Posted by Steve Senterfit on November 14, 2014
At its core, the oil industry has a very simple mission: finding and producing oil, driving value, and ultimately replacing the reserves to ensure there is more oil to come. It once was relatively easy work with plentiful options, but in recent decades it’s become increasingly complex: oil is harder to find, it’s deeper in the earth, and it’s located in more hostile environments without easy access to modern technology. Those circumstances are driving entirely new business models in the industry, involving more joint ventures, reliance on new, more complex technology and tactics, and involvement with a broader range of third parties. This major global transformation requires organizations to be able to predict, identify, and manage myriad changes nearly simultaneously to thrive.
In my conversations with clients and in what I hear at industry events – such as the 9th Annual API Cybersecurity Conference & Expo, where our Senior Executive Advisor Mike McConnell is giving the keynote, and the Abu Dhabi International Petroleum Exhibition & Conference, where this year Vice President Terry Thompson is speaking about technology security challenges – there is a sense that energy companies have the fundamentals, such as technology development, cyber, IT, risk, and investment and regulation, under control. But leaders tell me that what concerns them are the implications and risks related to each of these components of the business that are not being raised to the board level for a more holistic view of risk management. Here’s an example: a company may have robust protection from phishing attacks, but if one is successful and results in the loss of private personal or client information, that could be a crushing blow to customer relationships, and trigger regulatory issues and other impacts.
Earlier this week, Booz Allen released its annual Energy Sector Trends for 2015, which are based on our conversations with CEOs, CISOs, chief risk officers, and others in the oil and gas and utility industry, as well as on what we see in the marketplace. The trends indicate that energy companies can thrive in this new, more complex environment by embracing robust analytics to help them improve operations, manage their regulatory commitments, understand their market ecosystem, improve their reputation, predict health and safety incidents, and prevent excessive capital investment risk taking. This year’s trends also include what we are hearing about cyber security and elevating risk management above the C-suite.
When it comes to cyber, energy companies understand the important role they play in nations’ critical infrastructure. In some regions – especially the Middle East and North Africa – cyber threats against this sector are an issue of national security. Energy companies must put their massive amounts of data to use in protecting their multi-dimensional attack surface with proactive threat detection. In 2015, we will see the industry start to address the security of their third-party vendors and even those vendors’ vendors – a move to mitigate so-called “fourth-party vendor risk.” Our clients tell me that they also see a great need to include cyber incident response procedures as part of their highly matrixed business continuity and crisis management plans. Nations and customers are simply too dependent on the energy industry to risk a digital disruption.
Leaders also tell us that on top of their extensive planning and preparedness exercises, their CEO and board members must now have an integrated understanding of enterprise risk. We expect to see the boardroom transition from managing individual components of risk to having a more complete understanding of it. In 2015 and beyond, a complete picture of risks at the highest level will ensure that the company, and not just a department, or an asset, will be well protected.
Information sharing is another important trend. Many companies are now participating in the Oil and Gas Information Sharing and Analysis Center (ISAC), an industry group that allows companies to address external threats and manage risks as a group by sharing threat information, while keeping company private information to themselves. This approach has already been successful in the financial services industry.
It’s clearer every year that the industry’s global transformation just won’t allow reliance on old ways of doing business. While the energy sector can look to other critical infrastructures such as financial services for guidance, it is clear to me that only those organizations who embrace a holistic and cohesive approach to analytics, cyber threats, and risk management will find true, long-term competitive advantage.