As part of the PwC 2023 Global Digital Trust Insights Survey, we interviewed Joe Doetzl, Global CISO at Hitachi Energy Ltd. In conversation with Urs Küderli, Partner and Leader Cybersecurity and Privacy, PwC Switzerland, Joe Doetzl explains the advantages of building a new IT infrastructure from scratch with security in mind, what a privilege that is, and why preventing cyber attacks is often simple, but not easy.
“As with most security organisations, our number 1 priority is maintaining business continuity and protecting sensitive data. From a tactical perspective, our focus is to have complete visibility of all our business assets. This allows us to ensure that protections are in place and to rapidly respond and recover from attacks when they occur.”
Urs Küderli: What is your top initiative in terms of cyber transformation, and what has been its impact?
Joe Doetzl: Top cyber initiatives may vary by specific industry and business. Our business is in a massive transformation, and after the acquisition of ABB’s former Power Grids business, we are now Hitachi Energy. Hitachi Energy needed to build a completely new IT infrastructure, and we are migrating our applications and systems from ABB to the new infrastructure. Fortunately, we were able to take some fundamental steps, especially concerning cybersecurity and privacy.
Please tell us the two most important things you did.
For the first time in my career, we had the opportunity to build from scratch. The first step was to build the team. Finding diverse, passionate, capable team members for the most important roles was a critical first step. Secondly, as part of the migration to our new infrastructure cloud, we got the opportunity to touch every application and system that makes up Hitachi Energy. During this process, we were able to build a completely new and modern IT infrastructure and, as we migrate, we can update everything to the latest technology, make sure that we have advanced security monitoring, address compliance issues that were difficult to handle on legacy platforms, and install a state-of-the-art security system. This is a rare opportunity, of which we take advantage from a security perspective. It will also allow us to take a fully integrated approach to cybersecurity across the entire value chain and not in silos.
Was this initiative driven by the top management?
It is a business-driven initiative. Our executive team recognises the critical nature of our deliveries and that cybersecurity is part of our license to operate.
What does state-of-the-art mean in cybersecurity?
There are fantastic and innovative technology providers across the cybersecurity space. Generally, this means that we have better visibility and ability to maintain a secure state of operations than ever before. We can almost instantaneously detect variances in our preferred configuration and fix them. We also have great visibility into the security of our endpoints and of our core systems in the cloud. By maintaining secure configurations, we can prevent many attacks, with visibility giving us advanced detection. But, at the same time, we accept that we cannot prevent all attacks. Since attackers are persistent, we must be able to rapidly detect any cyber event, to respond immediately and recover promptly.
Was it easy to convince the management to adopt the cybersecurity strategy and to implement a new architecture, or was it still a fight?
We have the mandate to do what is right for our business and for our customers. We know our role in supporting critical infrastructure and that the installations we provide and support – and our customers operate – are amongst the most critical in the world. People need safe and reliable electricity in everyday life. And that’s what Hitachi Energy helps our customers deliver. While our products, services, and solutions reflect our pioneering leadership, our cybersecurity must reflect the critical nature of our business.
As with any business transformation, there are pain points. There are practices that we need to change, which is common throughout the energy industry. We have energy systems that were deployed decades ago and are still running reliably. However, we must act carefully to secure them, because stability and availability of such systems are paramount, and any change, including a security change that could be positive, cannot interrupt the availability of these systems.
“It’s much easier to teach an electrical engineer cybersecurity skills than to teach a cybersecurity person to be an electrical engineer.”
To future-proof any business, a skilled labour force is important. What kind of new capabilities does your company need?
At Hitachi Energy, we are advancing a sustainable energy future for all. We believe that diversity + collaboration = great innovation and we strive to create an environment in which our people and business can thrive. This helps us attract passionate and diverse employees, consistent with our work in all areas of diversity, equity, and inclusion – Diversity 360, and supported by Our Leadership Pillars. Our employees are very capable, and they have a strong skill set regarding energy and engineering. From a security perspective, knowledge across that spectrum is needed. Security architects, security incident responders and other specialists are in high demand globally, and we need to have such expert knowledge in our organisation. We have a solid employee base though and can equip our engineers with the skills to also implement cybersecurity solutions.
Would you rather follow the strategy of upskilling employees in-house than finding them on the market?
It’s much easier to teach an electrical engineer cybersecurity skills than to teach a cybersecurity person to be an electrical engineer. We have been successful in attracting the talent we need based on our mission and our quality as an employer. Is it hard? Yes, it’s hard and takes consistent effort, and it will remain a challenge. We will continue to upskill the people we have.
Hitachi Energy is a global technology leader that is advancing a sustainable energy future for all. It serves customers in the utility, industry and infrastructure sectors with innovative solutions and services across the value chain. Together with customers and partners, Hitachi Energy pioneers technologies and enables the digital transformation required to accelerate the energy transition towards a carbon-neutral future. It is advancing the world’s energy system to become more sustainable, flexible, and secure whilst balancing social, environmental, and economic value. Hitachi Energy has a proven track record and unparalleled installed base in more than 140 countries. Headquartered in Switzerland, Hitachi Energy employs around 40,000 people in 90 countries and generates business volumes of approximately $10 billion USD.
“We must frame those conversations in the context and risk landscape of the business. That is a skill set many security executives are missing.”
What do cyber executives need to pay attention to? Where should they concentrate efforts?
Cybersecurity executives have been arguing for the last 15 or 20 years: “We need a seat at the table. We must be included in board and executive briefings.” We are getting it now. That also means we need a different set of skills. Executives do not want to hear about firewalls, antivirus, proxy servers, etc., although these things are fundamentally important. We must frame those conversations in the context and risk landscape of the business. That is a skill set many security executives are missing. They should not just be specialising in technology and in cybersecurity aspects but understand the context in which their business operates and be able to communicate with the other executives in an understandable way.
Do you expect the recent increase in ransomware attacks to continue?
Unfortunately, yes. The attackers are sophisticated, they run ransomware as a business and sell it as a service. The defensive aspects for companies are not complicated, but they require discipline in implementation. The blueprints on how to avoid them are out there. The Center for Internet Security has estimated that 85% of all attacks can be avoided with 5 key security controls. It’s simple, but it’s not easy. When my doctor tells me to eat right and exercise, it’s simple advice. But it’s not easy for me to do it. It takes rigour and discipline every day. The same is true for preventing ransomware. There are controls that we know we need to implement, but we must do it everywhere and we have to be diligently monitoring those controls.
Should ransomware one day be on the downward trend, what is the next big thing companies must prepare for?
The next big thing is already here – supply chain attacks. We know that attackers who wish to disrupt critical infrastructure aspire to do so by compromising suppliers first.
“A rising tide lifts all boats – and that’s what regulations tend to do.”
Another force in cybersecurity is the regulator. Is it helpful to be more regulated?
A rising tide lifts all boats – and that’s what regulations tend to do. In the US, we’ve had mandatory, enforceable cybersecurity standards for the electricity industry since 2008. That has driven improvements across the board. As a global company we now see initiatives in all regions. We advocate that regulatory approaches are aligned with existing standards.
Which two pieces of advice would you give companies with a lower cybersecurity maturity?
Some companies might get lost at the beginning – where should they start? In addition, budgets are usually limited, and there is fierce competition for resources. You therefore need to prioritise. At Hitachi Energy, our number 1 priority is ensuring that we have 100 percent visibility of all our business assets. With total visibility, you can rapidly detect a possible attack and recover. Should you be completely lost, go to your national cybersecurity agency, e.g., CISA in the US or NCSC in the UK for blueprints on how to improve your cybersecurity.
Joe is the Global Chief Information Security Officer (CISO) at Hitachi Energy, and before that he was Head of Cyber Security at ABB Enterprise.
He has more than 20 years of IT and cybersecurity experience. Joe has created and led cybersecurity and compliance programs for multiple electric utilities. He has audited multiple North American utilities for compliance to the NERC CIP standards. Throughout his career, he has been active in multiple regional and national forums dedicated to critical infrastructure protection.
Joe specialises in the design and implementation of enterprise-wide Information Security and Compliance Programs. Further, he has extensive knowledge and experience in network security architecture, firewall management systems, intrusion detection, securing industrial control systems, disaster recovery procedures, security event monitoring, incident response, vulnerability assessment, patch management, and security awareness training.
Joe has previously served as President and Secretary of the Kansas City InfraGard Members Alliance. Joe is a Certified Information Systems Security Professional and has a Master of Science, Computer Science from the University of Colorado and a Bachelor of Science, Mathematics and Computer Science from Marquette University.