When people ask me what makes a successful NERC CIP program, my answer is always the same: it’s not just about compliance, it’s about culture. You can meet every regulatory requirement and still be vulnerable. You can pass every audit and still lack resilience. The organizations that stand out—the ones that turn NERC CIP from a box-checking exercise into a true force multiplier—do so because they invest in their people.
One of the best examples of that in action is NextEra Energy.
Over the past five years, I’ve had the privilege of working closely with NextEra through private sessions of ICS456™: Essentials for NERC Critical Infrastructure Protection™. I’ve seen firsthand how a utility of their size and complexity has embraced the hard work of building not just a compliance program, but a living, breathing security culture that threads through every layer of the organization.
And it’s producing real results with measurable reductions in audit findings, improved cross-team collaboration, and a workforce that not only understands the standards but knows how to apply them in high-consequence environments. And it all started with a decision to rethink what training could—and should—look like.
Risk Before Requirements
One of the most common traps in NERC CIP compliance is starting with the standards and reverse-engineering a security program around them. It’s an approach that may get you over the regulatory finish line, but it rarely helps organizations stay ahead of evolving threats. (Side note: there is not a single NERC CIP requirement that discusses threat management!)
NextEra took a different path. As Carlos Morales, their Senior Manager of the NERC CIP Program, has said, they’ve built their program by thinking about risk first. Carlos and his team developed a playbook that starts by identifying failure modes and what could go wrong in their operational environment, as well as what the real-world consequences would be. Then, and only then, do they map those risks to the CIP requirements.
That mindset is essential. It shifts the conversation away from “Are we compliant?” and to “Are we secure, reliable, and resilient?” The byproduct of that work will be a compliant program—but the driving force is operational excellence.
The Role of ICS456
ICS456 was built to empower practitioners to understand both the spirit and the letter of the NERC CIP standards. We go deep into not just what the requirements say, but also why they exist, how they’re interpreted, and what proper implementation looks like in the real world.
That’s one of the reasons NextEra brought ICS456 in as a private training experience. In that setting, students are more comfortable discussing their own challenges and compliance history. We can dive deeper into specific challenges or blockers than I’d otherwise be able to in a public class across multiple utilities, vendors, and auditors. It became a working session where SMEs from across the organization could collaborate on solving problems relevant to them and in real time.
Over the years, those sessions created ripple effects. People who may have been siloed—engineers on the OT side, cybersecurity analysts on the IT side, compliance staff, physical security—suddenly found themselves learning side-by-side, speaking the same language. When we talk about “breaking down silos,” this is what it looks like in practice.
Certification with a Purpose
Training is only part of the equation. At some point, you need to validate that the knowledge sticks—and that’s where the GIAC Critical Infrastructure Protection (GCIP) certification comes in.
NextEra made a strategic decision to encourage widespread GCIP certification across its team. Today, they have over 60 professionals who’ve earned the credential—and that number is still growing as NextEra has committed to continue to invest in their people.
Why Does That Matter?
Because GCIP doesn’t just test theoretical knowledge. It evaluates whether someone truly understands how to secure and support critical systems under NERC CIP’s jurisdiction. When 60+ people inside a single utility speak fluent CIP based on uniform knowledge and understanding, you get something powerful: alignment.
Suddenly, conversations shift from “What is CIP-007 again?” to “Here’s how we aligned our CIP-007 vulnerability management process with our CIP-010 configuration baseline tools across multiple environments.” You get faster decisions, fewer misunderstandings, increased efficiencies, and better outcomes.
Audit-Ready Means Every Day
One of the most telling metrics NextEra has shared is this: their number of audit data requests has gone down.
That might sound like a small thing, but in our world, it’s a big deal. It means their evidence packages are tighter, their documentation is clearer, and their story is more complete. Instead of volleying documents back and forth or trying to reconstruct decisions months later, their teams walk into audits with confidence and walk out with fewer findings.
That’s not an accident. It’s the result of the investment they’ve made in preparing their people. The audit team is happier. The process is more efficient. And the organization saves money through direct audit support, avoiding compliance gaps, and reducing late-stage corrections.
One CIP Program, One Team
NextEra’s internal motto says it best: One Team, One CIP Program.
Historically, many utilities approached NERC CIP with fragmented ownership. Generation had their CIP leads. Transmission had theirs. IT and OT rarely sat in the same room. But NextEra flipped that model. They treated NERC CIP not as a department’s responsibility, but as everyone’s.
That cultural shift matters. Because security doesn’t live in policy documents. Instead, it lives in the people and the decisions they make. And when everyone, from field techs to system architects to compliance analysts, understands the “why” behind the standards, you get better decisions.
You also get trust. Between teams. Between departments. Between the utility and the regulator.
Training That Inspires
I’ve taught ICS456 countless times, to hundreds of students. And every time I return to NextEra, I see something special: momentum.
There’s a hunger to learn more. A willingness to wrestle with hard questions. A genuine excitement for compliance—not because it’s easy or fun, but because it’s meaningful.
That’s probably the most rewarding part of all this: seeing people who used to say, “I don’t want to work in compliance,” now leaning in and asking, “How can I do more?” They’re recognizing that NERC CIP is not just a checkbox exercise, but that it can meaningfully impact grid reliability and security.
Final Thoughts: Leading by Example
Not every utility has the resources of NextEra. But every utility can learn from their example.
They went beyond checklists and spreadsheets. They asked bigger questions. They looked inward, at their people, their processes, their culture, and built a program that addressed their unique concerns. They made training a cornerstone, not an afterthought. They prioritized understanding over memorization, risk over scripted procedure, and continuous improvement over static compliance.
That’s what leadership looks like in this space.
I’m proud to have played a small part in their journey, and I’m even more excited to see where they take it next.
Because at the end of the day, protecting critical infrastructure isn’t just about passing an audit.
It's about forging a resilient, reliable future for the grid. NextEra's journey shows how dedicated training and innovative thinking can help forge that future. Their approach is not just a template for industry, but a roadmap for other leaders in this space.
Let's champion this mission together. Let’s transform compliance from a mere obligation into a transformative force that drives us toward a safer, stronger, and more secure tomorrow.