Information Security Blog

What a BMW 328xi can teach you about Security Awareness Training


I (unfortunately) had to buy a new car this past month. I say unfortunately because it was a time-consuming project at a time when I was already over-taxed at work. I also say unfortunately because the reason I had to buy a new car was that I totaled my previous car, with my son in it – scary stuff. Fortunately, my son, I, and the people in the other two cars involved in the accident were not hurt.

During my search, one of the cars I decided to test drive was a BMW 3 Series. I had never driven a BMW, so I figured it was time to test the “Ultimate Driving Machine” moniker. After the test drive you could sum up my feelings in a single word: “underwhelmed”. My wife drove a Ford Contour in the late 90’s that, to my recollection, was as much or more of a “driving machine” as the BMW was.

A week later a friend of mine who drives a 2010 BMW 328xi was incredulous when I compared his beloved car to a late 90’s Contour, and insisted there must have been something wrong with the car I drove. He asked me if I had put the transmission in “Sport” mode (I had), which allows you to shift the car manually. A knowing smile spread across his lips. “Did you ever just leave it in ‘tiptronic’ mode without shifting manually?” When I told him “No”, he tossed me his keys: “Let’s go!”

I now fully understand why it’s called the “Ultimate Driving Machine.”  I was still smiling an hour later.

So what does this have to do with Security Awareness …

I am sure that BMW’s Global Sales Manager would expect that EVERY salesperson would demonstrate the “sport” driving mode of their vehicles to EVERY car buyer requesting a test drive (especially one who told the salesperson “I’m not that impressed” during the test drive). It would be interesting to know whether BMW’s Sales Training explicitly calls this out, or whether it is one of those things that is so obvious that nobody felt it was necessary to spell out. I would also think that BMW would have put some “controls” in place to make sure that this couldn’t happen (so that the tens of millions of dollars it spends each quarter on marketing aren’t wasted). Either they didn’t, or the controls are not effective.

Think about your environment. What information security controls do you assume that EVERY employee knows about? Which of the critical controls that you have stressed to your employees have no mechanism in place to validate that they are actually working?

  • Are emails containing PII, PCI or HIPAA-protected data being sent to or from your clients?
  • Are access control “exceptions” being put in place on your firewalls, applications or Identity Management systems without following the normal approval process? If so, are they being de-provisioned in a timely manner?
  • Are critical business applications being pushed into production without proper security testing?
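The post argues that a control you have merely told people about is not the same as a control you have validated. As an added example (not code from the original post), here is what a small validation check for the first two bullets could look like: a Luhn-filtered scan for card numbers and SSNs in outbound mail, and an audit of access-control exception records for missing approvals, missing expiry dates, and entries left active past their expiry. The record layout, field names, and all sample data are constructed for illustration; a real run would feed in exports from your mail gateway and firewall/IdM change system.

```python
"""Added example: two control-validation checks, not part of the original
post. Field names, record format and sample data are assumptions."""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# ---- Check 1: is PII / card data leaving in email? -------------------------
# 13-16 digits, optionally separated by spaces or dashes (e.g. "4111 1111 ...").
_CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# US SSN in the conventional 3-2-4 layout.
_SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out digit runs (order IDs, phone numbers) that
    merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> List[str]:
    """Return short, non-sensitive tags for each hit (type + last 4 digits)
    so the finding itself does not re-leak the data into a log."""
    hits = []
    for m in _CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append("card:" + digits[-4:])
    for m in _SSN_RE.finditer(text):
        hits.append("ssn:" + m.group()[-4:])
    return hits


# Constructed sample mail bodies (not real data).
SAMPLE_MAIL = [
    "Hi, the card on file is 4111 1111 1111 1111, SSN 123-45-6789. Thanks!",
    "Please call 555-867-5309 re: order 20110601 shipping status.",
]


# ---- Check 2: access-control exceptions that bypassed process --------------
@dataclass
class AccessException:
    rule_id: str
    system: str
    granted_on: date
    approval_ticket: Optional[str]   # None = no record of approval
    expires_on: Optional[date]       # None = nobody set a removal date
    active: bool


def audit_exceptions(records: List[AccessException], today: date,
                     max_age_days: int = 90) -> List[Tuple[str, str]]:
    """Flag active exceptions that lack an approval, lack an expiry, are past
    their expiry but still in force, or have simply been around too long."""
    findings = []
    for r in records:
        if not r.active:
            continue
        if not r.approval_ticket:
            findings.append((r.rule_id, "no approval record"))
        if r.expires_on is None:
            findings.append((r.rule_id, "no expiry set"))
        elif r.expires_on < today:
            findings.append((r.rule_id, "expired but still active"))
        if (today - r.granted_on).days > max_age_days:
            findings.append((r.rule_id, f"active longer than {max_age_days} days"))
    return findings


TODAY = date(2011, 6, 1)  # fixed "as of" date so the sample is reproducible
# Constructed sample exception register (not real rules or tickets).
SAMPLE_EXCEPTIONS = [
    AccessException("FW-101", "edge-firewall", date(2011, 1, 10), "CHG-4412",
                    date(2011, 2, 10), True),   # expired, still live, and stale
    AccessException("FW-102", "edge-firewall", date(2011, 5, 20), None,
                    date(2011, 6, 20), True),   # never went through approval
    AccessException("IDM-7", "idm", date(2011, 3, 1), "CHG-4500",
                    None, True),                # open-ended, and stale
    AccessException("APP-3", "billing-app", date(2011, 5, 25), "CHG-4600",
                    date(2011, 6, 25), False),  # already removed: ignored
]

if __name__ == "__main__":
    for body in SAMPLE_MAIL:
        print("mail:", find_pii(body) or "clean")
    for rule_id, issue in audit_exceptions(SAMPLE_EXCEPTIONS, TODAY):
        print(f"exception {rule_id}: {issue}")
```

Neither check is sophisticated, and that is the point: the question the post asks is not whether you have a clever control, but whether anything at all would tell you when the control you assume everyone follows is not being followed.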

I’ll bet your dollar against my new car that in most organizations the answer to these (or similar, and equally troubling) questions is yes. Ten years of security auditing experience tells me that if you take the bet, I’ll be drinking the half a cup of coffee I bought with your dollar in my new non-BMW car.

BMW’s lack of Sales Awareness Training (and/or Monitoring) cost them a $38K sale with me.  What will your lack of Security Awareness Training (and/or Monitoring) cost you?


About the Author:

John Verry (CISA, 27001 Certified Lead Auditor, CCSE, CRISC) is Pivot Point's resident "Security Sherpa". He is lucky enough to spend most of his day helping clients develop a road map to address security, compliance, and attestation requirements.
