
Ben Lane, CIPRNA event manager, met Brad Davidson, a principal at Deloitte Consulting LLP. Brad currently works with national security and civil sector clients within Deloitte’s Government & Public Services practice. He has 15 years of experience conducting strategy, analytic, and risk work for government clients related to critical cybersecurity and infrastructure assets and systems. Brad has also served as a subject matter specialist focused on identifying and analyzing physical and cyber threats to critical infrastructure assets used by the US and NATO allies in support of military operations.
Brad graduated from the University of Tennessee with a degree in Political Science and earned a Master of Public Policy, with a concentration in National Security and Intelligence policy, from George Mason University. He enjoys spending time outdoors with his wife and kids in Leesburg, VA.
This is a transcript of their conversation.
Ben Lane:
Brad, thanks for joining us today and we’re pleased to announce that Deloitte is going to be joining us at CIPRNA in Houston (March 11-13) as one of our Gold-level Sponsors: https://ciprna-expo.com/exhibition/sponsors/
We are very much looking forward to seeing you there. Let’s start off with a quick question of what is Deloitte’s role in critical infrastructure and its security and resilience?
Brad Davidson:
Thanks for having us, Ben. It’s a big question—Deloitte provides and integrates vital solutions to assist the critical infrastructure (CI) community. I’ll be more specific: our teams deliver a variety of solutions to a variety of organizations in this space, including advanced risk and data analytics. One of the things that makes Deloitte unique in this space is that our experience spans all 16 CI sectors—we can offer our clients both a multi-sector and cross-sector perspective. Many of our clients see this as a benefit because it helps them navigate an increasingly complex CI ecosystem with increasingly complex risks. Let me give you an example: our teams support commercial, local, state and federal CI clients. This experience often gives us a deeper picture of critical infrastructure challenges, which then enables us to help our clients build deeper solutions. Now, I don’t want to sound too conceptual; we also have world-class sector and industry experience, and we’re seeing increased demand to bring this experience to bear on real-world operational challenges. We also use our specialists to convene new approaches and alliances in the ecosystem, including new forums of public-private engagement that are organized on the exchange of real value, not just convening for the sake of convening. This approach helps our clients fortify existing CI, boost its resilience, and develop the next-generation security and performance capabilities.
Deloitte recognizes that these relationships are often key to information sharing and collaborative action, which in turn plays an outsized role in CI security and resilience. Public-private partnerships should align the goals, interests, and incentives of different actors, leverage their resources and capabilities, share the risks and responsibilities of managing these potential risks, and promote innovation and leading practices.
Through public-private partnerships, government and industry have a unique opportunity to strengthen risk situational awareness and develop mitigation strategies and action plans that produce sector-wide and cross-sector benefits. I’m excited by Deloitte’s current and future role in this space.
Ben Lane:
What are you seeing as the biggest challenges currently for government and owners/operators of critical infrastructure?
Brad Davidson:
The landscape of challenges continues to both expand and evolve. Physical security remains crucial, of course, but now, there is a rising tide of risk from the cyber domain. These risks can be backed by nation-states and involve malicious AI applications. The advancement of nefarious AI capabilities will likely expedite the intensity and scale of these attacks. Beyond this, the CI community is also managing secondary and tertiary effects beyond their control which can severely disrupt operations. Quickly understanding how a disruption in one sector can have cascading impacts across other sectors, and rapidly deploying mitigation solutions, is a significant challenge. It’s important for organizations to build an approach that balances these various challenges; that’s exactly what we focus on with our clients and what makes this area so ripe for sharing leading practices and driving continuous innovation.
Ben Lane:
GenAI is a big topic across the critical infrastructure community. It is viewed as both a risk and an opportunity. What are your thoughts on navigating the impact of GenAI on critical infrastructure security?
Brad Davidson:
Completely agree that GenAI is both a potential risk and an opportunity in this space. Organizations will need to determine their own risk tolerance within mission operations when thinking through GenAI implementation in their systems. For example, we work with Chief Information Security Officers (CISOs) who are wrestling with striking the right balance between GenAI benefits and cybersecurity concerns. From a GenAI cybersecurity standpoint, overall usage could create more responsibilities for a CISO regarding data security and privacy, access control, model integrity, logging and monitoring systems, and training and awareness across the workforce. Effective implementation of GenAI can return benefits related to network security assistance, application development, the management of large operating systems, and security talent and skills shortages. In addition, with today’s emphasis on driving efficiency and supporting frontline workers, AI will likely play an important role here.
GenAI has been a top concern among security executives, particularly over the last two years, but there is also a potential downside. Critical infrastructure owners and operators may feel pressure to allow use of GenAI broadly, but doing so indiscriminately could create unreasonable risk related to data confidentiality, data poisoning or prompt injections, enterprise, SaaS, third-party security, and legal and regulatory risk issues. This is a fast-moving target that will require growing attention and enhanced mitigation considerations. As such, organizations need to take an enterprise risk approach to these decisions.
Ben Lane:
In the USA, there are a lot of small operator/owners, for example in the power generation sector, whose Security Officer’s role may not be a primary function of security and is very different from the big players. How do you approach the differences between these?
Brad Davidson:
Deloitte is passionate about this topic. Small owners and operators are often the first line of defense in the protection of critical infrastructure assets. There is no doubt that a disruption to a small critical infrastructure owner and operator can have large, cascading impacts across other sectors. This really comes into focus when it comes to cybersecurity. The federal, state, local, and private sector CI communities should focus on aligning federal, state, and local support to smaller owners and operators who do not typically have the security capabilities of the larger regional utilities or multi-national corporations.
Coordination with federal department and agency resources, such as DHS’s Physical Security Advisors and Cybersecurity Advisors, could be a good resource for a small owner and operator. When feasible, security officers should also consider leading practices and resources from the broader CISO community and use publicly available frameworks for cybersecurity such as those published by the National Institute of Standards and Technology (NIST).
Deloitte works with federal sector risk management agencies, large regional utilities, multi-national corporations, and smaller owners and operators. All play important roles in securing our critical infrastructure and each requires varying levels of risk program capabilities, technical solutions, workforce training, and federal engagement—just to give a few examples. The CI system is vast and interconnected, and the role of smaller organizations tends to be underrepresented in this space. That’s why Deloitte’s capabilities and solutions are just as relevant for small organizations as they are for large organizations.
Ben Lane:
Thank you so much and we look forward to seeing you at the CIPRNA in Houston.
Brad Davidson:
Thank you. We’re excited to be a part of this year’s CIPRNA conference. Come say hello to us at Booth #15.