July 5, 2022

EP 6 – Protecting Critical Infrastructure w/ Carla Donev, VP & CISO at NiSource

Securing critical infrastructure that powers our way of life can be a sleepless job. But sometimes that’s the cost of being a protector… Today’s guest, Carla Donev, is no stranger to working round-the-clock. As Vice President and Chief Information Security Officer at NiSource, she leads security operations for one of the largest utilities in the country, which delivers gas and electricity to millions of citizens across six states. Host David Puner talks with Donev about the evolving threat landscape and how building safer, more resilient operations is key to preserving trust. 

[00:00:00.250] – David Puner
You’re listening to the Trust Issues podcast. I’m David Puner, a Senior Editorial Manager at CyberArk, the global leader in identity security.

[00:00:23.730] – David Puner
What keeps you up at night? It’s a question that inevitably prompts a long list of answers answers from cybersecurity leaders, especially those securing critical infrastructure that powers our way of life. Driving transformational change across connected OT and IT systems while facing a slew of constant cyber threats and increased regulatory scrutiny can be a sleepless job, one that consumes power 24/7.

[00:00:50.740] – David Puner
Which is why today’s guest, Carla Donev is no stranger to sleepless nights and round-the-clock calls. As Vice President and Chief Information Security Officer at NiSource, Donev leads security operations for one of the largest US utilities, which delivers gas and electricity to millions of citizens across six states.

[00:01:11.670] – David Puner
She’s got a lot on her plate and a lot on her mind, but she stopped by to share first-hand insights on how building safer, more resilient operations is key to preserving trust. We get to that and corporate cafeteria food and what keeps her up at night, of course, in today’s episode of Trust Issues. It was great to speak with her. I hope you enjoy the conversation.

[00:01:38.530] – David Puner
Thank you for joining us, Carla.

[00:01:40.360] – Carla Donev
Thanks for having me.

[00:01:42.250] – David Puner
One of the things we like to do before we get going and start asking the questions is for you to just maybe give us a little bit of a quick elevator pitch about what you do in your role at NiSource.

[00:01:53.920] – Carla Donev
Yeah. NiSource is a natural gas and electric organization. We are part of critical infrastructure. That has been an interesting space to be in lately. My role here is truly the true cyber function. We have everything cyber-related from IT and the OT perspective.

[00:02:11.260] – Carla Donev
I also do some work in the IT compliance, IT risk managements. I own security architecture now as well, along with security awareness. Recently, I just inherited the IT infrastructure organization as well. I have a little bit of everything across the IT function.

[00:02:29.730] – David Puner
Adding that infrastructure piece to it, what does that mean?

[00:02:33.380] – Carla Donev
What we decided is there’s a lot of consistency between the infrastructure components and the security. Those two teams worked so closely together that it just made sense to bring them together under one leader.

[00:02:46.370] – Carla Donev
For example, my cyber team has vulnerability management, but the infrastructure team does the patching. They work hand in hand. Now they’re kind of working a little closer together under one organization. So it’s been a good fit up until this point in time.

[00:03:00.380] – David Puner
What does a typical day look like for you? What are you involved with?

[00:03:03.810] – Carla Donev
I love my job because no day is ever the same. They are very different depending on what is happening in the world. Being part of a utility, especially right now with the situations going on in Russia, Ukraine, and just everything else happening in the world with ransomware and denial of service that we’re seeing everywhere.

[00:03:25.280] – Carla Donev
My day is always up and down. Usually we have our team meetings. We always have a team huddle in the morning and then we kick off throughout the day. Some days it’s whatever comes at us is what you do. I always tell my team I’m more of their PR person. I’m not hands on keyboard, but I’m here to help you.

[00:03:42.350] – Carla Donev
It’s a lot of calls during the day, a lot of emails, a lot of text, “Hey, I need your help with this, need your help with that.” Say that I do a lot of the fire fighting amongst everyone. Putting out those fires is kind of my job, and some days it’s harder than others. We are a natural gas company and so there’s been a lot of emphasis on us since the Colonial Pipeline.

[00:04:04.490] – Carla Donev
It’s been trips to DC to talk about that with folks and it’s a lot of internal conversations, just getting ourselves to a point where we feel like we’re prepared.

[00:04:13.960] – David Puner
I want to circle back to Colonial Pipeline in a few minutes, but I first wanted to ask you, you’ve been with NiSource now for four years. How has the cyber IT landscape changed, in your view, since you joined in January 2018? How has your role evolved in that time?

[00:04:33.310] – Carla Donev
Yeah, it’s changed a lot here since when I joined. When I joined, security at NiSource was completely outsourced. It was a very small team of just a handful of people and they communicated daily with our offshore folks and what we were maintaining. I wasn’t very comfortable with that. I thought it was kind of strange to feel I’m secure by getting a report every week.

[00:04:55.370] – Carla Donev
We’ve worked really hard the past four years. We’ve brought everything back in-house. We have all of our own tool sets in place, a full team that manages 24/7, but it also has its challenges.

[00:05:08.230] – Carla Donev
As we’ve grown, the cyber landscape has changed as well, with just the global impact and technologies everywhere. We have now meters sitting at your home that communicate back to us and things like that.

[00:05:22.140] – Carla Donev
We’ve just had to kind of adapt as we go along to what is out there, what do we need in place to, I would say, be on watch and be able to react if we need. A lot of times the team will come to us and say, “We’ve seen this and now we need this technology.”

[00:05:39.920] – Carla Donev
I would say from our perspective, just trying to keep up has been our biggest challenge over the past couple of years, but it’s been a fun journey.

[00:05:49.100] – David Puner
You mentioned the smart meters, and that brings up the topic of IoT. How does IoT figure into what you’re focused on now? What about it makes you nervous and what about it makes you feel like there’s nothing but opportunity there?

[00:06:05.590] – Carla Donev
I feel like you sat in one of my meetings earlier in the week. We live in an IoT world.

[00:06:12.020] – David Puner
Maybe I did.

[00:06:13.690] – Carla Donev
Maybe, you’re far. We live in an IoT world here. We have trucks out in the field every day that communicate back to us. I say that all the time, that those are just moving IoT devices. They’re just mobile. We have that.

[00:06:27.930] – Carla Donev
We now have in Indiana, we have solar farms and wind farms, and there are sensors all over those that are the IoT devices and now with the smart meters. You have a lot of interesting perspectives on that. You have the homeowners who don’t want it because they feel as if you’re the new Alexa listening into their environment, which is definitely not true. It literally just sends data back to us and that’s all.

[00:06:53.900] – Carla Donev
I think that we’ve had to do a lot of research and figure out how do we work in that space? Even from the network, how do we even connect to these? There’s thousands of them out there. How do we do it and how do we do it in an effective way?

[00:07:11.260] – Carla Donev
We’ve had a lot of conversations with our peers who are already doing that. We’re actually kind of a little behind in catching up with some of our peers in that space who have been doing that for a while but we’ve learned a lot from them. They’ve been able to share, “Hey, this is the technologies we use. These are the lessons learned that we have. These are things you should definitely not do and consider.”

[00:07:32.270] – Carla Donev
I would say that we are in a decent place right now with IoT. We can always get better, you’re never going to be 100%. I think that we are heading in the right direction. Especially I view that our industry is getting more into technology in the field and it is just going to be a matter of time before that’s all we have.

[00:07:52.530] – Carla Donev
People tell me all the time, “We don’t need a field person. You’re going to have a drone or a robot that does it.” I laugh most of the time, but it’s like, “Yeah, it’s probably is coming in the future.”

[00:08:01.870] – David Puner
How much of what you do on a day-to-day basis or how much of what you’re thinking about on a day-to-day basis involves embracing something futuristic and having to either poke a hole in it or say, “Okay, let’s figure out a way to make this work in the long run.”

[00:08:16.150] – Carla Donev
Yeah, the view of a cyber person is always to say, “No, you’re not going to do that. No, we don’t want that here.” I’ve always told my teams, no matter where I’ve been, that we have to find the yes and the no. They’re going to do it even if we say no, so we have to find a way to compromise with them in that. We’ve been able to do that so far.

[00:08:36.730] – Carla Donev
We have drones. We have electric power lines in Indiana. Sometimes the only way to be able to get into those rural areas and see above and see what’s happening is with drones. That’s the space that we definitely are in. I would also say that we have to think about what the future of the industry is and that’s something that we’ve been talking about. You hear about the sustainability and the renewables and we are getting into that space in Indiana in electric.

[00:09:02.190] – Carla Donev
We have a commitment to shutting down our coal plants and moving to all renewables. That’s a completely different technology environment than what we had. On the gas side, you hear about renewable natural gas and what that is and what’s that and what are we going to need to do with that.

[00:09:16.660] – Carla Donev
We’re not there yet on the gas side, but we’re starting to research that and a lot of things with that is technology. I have my team telling me why do I need to look into renewable gas we’re not doing it? I think we have to be prepared for it.

[00:09:29.800] – Carla Donev
Those are some of the things that I think about is where’s the future of the industry going and it’s moving to renewables, it’s moving to making things easier, more effective for our users. I mean, people want to pull up your app on their phone and see what is our usage, what does it look like? We have to think about those things. If we’re thinking about that from an app perspective as well is, what do we want our customers to be able to do in the app, how do we interact with them?

[00:09:53.930] – Carla Donev
That’s where the AMI devices come in. The smart meters. Do we have to send somebody out to your house now to check your meter, to read your meter, to shut off your gas or turn it back on? We can do that remotely. Those are things that are highly ingrained with technology and it’s scary.

[00:10:12.700] – Carla Donev
It’s scary to think, oh, wow, somebody here can turn off your gas at your house. It’s something that we do and we know that we’re setting it up in a way that’s safe for everyone.

[00:10:22.520] – David Puner
Great, thank you. When you’re talking about peers, are you talking about peers in your industry or peers just anywhere? Where are you taking cues from as far as user experience goes? I guess this is a long way of asking, just what other industries are you looking at and then what kind of security challenges does that pose when you incorporate them into what you’re doing?

[00:10:44.110] – Carla Donev
For us, the utility industry is probably one of the most collaborative I’ve ever been in. I’ve been in healthcare, I’ve been in retail. Those are businesses where you don’t talk to your peers, you don’t share information with them. In the utilities, I talk to one of my peers daily usually. It’s a lot of open communication, data sharing and this is what we’re doing, this is what we’re seeing.

[00:11:04.970] – Carla Donev
It is a very different environment and I think we do learn a lot from that. You also realize that you can’t just rely on that industry. There’s other industries that are way further ahead than we are. We rely a lot on information that comes from banking. Banking is one of the most advanced when it comes to cyber. We think about that.

[00:11:23.560] – Carla Donev
Here in Columbus, Ohio, there are some pretty large banks and I have some old team members that work at some of those banks. I’m able to call them and say, “What do you do with this? What do you do with that?” And pull a lot of the information from them. I pull a lot from my history in retail as well.

[00:11:39.680] – Carla Donev
What we used to do specifically when you talk about mobile apps. I mean, they’ve had them forever. Now the utilities are finally starting to get there. When I think about our mobile app, I think, well, “We did this back here, so here’s what we need to think about from a security perspective.”

[00:11:54.370] – Carla Donev
I would say that it’s good to have that open mind. The utilities are usually a little behind when it comes to technology. I would say for us it’s banking. Banking is what we look at pretty heavily, but we’re open to engaging with anyone else.

[00:12:09.510] – David Puner
That’s really interesting. When you’re hiring for your team, are you looking for that kind of background for folks who have been in other industries so they can bring that knowledge into your industry?

[00:12:19.930] – Carla Donev
Absolutely. I think that is critical. It’s always good to have people on your team who understand your industry and know all the ins and the outs, but I also believe that it’s beneficial to have folks from different industries. They have different experiences, they’ve seen things a little differently. I have no rule that says you have to be from the utilities for me to hire you.

[00:12:43.410] – Carla Donev
We hire a lot from the military. We’ve got a lot of fantastic people who have come from the military backgrounds and they are fantastic cyber folks. They are trained heavily and they are dedicated. We hire a lot of military, we’ve gotten people from retail, we’ve gotten people from banks, we have consultants and everyone brings their own skill set.

[00:13:05.780] – Carla Donev
I’m more of a hire of who you are as a person. I never hire people based on their skills or where they came from. To me it’s, can you be a good team member? Can you be somebody who represents our team well? Can you work well with others and get the job done? I can teach you the skills. I always tell people, I can teach you how to set up a network, but I can’t teach you how to be a good team member.

[00:13:26.630] – Carla Donev
For me, that’s kind of the stuff that I look at. I let my team dive into, are they technically capable? But for me, it’s just making sure that they’re the right person for the job.

[00:13:36.630] – David Puner
It brings up something that you had mentioned prior to this conversation in our pre-interview about your own degree. What was that again?

[00:13:48.490] – Carla Donev
I actually have an accounting degree. I have no computer science, none of that. That’s what I always tell folks. I told my boss not too long ago, “I am a fantastic person when it comes to balancing my budget, so you don’t have to worry about that.” I found my way into technology. I just didn’t want to reconcile accounts anymore. It wasn’t something that was for me.

[00:14:12.220] – Carla Donev
I found my way into a consulting job that was technology-based and learned a lot from that and got into IT audit over time. Before you know it, I’m in a security role. I initially said, “No.” When they offered me the interview, I said, “Absolutely not. I am not a security person. I’m not an IT person. I’m definitely not doing that.”

[00:14:34.950] – Carla Donev
I went home, thought about it for a while, and said, “Well, why not? Why not try something different? Who knows?” That was probably over ten years ago, and here I am, in this role, managing the security operations for one of the largest utilities in the country. It’s been fun.

[00:14:54.170] – David Puner
Do folks around the office hit you up around tax time for tips and questions and stuff like that? Tips and tricks, I guess they like to call it?

[00:15:02.490] – Carla Donev
No, I openly tell them that I don’t even do my own taxes, so I’m not that person.

[00:15:10.170] – David Puner
You mentioned Colonial Pipeline, the Colonial Pipeline ransomware attack from 2021. You mentioned that a few minutes ago. In the wake of that attack, how are you looking at pipeline security now? What’s changed since then?

[00:15:23.350] – Carla Donev
There’s been a lot of change since then, and it’s been eye-opening for the industry. I think when that happened, it really opened the eyes to, wow, there isn’t much, from a requirements perspective on the pipelines. Colonial really showed that. Many people aren’t aware that TSA actually is the regulator for the pipeline industry.

[00:15:46.770] – Carla Donev
The same TSA that’s in your airport is regulating our pipelines. When I first heard that, I’m like, “It can’t be. It can’t be. It’s got to be a different TSA.” Then it’s like, “No, it is. It’s the same folks.” I think it was one of those they realized that they needed to get ahead of it, and they needed to start putting some ground rules around what needs to be done with the pipeline industry.

[00:16:10.630] – Carla Donev
We have within electric NEC safe. Those guidelines have been around forever, and we comply with that. It’s very strict around what you can and cannot do from a cyber perspective within that organization. The last year now, TSA is trying to get us to that point of what does that environment look like in the future? What will that regulation be?

[00:16:34.290] – Carla Donev
They’ve released security directives that have been, here’s your requirements, now. Here’s what you must do. They released those to the top 100 pipelines in the country, we were fortunate enough to be one of those. You start thinking about it a little differently. We’ve always had controls in that space, but not as strict and granular to the level that we realized we needed.

[00:16:58.420] – Carla Donev
We focused on that the past year and started to really harden and think about that environment completely different. It’s been fun. It’s been fun dealing with the OT stuff. You don’t get to see that every day and think about, this system actually sitting here, controls the gas to six different states and how it does it.

[00:17:19.040] – Carla Donev
You think about the cyber around that and the implications of it. It’s been very eye-opening. I thought about that a couple of years ago when I first started here. We had the Merrimack Valley incident in Massachusetts. An unfortunate incident there. But that night, I’m sitting in my office, and the first questions people are asking me, “Is this a cyber event? Somebody get control of the gas?”

[00:17:42.870] – Carla Donev
You initially say, “Let me find out.” Then you sit in your office and you start questioning yourself on, “Oh, no. Is this the right thing? Is it not?” I jokingly told someone the other day, I’m like, “It’s so funny that that night I had Department of Energy, DHS and the FBI all call me on my phone. Didn’t know they had my number, but they found it.

[00:18:02.090] – Carla Donev
In the end of the night, we realized it’s not a cyber incident. You feel a sigh of relief, but then you think about it, and I was like, “Wow, it could have been.” I started really thinking about my job a lot different after that and the implications of it. It really changed my mindset that people can lose their life if I don’t do my job right. It’s very different feeling after that. I think I have taken my job very differently from that.

[00:18:29.990] – Carla Donev
I think it’s only going to get more involvement from the government. They are focusing on cyber. They’re focusing on how do we secure the critical infrastructure? With the Russia-Ukraine situation, it’s coming up even more now with Russian as a powerhouse in that they have the ability to bring down critical infrastructure. They’ve done it in other countries.

[00:18:49.530] – Carla Donev
How we focus on it here has been just part of the extension of the Colonial Pipeline and now this. It’s been a real focus for us and we’ve been able to really advance our cyber program. It’s kind of exciting.

[00:19:02.120] – David Puner
I would think that with the war in Ukraine and obviously now that we’re post Colonial Pipeline, how do you stop thinking about your job? Is it possible to do it? It would seem like there’s never anything not to worry about.

[00:19:17.590] – Carla Donev
No, I worry all the time about it and I think about it all the time. Like I mentioned, it’s one of those things where people’s lives are at risk if I don’t do my job well. It is constantly on my mind. I feel like I do work 24 hours a day, seven days a week, and my daughter would probably tell you that I do. It’s just the nature of the business that I’m in and anyone who’s sitting in my role probably feels the same way.

[00:19:43.830] – David Puner
Going back to the TSA directives for a moment, among those mandates, it requires notifications of major breaches within 24 hours. Considering it can be difficult to even determine whether you’ve had a major breach at times, how do you drill to do that kind of reporting?

[00:20:03.370] – Carla Donev
It’s a challenge, and reporting is probably the most talked about item out there. The SEC is now talking about requiring reporting. You now have SISA reporting, you have CSA reporting and it’s all over the place.

[00:20:15.580] – Carla Donev
Everyone wants you to report everywhere. It’s a challenge because in 24 hours sometimes you’re still looking into it and how big is it, what is the scope? We really report if we think we have something. So we are more on the over-cautious side I would say, of potentially reporting something.

[00:20:35.290] – David Puner
Thank you. Thank you for hanging in. I wanted to ask you about Zero Trust and how it figures into your day-to-day.

[00:20:44.530] – Carla Donev
Yeah, Zero Trust, it’s like one of those new buzzwords. It’s like the DevOps and everything else that comes up. For us, it’s one of those things, we are just hardening ourselves, locking ourselves down as much as possible and using the term. We don’t trust anyone. We have to know you. You have to be a reliable source for us to be able to engage with you technically.

[00:21:07.850] – Carla Donev
I think if there is a common view of it, it might be a little easier, but our view of Zero Trust is completely different than everyone else’s. I think we feel as if in our definition, we’re meeting Zero Trust but somebody else might come in and say, “Absolutely not. You’re not.”

[00:21:24.740] – Carla Donev
I think it’s depending on who you are and what your organization thinks about it. I love it. I love the buzzwords that come out. Within our function, it’s always something.

[00:21:36.670] – David Puner
As we record this podcast, I’m somewhat fresh from returning from the RSA Conference in San Francisco. There’s a lot of no-surprise talk about Zero Trust. People seem to be somewhat fatigued with the term. A lot of them say, “It’s just a buzzword.” Then I think, rightly so, there are a lot of people who mentioned, “Well, it is a foundational principle. It’s not a capability or a toolkit or anything like that.”

[00:22:03.030] – David Puner
Obviously, trust is a word we hold near and dear. It’s part of our podcast name here. Just when you think about trust itself in what you do and what your company does, your organization does, how does trust figure into what you need to be for your customers?

[00:22:21.370] – Carla Donev
We talk about trust constantly, even from the individual perspective. We had a whole leadership session about a year or so ago on just trust and that whole concept. Then you also have the trust from a technology perspective too, on that whole Zero Trust. Who do you trust, who you do not trust?

[00:22:40.840] – Carla Donev
For us, as I mentioned, we are a very, I would say narrow organization. We have states we function in. We have a handful of organizations that we do business with. We’re not international. Our whole concept has been, we know who we do business with and we’re not going to do any interaction with anyone else. Geo-blocking is a big thing that we do here, and it’s like we don’t need another country to even communicate with us because we’re not there.

[00:23:08.230] – Carla Donev
We get the complaints a lot from our customers saying, “I was in France trying to pay my bill and I couldn’t connect you.” We’re like, “Yeah, you couldn’t. That’s part of what we do.” You do get the hate mail on it, but for us, it’s really worked out. It’s really, I would say, helped narrow us down to, “This is the scope of our business.”

[00:23:27.420] – Carla Donev
If you want to engage with NiSource from a technology perspective, then we have to build that trust with you, and we have to understand who you are, what you do. Anytime someone wants to connect with us, we go through a very detailed review of that organization. What are their cyber procedures? What type of connection do they want? How can we monitor that? What different gates can we have along the way to make sure that there’s nothing going wrong?

[00:23:52.220] – Carla Donev
We want to trust, but it’s the whole trust but verify as well. We’ll let you in, but we’re going to make sure that you’re doing the things right. That’s part of who we are. It’s all about safety, and we’re just cautious.

[00:24:03.490] – David Puner
You sort of touched upon it a moment ago. Third parties. When it comes to handling and managing third parties, what kind of considerations do you keep in mind?

[00:24:12.850] – Carla Donev
We keep an open mind, but as I said, we’re extremely cautious. Any third party that wants to do business with NiSource from a technology perspective, goes through a very detailed third-party assessments. We have actually outsourced part of that to an organization that provides us with report after report on a company.

[00:24:31.980] – Carla Donev
I think our questionnaire that goes out to them is 250 some questions that we ask them about their organization. We risk-rank all of our vendors. Are you a critical, high, medium, or low vendor? That tells us how often we want to keep track of you and what we’re doing to manage your account.

[00:24:50.550] – Carla Donev
There have been companies that we’ve turned down and said, “No, thank you.” We just don’t feel as if they are secure enough for us to engage with them. We don’t feel as if they have the right business practices in place. We have turned down companies. It’s hard on our business side of the folks because they’re like, “Wait a second, we want to use them.” Here I am saying “No, but you got to find somebody else.” There’s a lot of, I would say, hard conversations there, but in the end, everyone realizes it’s the right thing for the organization.

[00:25:19.210] – David Puner
Great. Thank you. Then as far as the workforce itself goes, what kind of challenges are you experiencing there right now?

[00:25:26.460] – Carla Donev
We are all short staffed. We’re all facing challenges.

[00:25:29.680] – David Puner
Yeah. Of course.

[00:25:30.790] – Carla Donev
It’s fantastic that most people can work remote now. We’ve been able to expand and look outside of just our headquarters split print for people. We can go to other states now and say, “Okay, you can work for us remotely.” The market is so difficult right now to find those people. Everyone is just after them. Someone this morning I said, “Somebody is going out, someone’s coming in.” It’s truly coming down to a financial aspect.

[00:25:57.740] – Carla Donev
I have folks here that are telling me, “Hey, I’m in Columbus, Ohio, and here’s what a normal person makes in Columbus in this role, but they’re now working for a company out of Silicon Valley in California, and they’re paying them what we pay our directors here. It’s like, how do I compete with that?”

[00:26:15.180] – Carla Donev
It has been very difficult for us to compete in the market because you are competing against those large companies that pay very differently than we do. We just bring in the best people that we can, and we’re short staffed like everyone else and have open roles, and we fill them when we can.

[00:26:35.240] – Carla Donev
We don’t fill them just for people to sit in the seats, we want to make sure that we have the right individual in place. Sometimes it takes us a little longer to fill them than others.

[00:26:45.430] – David Puner
Yeah. Obviously, it’s an enormous challenge throughout cybersecurity. Do you have any idea where it’s all headed in the next five years? How is this going to work itself out?

[00:26:53.690] – Carla Donev
I think the positive is that there’s more and more institutions, colleges and universities, that are starting to teach about cyber. More people are getting into the field. I hear that a lot. I think they’re not coming out as fast as we want all of them.

[00:27:12.980] – Carla Donev
I talked to a group not too long ago from a university here, and they want the big jobs. They want the Facebooks and the Googles and those kind of roles. Here I am sitting in a utility which is not sexy at all, and they’re like, “Nope, I’m going to go work for Google out in California.” Or “I’m going to sit in the Columbus, Ohio and work for Google.” It’s really hard to bring in that new talent. There’s not much excitement about my industry. That’s been a challenge as well.

[00:27:42.090] – David Puner
Right. Particularly now because in many instances, it obviously doesn’t even really matter where you’re sitting, you can be wherever. Is by any chance the NiSource cafeteria a draw? If so, I’ll give you the opportunity to pitch it.

[00:27:57.980] – Carla Donev
Well, it used to be. Our office is still pretty empty, so it’s not open right now, but we do have across the street a Chipotle and Boston’s Tim Horton. We’ve got good food around, and you always have good food with Uber Eats now, but our office isn’t as busy as it used to be. I come in, I’m not a work-at-home kind of person, but not everyone’s there yet.

[00:28:26.720] – David Puner
Two more quick ones, and then I’ll let you have the last word should we have missed anything here. Going back to something a little bit heavier as a result of the war in Ukraine, how does higher natural gas costs figure into what you’re doing from a security purview, if at all?

[00:28:45.070] – Carla Donev
Gas prices definitely are higher. I think for a company like NiSource, we don’t produce the gas. We actually buy it ourselves and then pass it on to our customers. Our money is actually made by the rates that people pay. Those are rate cases that go to each state. We don’t just make them up and send them out. The states actually approve how much we’re going to charge our customers for their gas.

[00:29:08.650] – Carla Donev
It’s a fine line because now we’re paying more for it, but yet we can’t at this point in time pass it on to our customers because we have to put that through to the states and get it approved. I would say that other companies are probably feeling the same pressure we are, but it’s like a year long process to go through that.

[00:29:28.710] – Carla Donev
We are actually starting that in a couple of states, talking about, “Here’s the investments we’ve had to make, here’s what we pay now, here’s what we feel like our rates should be.” In those rate cases, we put in technology. That’s the capital expenditures we have and Cyber is finally starting to get in there because we are making such large investments in it.

[00:29:49.320] – Carla Donev
The states are finally starting to understand that, especially this past year with all the new work from TSA and everything. They’re understanding, okay, this company had to invest $10 million, for example, in cyber.

[00:30:01.670] – Carla Donev
Now we’re being able to say, “Okay, let’s recoup some of that from our customers.” I think as the gas prices increase, we’ll continue to go to the states and ask for some relief. That takes a while to get in effect so I think for now, we’ll just be dealing with it for a period of time.

[00:30:20.020] – Carla Donev
That’s the thing that I think people need to understand, is if you’re getting an increase in your gas rates right now, if you’re in a different state, that’s probably due to a rate case that’s been in the works for probably a year to two years. That’s not even what’s affecting going out to the customers at this point.

[00:30:37.100] – David Puner
My last question for you before I’ll open it to whatever, is, of course, the question everybody loves. What keeps you up at night?

[00:30:44.900] – Carla Donev
I slept pretty well. I mean, nothing keeps me up a lot, but I will say I share with people all the time that it’s the people. The people is what keeps me up. It’s not a piece of technology, it’s not what’s going on in the world, it’s the people. Am I doing the right thing to educate them and to make sure that they are aware of what’s going on and what they need to focus on when they’re reading their email, for example?

[00:31:09.930] – Carla Donev
It takes one person, sitting anywhere in our organization, that clicks and you can bring down our entire company in minutes. You saw that with Colonial. That is my thing that keeps me up is, the education and the people. Making sure that they are aware and they are being as cautious as the rest of us.

[00:31:28.700] – David Puner
How do you do that?

[00:31:30.850] – Carla Donev
We have a pretty robust security awareness program. We have an individual that’s dedicated to it. Does a lot of messaging, we have our own blog out there on our Internet, and she blogs about everything cyber-related, what’s going on.

[00:31:45.120] – Carla Donev
We also do phishing exercises monthly, and they get harder and harder all the time. I report that up to our board, actually, on a quarterly basis. I spent 20 minutes in May talking about phishing with them. How do we do it better? How do we get people more aware?

[00:32:01.820] – Carla Donev
I have been on probably more staff meeting agendas in the past two months than I have in the past four years just because it is a hot topic, and getting people to understand the severity of it. I actually had someone tell me that last week. They said, “I never realized that somebody clicking on a phishing email could lock up the entire company.” I think until people understand that, it’s something that we’re going to continue to do.

[00:32:28.530] – David Puner
Carla, this has been really interesting. Unfortunately, we’re coming to the end of our time here. Is there anything that you’re itching to tell the large Trust Issues audience?

[00:32:38.780] – Carla Donev
I just want people to understand that our job is really hard and we’re not doing it to be painful to everyone. Like I said, everyone comes in. I get rolling on the eyes all the time, “Our cyber told me no.” It’s not because we don’t want you to do something, it’s because we’re trying to protect you. We’re trying to protect you, our customers, our organization. I don’t think that a lot of people really understand that.

[00:33:04.490] – Carla Donev
People in my position and my team’s position is stressful, it’s hard, it’s the most difficult job I think I could ever imagine. It’s so rewarding when you think, “Okay, all this stuff is going on in the world and knock on wood, so far we’ve done a good job.” That’s what makes me happy.

[00:33:20.660] – Carla Donev
It makes me happy that I have a fantastic team. I don’t know what I’d do without them. They keep me on my toes and they just keep evolving what we’re doing. It’s a very rewarding career, and more people should get into it, but if you’re not an adrenaline junkie and you’re not ready to go and excited about being on call 24 hours a day, it’s probably not the profession for you.

[00:33:44.590] – Carla Donev
I thank you for having me on.

[00:33:46.990] – David Puner
Thank you very much. Really, this has been terrific. Thanks for coming on the podcast. Look forward to keeping in touch and talking to you again soon, I hope.

[00:33:54.580] – Carla Donev
Yeah, absolutely.

[00:33:55.310] – David Puner
Best of luck with everything.

[00:33:56.130] – Carla Donev
Thank you.

[00:34:03.710] – David Puner
Thanks for listening to today’s episode of Trust Issues. We’d love to hear from you. If you have a question, comment, constructive comment preferably, but, you know, it’s up to you, or an episode suggestion, please drop us an email at [email protected]. Make sure you’re following us wherever you listen to podcasts.