I (unfortunately) had to buy a new car this past month. I say unfortunately because it was a time-consuming project at a time when I was already overtaxed at work. I also say unfortunately because the reason I had to buy a new car was that I totaled my previous car, with my son in the car – scary stuff. Fortunately, my son, I, and the folks in both other cars involved in the accident were not hurt.
During my search, one of the cars I decided to test drive was a BMW 3 Series. I had never driven a BMW, so I figured it was time to test the “Ultimate Driving Machine” moniker. After the test drive you could sum up my feelings in a single word: “underwhelmed”. My wife drove a Ford Contour in the late ’90s that, to my recollection, was as much or more a “driving machine” as the BMW was.
A week later a friend of mine who drives a 2010 BMW 328xi was incredulous when I compared his beloved car to a late-’90s Contour and insisted there must have been something wrong with the car I drove. He asked me if I had put the transmission in “Sport” mode (I had), which allows you to shift the car manually. A knowing smile spread across his lips. “Did you ever just leave it in the ‘tiptronic’ mode without shifting manually?” When I told him “No”, he tossed me his keys: “Let’s go!”
I now fully understand why it’s called the “Ultimate Driving Machine.” I was still smiling an hour later.
So what does this have to do with Security Awareness …
I am sure that BMW’s Global Sales Manager would expect EVERY salesperson to demonstrate the “Sport” driving mode of their vehicles to EVERY car buyer requesting a test drive (especially one who told the salesperson “I’m not that impressed” during the test drive). It would be interesting to know whether BMW’s sales training explicitly calls this out, or whether it is one of those things that is so obvious nobody felt it was necessary to spell out. I would also expect BMW to have put some “controls” in place to make sure this couldn’t happen (so that the tens of millions of dollars it spends each quarter on marketing aren’t wasted). Either they didn’t, or the controls are not effective.
Think about your environment. What information security controls do you assume EVERY employee knows about? For which of the critical controls you have stressed to your employees do you have no mechanism in place to validate that they are actually working?
- Are emails containing PII, cardholder (PCI) data, or HIPAA-protected data being sent to or from your clients unencrypted?
- Are access control “exceptions” being put in place on your firewalls, applications, or identity management systems without following the normal approval process? If so, are they being de-provisioned in a timely manner once they are no longer needed?
- Are critical business applications being pushed into production without proper security testing?
I’ll bet your dollar against my new car that in most organizations the answer to these (or similar, and equally troubling) questions is yes. Ten years of security auditing experience tells me that if you take the bet, I’ll be drinking the half-cup of coffee I bought with your dollar in my new non-BMW car.
BMW’s lack of sales awareness training (and/or monitoring of whether that training is applied) cost them a $38K sale with me. What will your lack of security awareness training (and/or monitoring that validates your controls are followed) cost you?