Governance-led efforts

UN R155 stipulates that vehicle OEMs must first demonstrate the basic capabilities of their cybersecurity systems and processes. Each vehicle model produced then requires a type approval showing that the specific product has specific implementations made in accordance with the requirements of the certified cybersecurity system and process. However, many vehicle OEMs have adopted the opposite approach: the regulations and standards themselves are used as the cybersecurity requirements of an individual project, so that the project's work products can then serve as evidence of compliance across the whole enterprise.

The BSIMM12 report notes that companies have two paths to achieve a mature security system. One is to construct a security system from top to bottom through compliance requirements. The other is to improve security capabilities through the engineering team.

Because BSIMM is a descriptive model, it describes and compares these two approaches but it doesn’t evaluate the pros and cons of them. Organizations that choose a governance-led approach usually start by defining a software security initiative, which is an organization-wide program to instill, measure, manage, and evolve software security activities in a coordinated fashion. The leader of such an initiative first establishes a centralized team structure. This might not involve immediately hiring employees, but it may be necessary to form a full-time team to implement key activities to support the further definition and institutionalization of software security-related policies, standards, and procedures at the organizational level.

The BSIMM12 report defines three key security activities.

Policy: Create policy

Standards: Create security standards

Process: Publish process and evolve as necessary

However, in the current organizational structure of many automotive OEMs, security teams often come from engineering research and development teams, and they are not sufficiently empowered to implement security-related policies, standards, and procedures at the enterprise level. Further, it’s often the case that security groups don’t have adequate support and budget. Therefore, security teams should limit the focus of these key activities to a specific project, using the project budget.

BSIMM also observed that governance-led and emerging engineering-led approaches to software security improvement embody different perspectives on risk management that might not correlate. Governance-led groups often focus on rules, gates, and compliance, while emerging engineering-led efforts usually focus on feature velocity, error avoidance through automation, and software resilience.

Success does not require identical viewpoints, but collectively the viewpoints need to converge in order to keep the firm safe. That means the teams must collaborate on risk management concerns to build on their strengths and minimize their weaknesses. Although many automotive OEMs construct their cybersecurity systems through engineering projects, this approach still requires the security group to understand the overall framework. So it’s vital that the security team gets sufficient support within the enterprise, not just limited to specific projects.