks are identified.
  • Identify the most relevant work roles and develop career paths to guide staff in gaining the requisite skills for those roles.
  • Establish a shared terminology between hiring managers and human resources (HR) staff for the recruiting, retention and training of a highly-specialized workforce.

Whilst Malcolm has to concede that at present, the Energy sector is playing “Catch-up”, he also feels that it is an amazing opportunity for those starting a career in the cyber security sector.

“The demand for cyber security skills is high, and pay is good and improving all the time. The challenge of addressing an adversary attempting to breach, disrupt or destroy your environment is a stimulating, intellectually taxing and rewarding endeavour. There is a need for continuous development and professional learning that balances technical and non-technical skills, and you are training in an industry that will always need your skills!”

“When hiring, the Cyber Security Industry should not just rely on technical graduate entry alone and should also ensure that diversity of thought, attitude, approach and passion are present, as although difficult to measure, they are as important as a qualification – in many instances we need to think like a thief to catch one!”

Malcolm Norman – CISO of Wood, will be speaking alongside other Cyber Security experts at the OSP Cyber Academy event “Scotland’s Cyber Summit” in Aberdeen on Thursday May 2nd at the Hilton Treetops hotel.

If you work in the Energy Industry and are interested in learning more about Cyber Security, please register at www.ospcyberacademy.com/scotlands-cyber-summit

Published: 18-04-2019
