SMT007 Magazine

SMT007-Mar2019

Issue link: https://iconnect007.uberflip.com/i/1088168


76 SMT007 MAGAZINE I MARCH 2019

Johnson: Of course, then the goal is to do the right thing as efficiently as possible.

Humphreys: Don't get me wrong, the regulators want to do the right thing; it's just a bureaucratic process involved to develop the regulations. It's too slow to stay up with the pace of technology and the threat.

Johnson: You can either go at the pace of regulation, which means you're going too slow and could be exposed, or you can go at the pace of technology that is way ahead of regulation, meaning you have to make some unregulated ethical choices.

Humphreys: You must look at risk to your organization, not just compliance risk from a regulatory standpoint. There's that whole plausible deniability defense that I fight all the time. Even if they do that and even if I'm compliant and have some issue, they can pass the buck to the regulator and say, "But I was compliant with your standards."

Johnson: "It's the standards that are the problem, not me."

Humphreys: I'd like to think that the majority of the world still wants to do the right thing and understands the reputational risk exposed to them, but it's not a plausible defense to say, "But I was compliant; it's the regulator's fault." At the end of the day, your customers are without your services.

Johnson: How often in the conversation does it come up around where the fear is that doing the right thing may turn out to be illegal later?

Humphreys: Not so much in the electric space, but I can see it in the manufacturing space. I'm encouraging the electrical industry right now to say, "Take those compliance violations and adopt the cloud." Because when you go toward a settlement with FERC, the way the compliance process works is you're issued an initial potential violation, it goes back to enforcement, and the FERC has to approve it. There's this long, drawn-out process until a financial penalty is actually assessed.

During that whole process, it's not feasible for these small folks to retain the legal resources and all the time spent to fight it. But in the instances of adopting technology like the cloud, for example, I think you will win that fight by saying, "My justification for adopting the cloud was my risks in these areas were much higher than my compliance risk, and I had to do this." Those are the kinds of things that are going to draw FERC to move faster to get these standards up to pace to get technology. It's unfortunate that it's incumbent upon the industry that's being regulated themselves to drive the regulations to change, but that's the world that we're in. Assess the risk to see if the compliance risk is less than the reputational, operational, and competitive risk. There's tons of competition with PCBs and things like that. If one word gets out that you had a compromise and there was an issue, think about how much that's helping out your competitors and how many customers you will lose. To me, in that kind of an industry, that would far outweigh the regulatory risk for me from a business perspective. Again, calculating your risk model, that would need to be part of the training or outreach to your constituents of looking at the holistic risk model. How many different inputs do you have into risk in deciding how you're addressing cybersecurity? In your industry, I think compliance is probably middle to the bottom of the totem pole, and that might be valid.

Johnson: I think it is. Thank you, Chris.

Humphreys: You're welcome. SMT007
