The team at GlobalSign consistently monitors key industries, like the automotive industry, for trends and guidance regarding cybersecurity implementation. Recently Auto-ISAC published its Automotive Cybersecurity Best Practices, a high-level guidance document for the automotive industry on how to approach cybersecurity. The guidance was produced through the collaboration of over 50 automotive cybersecurity experts and demonstrates some of the newfound urgency in the industry to build better capabilities. I applaud the team behind the work for a quick deliverable, especially as group standards work is often a slow, circular and contentious process when it comes to building shared consensus and material.
Overall, the guidance leans heavily on existing guidelines from organizations like ISO and NIST, which is good in that it isn't attempting to reinvent the wheel. With that said, it does miss some opportunity to address the specifics of the auto industry. From an organizational standpoint, I believe there could be additional guidance on how to win executive buy-in in an industry generally unfamiliar with cybersecurity risk. This is why I have put together three tips to help you get that buy-in in the next section of this blog.
A Summary of the Automotive Cybersecurity Best Practices Guide
Before I get into what was missing from the guide, here's a high level review of what was included. As represented by the executive summary of the document, the best practices provide guidance for an organization in the following buckets.
- Security by design: principles for addressing cybersecurity during the product development process.
- Risk assessment and management: mitigates the potential impact of cybersecurity vulnerabilities by developing processes for identifying, categorizing, prioritizing and treating cybersecurity risks that could lead to safety and data security issues.
- Threat detection and protection: proactive cybersecurity through the detection of threats, vulnerabilities and incidents empowers automakers to mitigate the associated risk and consequences.
- Incident response: enables automakers to respond to a vehicle cyber incident in a reliable and expeditious manner.
- Collaboration and engagement with appropriate third parties: enhances cyber threat awareness and attack response.
- Governance: aligns a vehicle cybersecurity program to an organization’s broader mission and objectives.
- Awareness and training: training and awareness programs help cultivate a culture of security and reinforce vehicle cybersecurity responsibilities.
3 Tips on Gaining Executive Buy-In Around Cybersecurity
In order to get your board to buy in to automotive cybersecurity, you will need to ask and answer the three questions below when you meet with your board members. If we think of the Auto-ISAC guidance as the strategic "how", what is also required is better guidance on the financial and strategic "why" of a cybersecurity strategy. It will help if you structure your report around the Auto-ISAC buckets listed in the section above. Each should outline the risks and explain how you plan to mitigate them with the budget and extra resource you are asking for.
How Does What You Want Benefit the Business? – Be Honest and Quantitative.
You will need to start by being very clear about what you want and why you want it. For the board, everything comes down to investment and budget, so you will have to put in some work to explain how the extra resource is going to be valuable to the business.
If you want to speak their language, talk about what they could lose by not investing, what they could save by investing, and use examples from other companies to prove the value. While ROI calculations for cybersecurity investments are usually framed around avoided loss rather than new revenue, they are still essential for evaluating the options.
For example, when security researchers Charlie Miller and Chris Valasek demonstrated to a Wired reporter in 2015 that they could remotely take control of a Jeep Cherokee over its cellular connection, Fiat Chrysler recalled 1.4 million vehicles, which cost the company reputation, money and, of course, many engineering hours to fix the vulnerability.
In order to build a quantitative understanding, it will be essential to conduct a cybersecurity risk assessment that identifies assets, the real threats to them and their vulnerabilities, as well as the likelihood of a breach and its potential impact. You should look at what technologies are lacking, what resource is needed to address the risks, and whether confidential data is being transmitted safely inside the organization.
In this part you will need to explain the value of encryption and identity, and how the technical solutions you are looking to fund mitigate the risks identified in the assessment. In the ROI calculations it is important to include the additional dimensions of a solution, such as managing the system, staffing it and any operational overhead it introduces, not just the purchase price.
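To make the quantitative case concrete, here is a small Python risk register, added to this post as an illustration (it is not part of the original article or the Auto-ISAC guidance). Each risk gets a single loss expectancy (SLE) and an annual rate of occurrence (ARO), giving an annualized loss expectancy (ALE = SLE × ARO); each candidate control gets a one-off cost, an annual operating overhead and the fraction of each risk's ALE it removes; controls are then ranked by return on security investment (ROSI = (loss avoided − annual cost) / annual cost). Every figure, risk name and control name below is constructed for the example and is not real automotive loss data.

```python
"""Quantitative risk register and return on security investment (ROSI).

Added example, not from the original post. All figures are constructed for
illustration only; they are not real automotive loss data.

  ALE  = SLE * ARO                                  annualized loss expectancy
  ROSI = (ALE reduction - annual control cost) / annual control cost
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: cost of one occurrence (currency units)
    aro: float  # annual rate of occurrence: expected events per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy for this risk."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    capex: float         # one-off purchase / build cost
    annual_opex: float   # licences, staffing, operational overhead per year
    lifetime_years: int  # period over which the one-off cost is amortised
    # risk name -> fraction of that risk's ALE the control removes (0.0 .. 1.0)
    mitigation: dict[str, float] = field(default_factory=dict)

    @property
    def annual_cost(self) -> float:
        """Total annual cost, amortising the one-off spend over its lifetime."""
        return self.capex / self.lifetime_years + self.annual_opex


def ale_reduction(control: Control, risks: list[Risk]) -> float:
    """Annual loss avoided by a control, summed over every risk it mitigates."""
    return sum(r.ale * control.mitigation.get(r.name, 0.0) for r in risks)


def rosi(control: Control, risks: list[Risk]) -> float:
    """Return on security investment; > 0 means the control pays for itself."""
    cost = control.annual_cost
    if cost <= 0:
        raise ValueError("control must have a positive annual cost")
    return (ale_reduction(control, risks) - cost) / cost


def rank_controls(controls: list[Control], risks: list[Risk]) -> list[Control]:
    """Order candidate controls by ROSI, strongest business case first."""
    return sorted(controls, key=lambda c: rosi(c, risks), reverse=True)


def board_summary(controls: list[Control], risks: list[Risk]) -> list[tuple[str, float, float, float]]:
    """Rows of (control, annual cost, annual loss avoided, ROSI), best case first."""
    return [(c.name, c.annual_cost, ale_reduction(c, risks), rosi(c, risks))
            for c in rank_controls(controls, risks)]


# Constructed sample register: hypothetical risks and controls for an automaker.
RECALL, DATA_THEFT, RANSOMWARE = (
    "remote vehicle takeover leading to a fleet recall",
    "theft of telematics customer data",
    "ransomware on manufacturing IT",
)
RISKS = [
    Risk(RECALL, sle=20_000_000, aro=0.05),   # ALE 1,000,000
    Risk(DATA_THEFT, sle=3_000_000, aro=0.20),  # ALE   600,000
    Risk(RANSOMWARE, sle=2_500_000, aro=0.40),  # ALE 1,000,000
]
CONTROLS = [
    Control("code-signing PKI and authenticated OTA updates", capex=600_000,
            annual_opex=150_000, lifetime_years=5,
            mitigation={RECALL: 0.6, DATA_THEFT: 0.1}),
    Control("ECU firmware fuzzing and penetration testing programme", capex=100_000,
            annual_opex=400_000, lifetime_years=5,
            mitigation={RECALL: 0.5}),
    Control("plant network segmentation and offline backups", capex=300_000,
            annual_opex=100_000, lifetime_years=3,
            mitigation={RANSOMWARE: 0.7}),
]

if __name__ == "__main__":
    print(f"Total ALE across register: {sum(r.ale for r in RISKS):,.0f}")
    for name, cost, avoided, r in board_summary(CONTROLS, RISKS):
        print(f"{name:<55} cost {cost:>10,.0f}  avoids {avoided:>10,.0f}  ROSI {r:>5.2f}")
```

Running it ranks the segmentation and backup work first (ROSI 2.5), the update PKI second (about 1.44) and the testing programme last (about 0.19), which is the kind of ordering a board can act on. Note that the amortised one-off cost and the recurring operating overhead are both in the denominator, so a cheap appliance with a large staffing burden does not look artificially attractive.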
Which Regulations and Compliance Requirements Do You Need to Abide By?
Every company and industry has a set of regulations and compliance requirements it needs to adhere to. We have already looked at the Auto-ISAC guidelines in this post, but what about the standards and frameworks published by ISO and NIST, or regulations like GDPR? Many regulations come with heavy fines for non-compliance, and this is something to bring up with the board. GDPR, for example, allows fines of up to 4% of a company’s total worldwide annual turnover or €20 million, whichever is higher.
Doing your research and coming prepared with a clear picture of the applicable regulations will really help when it comes to swaying the board.
While some industries and areas are not as heavily regulated, they will still have guidelines written to protect your customers and your organization. The key is to bring everything back to risk and revenue when talking to the board. The following is a list of business impact areas in which a cybersecurity risk can be expressed; refer back to them as much as possible:
- Business continuity.
- Cost of recovery, e.g. paying a ransomware demand.
- Brand and reputation damage.
- Data and IP loss or theft.
- Lost sales revenue.
- Downtime.
How Are You Going to Safeguard the Company's Future?
While your board will be focused on how attacks are prevented and risk is reduced, it is never a bad thing to talk about planning for disaster recovery as well. This is an area where the evolving instrument of cyber insurance may be worth considering.
One useful by-product of the cyber insurance process is that it forces you to think more broadly about your approach to cyber risk and response. When applying for cyber insurance, you will typically need to answer questions like these:
- What is your plan to respond to a data breach or other kind of incident? For this you will need a credible, documented incident response plan.
- Have you prepared responses that will be sent to the media, shareholders, lawyers, customers, law enforcement etc.?
- Do you have a security firm on retainer to help you with response?
- Have you tested the plan, either through a simulated incident or in a real one?
Once you have these baseline requirements in place, it is then a matter of researching the best company to handle your insurance and making sure cybersecurity stays at the forefront of your company culture.
Your board will see this insurance and safeguarding as what is needed to ensure that the company’s future is protected.
An automobile manufacturer can easily overlook cybersecurity because there is so much else involved, even at the stage where you are simply trying to get the board to invest. The thing to remember is not to scare the board with trendy vulnerability names or the latest technologies: simplify everything and put it in their language, the language of money.