Governance in Third-Party Cybersecurity Management
Apr 5, 2025
Webinar on Governance Policies and Procedures for Third-Party Cyber Security Risk Management
Introduction
This is the seventh webinar in a 10-part series on cybersecurity and digitalization, focusing on supply chain cybersecurity in the energy sector.
The webinar is organized by the US Energy Association's AMP UP program, funded by USAID.
The series aims to discuss cybersecurity challenges in the energy sector amidst various transformations like integration of renewables, deployment of grid-edge technologies, etc.
Key Speakers
Terry Khil: Senior Consultant at Amper Industrial Security and founder of Cyber Kaleidoscope LLC.
Roland Miller III: Ambassador for Cyber Florida, with extensive experience in securing national critical infrastructure.
Objectives of the Webinar
Focus on governance policies, procedures, and best practices for third-party risk management.
Discuss organizational aspects and models for cybersecurity management.
Explore strategies for communication within organizations and with regulatory authorities.
Highlight the importance of budgeting for cyber investments in both capital expenses and ongoing operational and maintenance expenses.
Governance and Best Practices
Establish a governance framework with executive sponsorship, a director-level steering committee, and a working group of subject matter experts.
Develop a charter outlining responsibilities, scope, and objectives.
Implement a risk assessment process to identify and manage risks associated with third-party vendors.
Challenges and Solutions
Procurement Issues: Decentralized purchasing hinders third-party risk management because vendors, software, and services can enter the environment without any security review. Ensure all purchases, including those made with credit cards or P-cards, go through the same rigorous review process as centrally procured items.
Cultural Alignment: Match cybersecurity initiatives with organizational culture to avoid resistance.
Third-Party Inclusion: Include third parties in discussions as stakeholders for better feedback and process improvement.
Executive Buy-In: Communicate the business impact and costs of cybersecurity risks to gain executive support.
Organizational Change Management
Use models like ADKAR to manage change through awareness, desire, knowledge, ability, and reinforcement.
Regularly review and update policies and procedures.
Engage key influencers in the company to foster a culture of security compliance.
Risk Management and Exceptions
Establish an exception process for deviations from policies and standards, and record each accepted deviation in a clear risk register so it is tracked rather than forgotten.
Ensure communication of risks to relevant stakeholders for informed decision-making.
Funding and Sustainability
Justify cybersecurity investments with clear business value and potential risks of inaction.
Plan for ongoing operational costs and headcount needs for sustained risk management.
Importance of Compliance and Security Culture
Develop a culture of compliance and security across the organization.
Regularly assess policies to ensure they are effective and align with business objectives.
Conclusion
Emphasize the need for a solid foundation in policy management and exception handling.
Encourage ongoing learning and adaptation in cybersecurity practices.
Q&A Highlights
Importance of mock audits and self-assessments to evaluate policy effectiveness.
Use of surveys to gauge organizational change management success.
Addressing IT and OT convergence for better security alignment.
Managing policies to avoid unintended consequences and maintain flexibility.
Next Steps
The next webinar in the series will focus on managing cybersecurity risks in a rapidly expanding electric grid, scheduled for April 11th.