Event Review: Energy Security Council (ESC)

Our team attended the ESC event in Houston, TX several days ago for the first time and we would like to answer a few questions you might have about this event if you are thinking about attending next year. Let’s jump in:

What were the top 3 things you learned at the event?

  1. This event is primarily geared towards CSOs and risk analysts in the Energy space. Their focus has traditionally been physical security rather than cybersecurity, but CISOs now report to many of them.
  2. Operational technology security is becoming IT security. Insider threats related to cyber security and phishing also remain a high priority for this industry.
  3. Many presentations we saw still focus on communicating WHAT the problem is rather than HOW to solve it. For example, many presentations focused on scaring the audience with obvious facts like North Korea planning a cyber attack on the power grid but did not address practical solutions and steps to prevent or address problems.

Describe the most interesting conversation you had?

It is difficult to zero in on one exciting conversation because I’ve had so many! I spoke to several big players in the security space who were interested in talking about RQ and starting to use Cyber Risk Analytics tools to their advantage by putting an actual dollar amount on their security risk. I also found out that many companies are still interested in products that provide topology maps and products which can be used as a training/education tool for employees.

We had some concerns going in that our lack of expertise in ICS/SCADA would be a barrier, but since 90% of ICS-related problems come from the enterprise, our expertise is very relevant and valued.

What did you like most / least about the event?

The majority of attendees are not the extremely technical/IT or cybersecurity crowd you would get at other conferences like RSA or BlackHat. Some of what we had to offer in my presentation about Cyber Risk Quantification went over people’s heads when it came to the analysis and statistical models that lie behind our risk quantification engine. This is not a bad thing, as events like this give us an opportunity to try messaging out and adjust, but it is something worth noting when preparing a technical presentation for this audience.

Would you recommend we attend this show again next year? Why?

I would recommend we attend again because the conference is not expensive but still gives consultants/vendors like us, as well as attendees, a chance to experience security in the Energy sector which is not yet a common conference topic in the market today. So this ends up being a good market of potential early adopters to start engaging.

What could we do differently to have this event work better for us in the future?

Given that it was not as technical a crowd as we might find at other conferences, I would consider cutting about five slides from the presentation deck. I would reposition the content as the primary benefit to the CSO crowd in attendance: “How to prove you need more budget and what specifically you need it for” is what I think truly interests this crowd, or how to tie in Cyber to your larger GRC/Enterprise Risk.

In conclusion, it is worth attending this event, especially if you have an interest in the Energy Security field.