Information Security Blog

What a BMW 328xi can teach you about Security Awareness Training


I (unfortunately) had to buy a new car this past month. I say unfortunately because it was a time-consuming project at a time when I was already over-taxed at work. I also say unfortunately because the reason I had to buy a new car was that I totaled my previous car, with my son in it – scary stuff. Fortunately, my son, I, and the folks in both other cars involved in the accident were not hurt.

During my search, one of the cars I decided to test drive was a BMW 3 Series. I had never driven a BMW, so I figured it was time to test the “Ultimate Driving Machine” moniker. After the test drive you could sum up my feelings in a single word: “underwhelmed”. My wife drove a Ford Contour in the late 90’s that, to my recollection, was as much or more of a “driving machine” as the BMW was.

A week later, a friend of mine who drives a 2010 BMW 328xi was incredulous when I compared his beloved car to a late 90’s Contour and insisted there must have been something wrong with the car I drove. He asked me if I had put the transmission in “Sport” mode (I had), which allows you to shift the car manually. A knowing smile spread across his lips. “Did you ever just leave it in the ‘tiptronic’ mode without shifting manually?” When I told him “No”, he tossed me his keys: “Let’s go!”

I now fully understand why it’s called the “Ultimate Driving Machine.” I was still smiling an hour later.

So what does this have to do with Security Awareness …

I am sure that BMW’s Global Sales Manager would expect EVERY salesperson to demonstrate the “Sport” driving mode to EVERY car buyer requesting a test drive (especially one who told the salesperson “I’m not that impressed” during the test drive). It would be interesting to know whether BMW’s sales training explicitly calls this out, or whether it is one of those things that is so obvious that nobody felt it was necessary to spell it out. I would also think that BMW would have put some “controls” in place to make sure this couldn’t happen (so that the tens of millions of dollars it spends each quarter on marketing aren’t wasted). Either they didn’t, or the controls are not effective.

Think about your environment. What information security controls do you assume that EVERY employee knows about? Which of the critical controls you have stressed to your employees have no mechanism in place to validate that they are actually working?

  • Are emails containing PII, PCI or HIPAA-protected data being sent to or from your clients?
  • Are access control “exceptions” being put in place on your firewalls, applications or identity management systems that don’t follow the normal approval process? If so, are they failing to be de-provisioned in a timely manner?
  • Are critical business applications being pushed into production without proper security testing?

I’ll bet your dollar against my new car that, in most organizations, the answer to these or similar (and equally troubling) questions is yes. Ten years of security auditing experience tells me that if you take the bet, I’ll be drinking the half cup of coffee I bought with your dollar in my new non-BMW car.

BMW’s lack of sales awareness training (and/or monitoring) cost them a $38K sale with me. What will your lack of Security Awareness Training (and/or monitoring) cost you?

About the Author:

John Verry (CISA, 27001 Certified Lead Auditor, CCSE, CRISC) is Pivot Point's resident "Security Sherpa". He is lucky enough to spend most of his day helping clients develop a road map to address security, compliance, and attestation requirements.
