Interview: David B. Coher

May 29, 2015 by Infosec

From helping to prevent a Y2K disaster as a Capitol Hill staffer to securing the Smart Grid with one of the Nation’s largest utilities, David B. Coher has over 15 years of experience in the technology policy arena. Throughout, David has sought to break otherwise complicated problems into simple, discrete issues that can be addressed and solved with less hand wringing and more action.

Currently, David is the leader of SCE’s Reliability and Cybersecurity Department, which ensures that the systems responsible for meeting the electricity needs of 14 million Californians run smoothly and are secure. David’s team is responsible for addressing the current and future regulatory policy needs and ensuring the reliable operation and security of SCE’s power plants, commodities trade floor, and corporate functions (including procurement, fleet services, real estate, and vendor

Previously, David led the team working on the regulatory matters surrounding SCE’s $6 billion annual participation in energy commodities markets. This work required leading a team that reconciled state and Federal regulation from nearly a dozen regulatory bodies with competing goals and political directives. Before joining SCE management, David served as legal counsel to SCE on reliability and cybersecurity matters, energy market regulation, infrastructure project development, and related matters.

1. Before becoming the principal, reliability and cybersecurity, for Southern California Edison Co., your career path included stints in the political realm and time as an attorney. Why did you make the switch to the cybersecurity space?

I initially made the switch because I had been supporting SCE’s regulatory compliance work from within the Law Department and a manager from our operations side left. The Vice-President of the business unit for our power procurement (buying electricity and other energy in the commodities markets) asked me to come over and lead the business team for him.

2. How did your time in politics and the court room prepare you for your current role, and do these prior positions give you a competitive advantage?

My time in politics taught me that relationships are important. While this may seem obvious, it is sometimes easy to forget that people won’t always do what they should or what you need just because it is their job. Rather, they have to want to help you, which is most often because either it helps them or because it helps you and they have a friendship with you that drives them to want to help you. This was a valuable lesson to learn early in my professional career – make and keep friends as much as possible, without compromising your values.

As for my time as an attorney, I learned that it’s not what the situation is that is important but what the decision maker knows that is important. In a courtroom, judges and juries are only allowed to see a limited amount of the evidence and they only hear a limited amount of the story of what happened. This is counterintuitive, but it is because of very well established rules of evidence that have been built up over many years to keep biased decision-making from entering into an important decision. Outside of the courtroom, there are no such rules and so we easily forget that the decision maker may not know all that you have seen to arrive at the decision point. So, it is important to remember what the decision maker actually knows and to keep them informed of those things that you just assume they should know, but that they may not know because of either not having been dealing with the issue in the past, not having been told, or otherwise.

3. Looking at your LinkedIn profile, I see that you helped to prevent a Y2K disaster as a Capitol Hill staffer. Care to explain?

Sure. When I worked on Capitol Hill I supported Rep. Stephen Horn on the Subcommittee on Government Management, Information, and Technology. It was Rep. Horn’s Subcommittee that was key to having media attention and government resources focus on the Y2K issue in the late 1990s. Rep. Horn was highly successful in bringing the necessary focus from both the responsible government executives and the public, so as to get the work done that was required. It was a good example of how to work across sectors and across the aisle to get a problem solved.

4. What sorts of cybersecurity issues might an electric utility with millions of customers, such as Southern California Edison, face that businesses in other industries may not?

Our potential cybersecurity issues include those that other industries face, but with the critical element of our service being required to be available 100% of the time. We are an ‘always-on’ service that, when we have a problem, it can cause problems for many others who are relying upon us to be available. This is why we focus so much attention on maintaining and strengthening the reliability of our service.

5. Are there challenges you face today that you did not encounter when you took on your present job north of seven years ago? If so, please explain.

The most interesting one, I think, is that when I joined SCE as a litigation attorney, my role was often to come into a matter after-the-fact. Now, I’m a part of an issue nearly from the moment it begins – good or bad! Sometimes this can be exciting and challenging, as it means getting to address issues as they come up.

6. While no two days are the same in the life of a cybersecurity professional, what sorts of things might you be tasked to do on any given day?

Most of my job is helping others find the answers they need to do their work. Whether those answers are questions about the legal nuances of a regulatory requirement or just about the proper process for a manager to get their employees the access to a system that they need to access to do their jobs, my job remains the same – getting people the answers they need. So, while no two days are the same, that’s because the questions always seem to be different – but the underlying work of helping my colleagues by finding them the answers they need remains the same.

7. What kinds of hard skills and soft skills do you need to do your job effectively?

The key hard skills are analytical skills and technical proficiency with computers. The analytical skills are required for solving the tough problems that are presented regularly. Sometimes it means coming up with the answer myself; more often, however, it means seeing the core of the problem and seeing who can help me solve the problem. Without the ability to break down a problem and understand who can help, most of the problems I see, in my role, would not be solved.

I think the technical proficiency with computers is somewhat self-evident. However, it is more than just the proficiency with computers and rather it is about enjoying tinkering with computers. If you’re genuinely interested in tinkering with computers, taking them apart – figuratively and literally – then you will be on the cutting-edge because you are interested in keeping up-to-date, not because it’s your job.

The soft skills are as discussed above, building relationships and the ability to look at a situation from another’s perspective.

8. When Roscoe Bartlett was a Republican Congressman, he frequently sounded the alarm on America’s supposedly vulnerable power grid. Would you say that America’s power grid is vulnerable to things like terrorist attacks? If so, could terrorists realistically use cyberattacks to compromise the power grid?

I think it’s well known that the power grid is vulnerable to a variety of cyber attacks – just like much of our nation’s infrastructure. But, we must be careful not to fall victim to the hype that has been created in recent years and months that makes it seem far easier to exploit such vulnerabilities than it actually is to do so. We should keep in mind that the situation does require attention and work, not fear and cowering.

This is why we work so hard at Southern California Edison, in my group and throughout the company, to work with others across the industry and in partnership with government agencies to remain vigilant in addressing these issues.

9. You are often sought out as a guest speaker to address topics such as grid reliability and cybersecurity. How important is it to you to share your expertise on these issues?

I believe that the work my team is doing is important to the company and to Southern California as a whole. I believe that at Southern California Edison we are on the leading edge of ensuring the continued reliability and security of the grid. Therefore, it is important to raise awareness of these issues, so that people within the industry and outside of it are aware of what we are doing and what they can do to help.

In addition, it is important to be a voice to counter the fear mongering that has been taking place in the media and, in some respects, in the industry, regarding the current situation. While I agree that there are very real issues that require real work and real solutions, the hype and hyperbole of late will not help us reach the solutions we need.

10. What sort of advice would you give a college or university student who wants to work in the cybersecurity space?

First, determine what specific field in cyber security you want to be working in. Then, find those who are doing what you want to be doing. Seek out opportunities to meet with and speak with those who are doing what you would like to be doing. Whether that be as simple as using LinkedIn or Twitter to connect with them or attending professional association meetings, if you’re in the same city. Don’t be afraid to reach out and ask for assistance or just a conversation.
