Finding the Right Balance between Protecting Data and Fostering Innovation
By Yanni Charalambous, VP & CIO, Occidental Petroleum Corporation
Innovation begins and ends with all staff, whether in IT or other functions, questioning the status quo and looking for new ways of working and improving efficiencies in everything they do. Adopting new and leading-edge technologies is facilitated by IT as digitization is integrated throughout the organization. Information technology is vital to the safe and profitable production and marketing of oil and gas today.
Innovation in IT means discovering and exploiting new ideas, technologies, and methods that empower our most valuable resources—our people. Their imagination, creativity, and functional expertise will enable oil and gas companies to thrive and deliver value. IT must also provide technical leadership to the overall organization. How do we predict technology changing over 1 year, 2 years, 5 years? How can we apply technological advancements to achieve better outcomes? Information Technology is changing fast and it is necessary to take some risks to keep up.
In the past, IT organizations have often been “order takers.” Innovation came from the business teams. Today, IT is expected to lead and demonstrate how technology can be used to achieve business goals. With the Internet of Things, mobile computing, the cloud, operational analytics, production optimization, and other recent advancements, IT innovation is no longer limited to IT systems, but includes almost every aspect of the oilfield: smart devices, smart controllers, mobile distributed work force, enterprise networking, etc.
At Occidental, our business leaders are expecting us to develop innovative solutions at a faster pace. It is our job to know technology and how and when to apply it for the best business outcomes. As the dynamics between IT and the business evolve, we are collaborating to prioritize investments and design and build solutions for the future.
We routinely evaluate best practices in the Information Technology industry to find innovative solutions that contribute to the business objective and ultimately the bottom line. As a result, we formed an IT enterprise architecture team consisting of typically seasoned IT professionals with diverse backgrounds and experience who understand the business opportunities and challenges of new and leading-edge technology.
The team’s charter is to examine current and ongoing projects and recommend new disruptive technologies being used inside and outside of the energy industry. These strategies are then reviewed by senior management for potential discovery investment.
For example, our IT department is collaborating with our oil and gas business leaders to re-imagine how the oilfield will operate 5 to 10 years from now. This partnership has given us the opportunity to take advantage of emerging “industrial internet of things” technology that is transforming many industries. We assessed the applicability of existing and upcoming technologies on our operations and established an innovation path to build the foundation required to take advantage of emerging technologies. We focused on intelligent equipment, advanced analytics, connecting people at work and on the move, and providing seamless access to a “context aware” digital oilfield. This will enable us to move from merely understanding the past to seeing and improving the future.
Innovation and the introduction of leading technologies also bring risks associated with having a more digitized and interconnected environment.
Cyber security is part of the early stages of strategy development for each of the technologies we consider, and cannot be an afterthought. We must design security into every solution because addressing security once a technology has been applied can be very expensive and is often less effective. As a result, our enterprise architecture team must have the skills to recognize security implications and engage our cyber security team during the strategy development phase. This step reduces the risk of losing data or control before the solution is operational.
“Defense in depth” is another strategy for protecting systems and data. We employ multiple layers of protection based on industry best practices, which are part of a larger cyber-security roadmap that provides solutions and supports a lifecycle of prevention, detection, containment, and eradication of cyber intrusions.
Our cyber security roadmap was developed methodically to align with business requirements and impacts, while clarifying operational risks and identifying critical business data. We have focused resources on the most important business objectives without impeding productivity. The roadmap also establishes key indicators and metrics that allow us to measure performance. These metrics include progress toward meeting implementation deadlines for business-critical projects, measuring and reporting on identified threats and mitigation activities, performing third-party vulnerability assessments, and regularly measuring the response to mitigation of identified vulnerabilities. Exceptions to controls add risk to the organization and are documented and regularly audited.
As cyber threats constantly evolve, we must remain vigilant in our efforts to protect systems and data. Staying connected to the industry and participating in workgroups, government-led activities, and information sharing forums is essential for staying on top of existing and new threats and approaches to mitigate them. Controls, operational manuals, configuration guides, and written procedures are continuously optimized to increase their effectiveness.
Any IT innovation and systems cyber security implementation must focus on improving operational excellence in every aspect of our business, resulting in production that is more profitable and supporting our efforts to increase the recovery of reserves while improving margins. Our IT investments and innovations have focused on improving data security and quality, making “the right data” available to the “right people at the right time, every time” and applying appropriate analytics to improve operations and decision-making. By profitably growing our production, we grow the company.