Oil giant BP is currently having a “big internal debate” about how it can lock down personal computers without losing out on flexibility for employees, as a direct result of the increasing threat of cyber attacks.
Outgoing CIO Dana Deasy was speaking at Gartner's Symposium in Barcelona this week, where he said that 40% of worldwide cyber attacks are in the energy sector and that the threat has “quietly been getting worse and worse”.
Deasy said: “Talk about reinventing yourself in real time – you're moving from a world where you want to keep the bad guys out, to a reality of what happens if they do get in and what's the game plan?
“You almost have to set your organisation to think about dealing with the art of warfare, because you are dealing in a different world with a different sort of adversary.”
He explained that the threat to BP is “incredibly real” and that it is coming from both organised crime networks and state-sponsored attacks. However, it is the latter of the two that is the real cause for concern.
“State sponsored attacks are the ones that we are most concerned about, because the nature of them is that they aren't necessarily about causing you harm today, or even tomorrow, but some day in the future. Or they don't even want you to know that they are there,” said Deasy.
“You are dealing with an adversary that is incredibly well organised, incredibly sophisticated – tens of thousands of them – and you may not always understand what they are after.”
Deasy insisted that although this hasn't changed BP's 'big thinking' or stifled its innovation, it has sparked an internal debate around how it can lock down personal devices and restrict what employees do on them.
“We are having no choice but to lock down and make more restrictive what people can do with the personal computer, which is kind of ironic when you think about that term when it was created – the idea that it was personal,” he said.
“By locking it down you obviously take away flexibility. So it's about getting this incredibly difficult balance right between flexibility and freedom, of allowing people to do their jobs and protecting the firm. It's something we have to work with every day.”
Finally, Deasy said that in his time at BP the focus on cyber and risk management has become increasingly intense, to the point where he now spends up to 20% of his working week assessing the potential outcome of a serious crisis.
“If you had asked me six years ago about the time I would have spent worrying about risk and crisis management – I would have said it was the annual desktop exercises, the quarterly risk reviews, and maybe a little challenge with your team,” he said.
“Today risk is becoming a greater part of your weekly agenda, I would say today I probably spend 20% of my time dealing in some form of risk – either in government discussions, board discussions, senior executive discussions, or team discussions, just working through what crisis management would look like, what would disaster recovery look like, and how the world of that unknown would play out.”
Deasy recently announced his departure from BP and is set to join JP Morgan as CIO. He is to be replaced by Mike Gibbs, who is currently CIO and vice president of BP's refining and marketing business.