Sean Stalzer, CISO and Director of Cybersecurity, Dominion Energy
Q: You’ve spent (mostly) your entire career at Dominion Energy, growing from software development to becoming CISO. What kept you invested in the company and the energy industry, and how did your early technical roles shape your approach to leading cybersecurity today?
A: The energy industry is different than what I believed I knew growing up. Perhaps I never thought about it enough but it should be apparent to most that a utility is a service focused culture. When things are at their worst, such as with a hurricane or blizzard, the utility is at its best with crews out in the weather restoring power as rapidly as possible while keeping to our primary core value of Safety. That mindset pervades the entire industry and is exemplified by Dominion’s culture. When I was sent to Dominion on a consulting project, shortly out of college, that culture was clearly evident and the mission is absolutely one I could fully get behind. So, as that project ended, I stayed and have never regretted that decision.
In terms of my early technical roles, they were foundational in two important but very different ways. First, for lots of leadership roles, you can take a qualified manager or qualified leader and place them in the role. They don’t usually need to know the specifics of the tasks being done by the team to manage or lead a team. Within cyber, however, that is FAR from the case. There is rarely, if ever, a posting for a cyber leader that says “Anyone apply!” Rather, those postings clearly expect technical competence and cyber competence in addition to good managerial and/or leadership skills. So years spent in various technical roles is a very strong foundation to a current cyber leadership role and it is, in most companies’ view, mandatory. Cyber leaders are not fungible with other roles. Second, those early technical years also taught me what not to do as a leader. Being a smart techie is far from the same thing as motivating, guiding, growing, empowering and leading teams to success. I think young, very smart, very motivated techies often don’t clearly understand that difference and not every company allows you to fail, learn and grow. I failed multiple times in my early career as I learned how to be a better leader to the future teams that I would be a part of.
Q: With the weight of protecting critical infrastructure and facing increasingly complex cyber threats, how do you personally stay grounded and keep a clear head under that kind of pressure? Is there a mindset or practice that helps you lead effectively, even in high-stakes moments?
A: It is a personal pet peeve of mine (although it may well be a truism) when it gets said that it is not ‘if’ a breach happens, but ‘when’. In my mind, that is starting down the path of giving less than one’s best. I play to win. I always give my best. It is kind of like having a safety culture but not setting the expectation at 0 safety issues. Practically speaking we know humans make mistakes and there may be one, but it should always be the goal to strive for 0. So within cyber, that same mindset should exist. We strive for perfection realizing issues can and will arise. I think beginning with the mindset that the cyber security of today is not good enough for tomorrow, and playing to win (so to speak) sets a leader up to stay grounded and manage the pressure. That said, if you are not the kind of person that thrives under pressure or that is willing to accept that your decisions can have dramatic consequences, cyber leadership is probably not the right long term career path. All of that said, the one practice that I firmly believe in is: Hire and invest in the right people. If you build the right team and invest in them, then if things go sideways you should have the trust and confidence that you have folks working with you that can right the wrong.
Q: For those just entering the cybersecurity field, especially in sectors like energy that aren’t always top-of-mind, what would surprise them about working in this space—and what skills or mindsets do you think will be most valuable over the next 5–10 years?
A: While I think it is intuitively obvious, I am regularly amazed that not everyone connects these dots: Nothing in the world works without power. There are lots of very essential services that we rely on every day. Losing one or more of them would absolutely impact our life and we can/should be doing everything necessary to protect them. If you lose power, you lose every one of those services. There are some amazing cyber security companies out there doing tool development, incident response, defensive actions and cyber development. However, if you want to be on the tip of the spear you really have two options: Join the military’s cyber forces or join an energy company. You will experience everything possible in a defensive cyber role.
Q: Dominion Energy plays a major role in powering data centers beyond Ashburn, Virginia, and one of many critical infrastructure gateways for the digital world. How does that responsibility shape your cyber strategy, especially in securing both physical grid systems and digital assets simultaneously?
A: There is certainly a great confluence of critical things within Dominion’s service territory. The data centers that operate the backbone of the internet are one of a list of things we could discuss. Going back to the original question and my answer of the service culture and the mission focus, that is really also the answer here. Dominion, like many of our peers, simply does the right thing. Doing the right thing for cyber security for all aspects of the electric grid naturally means we are doing the right things for all of those critical nodes within our daily lives. Some of those essential nodes certainly mean we get additional help from other partners that is unique to our company but our core values and our focus on doing the right thing is ultimately what underpins our approach to cyber and everything else that we do.
Q: With cyber threats becoming more advanced—from ransomware to nation-state activity—what do you see as the most significant cybersecurity threat facing Dominion Energy and the broader energy sector today, either known or unknown to the greater community?
A: Speaking more at a national threat level, the potential of insider threats is always a significant concern within the cyber space. The FBI put out a movie (available on YouTube) known as “Made in Beijing: The Plan for Global Market Domination”. It walks through four insider threat scenarios across various sectors. The first scenario is energy related but all of them are interesting stories and highlight that threat. Watching it, I think it makes the case for why having a good program in that space is an important aspect of cyber (and physical) security for companies today. Certainly there are other significant threats out there. One of the more commonly talked about is how easy access to AI tools, that do not always have strong guardrails on them when they come from certain nation states, allows criminal groups to amplify their attacks both in sophistication and intensity. That trend will likely continue. And finally, the big boogeyman that we have been talking about for five years now is “quantum” and what it could do to existing security processes should it evolve into what researchers fear that it may. That is a theoretical challenge for another day but one cyber professionals think about.
Q: You’ve mentioned your passion for cybersecurity and your commitment to building strong partnerships across the industry. What are you most optimistic about when it comes to the future of energy security, and how are you preparing Dominion Energy to lead in that future?
A: Cyber security is a team sport. Relationships at all levels and in all roles matter. I am optimistic that those statements are increasingly widely accepted as a truism in cyber. As a nation we are starting to figure out what the utility industry has been practicing for years which is that sharing and collaborating makes us all stronger and safer. When North Korea has over 7,000 bad actors and China has over 1.4 million, any individual company needs strong relationships with its peers, with the US Government, with key vendors, with industry groups, with security vendors, with its own business segments in order to maximize all of our chances of being secure. When I first entered the cyber role, my initial thinking, born out of years doing IT work, was that “tools and technology” were the right answer. They are a component of a good program but people and relationships are the right answer. Strong, empowered, supported teams who collaborate in a positive, transparent way with the business segments to advance the company’s goals is a strong foundation for long term success and I see that occurring all around me. Cyber is constantly changing so our defenses and approaches must also constantly evolve. Tools do not do that. People do. And relationships are what drive people to function as communities which collectively can overcome large challenges.