As more equipment and systems generate data and depend on IT, data security becomes increasingly critical to operations. Security leaders have also become more entwined with business functions, something that is certainly true of Mike Phillips, chief information security officer with Cheniere Energy Inc., the first company to export liquefied natural gas (LNG) from the contiguous US.
Phillips not only spends his days safeguarding data and systems but also helps business people understand cyber risks and navigate regulations. The work of the data-security function has changed markedly since Phillips began his career in 1995 with utility Pacific Gas & Electric. In those pre-9/11 days, security was rather lax compared to today, he recalls, noting that cybersecurity is now a forefront consideration when assessing business risk.
Phillips is immersed in digital-rights management, risk assessment of new technologies, explaining risk mitigation to investors and insurance companies, and helping attorneys and operational leaders understand new regulations.
“The biggest change over the past ten years is that the security group no longer says ‘no’ to everything,” Phillips says, noting that his team seeks a healthy balance between risk and reward on new technologies and initiatives. “We’re like the brakes on a race car. Our objective isn’t to slow the business down but to stay on the track so that it can go as fast as possible.”
In February 2016, Cheniere began exporting LNG and became the first large-scale exporter of US LNG. Being first to the international market gives the company an advantage over competitors, and part of Phillips’ mission is to maintain that lead by safeguarding data. The LNG industry also has unique points of risk: gas pipelines and liquefaction plants that carry a flammable product. Such infrastructure could be targeted, and by protecting the cyber systems that operate these assets, Phillips plays a key role in securing them.
None of these operational systems is directly connected to the internet, so they cannot be attacked directly from it. Nevertheless, hackers are relentless in seeking other ways in. Some are foreign actors supported by governments, including Russia and Iran, Phillips says. The energy sector, a multinational industry that includes government-owned entities, is a prized target. Intrusions have been detected within systems at the US Department of Energy, where hackers acquired files pertaining to accident reports at power plants, Phillips points out.
Access to Cheniere’s sensitive systems is strictly controlled. Nonetheless, phishing schemes, in which hackers try to trick users into revealing credentials such as passwords, are a constant source of concern. Attackers can be extraordinarily persistent, spending more than a year trying to break through a given organization’s defenses. An organization’s security efforts must therefore be equally vigilant and relentless.
Phillips’ external partners agree. “Consequences of a breach can have long-lasting effects,” says Jim Guinn II, managing director at Accenture Security. “That’s why executives should be as committed to improving cybersecurity as they are to controlling other business risks.”
In addition to educating employees about how to avoid falling for phishing ploys, Phillips works to restrict data on a need-to-know basis. Digital-rights management, with files kept encrypted so that only authorized users can open them, limits access to those who need it. Working out who needs access to what is a time-consuming task that requires input from operational personnel and business leaders.
As new technology offers more efficient ways for business and operational teams to manage production and distribution, security measures have to allow users to take advantage of them.
“We try to lock down environments as much as possible,” Phillips says. Still, his team constantly has to consider exceptions for sound business reasons. That effort requires weighing the risks of the latest software, mobile devices, and network options against their benefits.
In 2002, after high-profile accounting scandals involving corporate heavyweights Enron, WorldCom, and Tyco, Congress cracked down on financial abuses. Since then, cybersecurity has become a standard part of business risk assessment, prompted by new rules administered by the Securities and Exchange Commission. One sweeping legislative measure in particular, the Sarbanes-Oxley Act, partially changed his career path, Phillips says. That law requires public corporations to disclose their risks in detail to investors.
Cybersecurity chiefs have since had to develop regulatory expertise. “The CISO becomes the glue between operations and legal when it comes to new regulations,” he says. Business leaders and attorneys look to Phillips to help make sense of how new rules will affect the business. He also provides input to the company’s insurance team so that they can explain cyber risks to policy underwriters.
In addition, Phillips is working to influence how this new niche of the energy industry will be regulated by Washington. Currently there are few regulations governing LNG exports, but Phillips says a big push is coming from Congress to change that. Given his experience with regulatory reform when electric power was deregulated during his eleven-year stint with CenterPoint Energy, he is wary of how the rules may affect Cheniere. Regulations governing the North American bulk power system (the NERC CIP standards) have become onerous, he says: companies spend as much as $750,000 a year “just to prove that they are compliant.” Because of that cost, many companies simply aim for the minimum cybersecurity requirements.
“We want to make sure regulations that do come out provide good security, not just the minimum,” Phillips says. A more voluntary approach to security rules in which companies have the incentive to do more than the basics in return for better insurance rates would be ideal, he says.
Although it’s uncertain how regulators will act, all public corporations can expect data security to be carefully scrutinized. It’s a permanent part of the landscape now.
“Cyber is one of the newest risks to businesses,” Phillips says. “The risk has to be managed. It can’t be completely prevented.”