Security is more than a regulatory-driven necessity for utilities; it has become a business imperative. Most utilities can no longer operate effectively or efficiently without internet of things (IoT) technology, and recent events in Ukraine have shown that large-scale attacks against power grids can succeed. Beginning July 1, 2016, utilities must comply with NERC's Critical Infrastructure Protection (CIP) standards, version 6, which carry an expanded scope and a stronger emphasis on security than previous NERC CIP regimes. Most U.S. utilities already have a relatively high level of cybersecurity awareness and sophistication compared to other industries, but some weak spots are common across the sector. To respond effectively to ever-shifting cyber threats and vulnerabilities, utilities must adopt a risk-based security approach that goes beyond regulatory compliance. This paper recommends an integrated utility security program that encompasses physical and digital security technology, staffing and training, leadership support, cross-departmental collaboration and cross-sector coordination.