Last year, security systems vendor F-Secure tested the security of some of today's increasingly IT-loaded cars. Toyota's petrol and electric-engine hybrid, the Prius, which contains more electronics than some departmental servers, passed the test with flying colours. Now Richard Cross, Toyota Europe's chief security officer (CSO), is working to create the same level of confidence in the IT systems of the company that built it.
Cross isn't shy about admitting how difficult it is to guarantee the systems and data security of the modern enterprise. At the moment at Toyota, as at most other companies, the IT security story "is about moving from immaturity to developing maturity," says Cross. "It's a journey, and it isn't finished yet."
The starting point, for Cross and for Toyota, will be familiar to many other CSOs. "When I started at Toyota I was the first security manager," said Cross – and it showed. "We had some firewalls and some old intrusion detection systems, but they weren't deployed in any concerted way," he remembers. There was no centrally coordinated security plan, and those measures that were in place were dedicated to specific systems, distributed through the organisation in unconnected and uncoordinated silos.
Worse still, "risks weren't associated with countermeasures; we had no way of knowing whether we were spending too much or too little; there was no way of measuring any virtuous benefits; and there was no history of security problems or issues," says Cross. And because of this, "the bottom line was that effectiveness for security generally just could not be relied upon."
Since then, Cross's challenge has been to replace a weak security culture with a strong security management ethic, one which more accurately reflects Toyota's overall commitment to best process and management. It has not always been easy. At Toyota, as at many businesses operating in a competitive global market, security is often seen as an inconvenience – a constraint on business development and, not uncommonly, someone else's problem.
However, there were existing management values for Cross to build on. Of these, perhaps the most important is Toyota's total commitment to quality and to constant process improvement. "Security is like quality," says Cross – it demands a deep commitment to planned goals and unwavering attention to detail.
It also requires that people take nothing for granted, and that they constantly reflect on how things can be done better. At Toyota, "this idea of improving everything that we do is [drummed] into you. It's an instinct, a reflex," says Cross. And when applied to security, it requires that everyone takes responsibility for ensuring that best security practices are established and observed.
This is not to say that Cross's pursuit of a strong IT security management system at Toyota Europe has not involved investment in technical solutions. Since assuming his role, Cross has evaluated a raft of different systems from different vendors, and considers that the decision last year to invest in IPS (intrusion prevention system) technology has probably made the single biggest impact on Toyota's IT security.
However, he warns, organisations should beware of relying on systems vendors or other third parties to resolve their security issues. "There are no silver bullets," he says. Those who fall into the trap of trying to fix specific security issues with specific tools will not be successful.
"I think in our business buying [IT security] tools is like squashing ants [one at a time]. I'm constantly tempted to go out and buy solutions, but in actual fact, changing processes and changing the culture of the organisation is about hunting elephants – harder to do, but a good deal more productive."