Healing Digitization's Dark Passenger
Digitization has brought a host of cybersecurity challenges to auto manufacturers' processes and engineering culture. Preventive cybersecurity is the key to tackling these challenges and achieving a safe and secure transformation.
Embraced across the industry, digitization has rapidly transformed automotive engineering. Manufacturers welcomed the flexibility, cost savings and rapid product development provided by software-based engineering and the consumer-focused features enabled by online connectivity.
Digitization, however, carried a dark passenger, unleashing a host of cybersecurity threats on manufacturers who were unprepared for their new roles as software and internet companies.
Even as manufacturers have confronted these threats, progress has been hindered by radically differing development methodologies practised by traditional engineering teams and the digital newcomers. Agile practices have not mated well with the deliberate and careful processes established over years of manufacturing experience.
Systemic change can be difficult for OEMs, who risk repeating the quality failures encountered a decade ago with the onset of drive-by-wire systems. Toyota’s infamous unintended acceleration crisis remains a cautionary tale of how an organisation’s culture and values can be just as important as technical skills in producing safe and reliable products.
Prevention is better than cure, and cheaper
Just as a healthy diet and regular exercise reduce the likelihood of disease, some of the most effective cybersecurity controls are also preventive and reduce the likelihood that a product will develop vulnerabilities. These build a kind of cybersecurity fitness.
Policies and procedures that correctly prioritise, support and resource cybersecurity are all good examples of preventive measures - as are the development of cybersecurity capabilities through training, recruitment, and supplier engagement.
This is why the recently issued WP.29/UNR 155 cybersecurity regulation requires certification of an organisation's cybersecurity management maturity as a prerequisite to approval of specific vehicle types.
Prioritizing healthy cybersecurity
The caveat is that preventive measures are often implemented poorly. They take time to establish and mature, and it’s not always clear how to measure their effectiveness. Sadly, it’s sometimes easier to wait until an underlying issue becomes a serious problem, since at that point few will question the urgency and expense.
There is a strong temptation to focus on code review and penetration testing to detect and then remediate vulnerabilities. This is akin to waiting for surgical intervention for a disease that could have been prevented with healthier practices. Testing and review are of course essential activities, but without preventive measures, they are expensive and painful solutions to avoidable problems.
Of course, just as diet and exercise programs rarely survive in the long term without disciplined lifestyle changes, so cybersecurity must become a focus and an integral facet of an organisation’s values to ensure ongoing support and influence. To target support where it is needed most, such an organisational ‘lifestyle change’ requires ongoing monitoring of its effectiveness at every level of the organisation.
Data-driven cybersecurity fitness
Results can’t be achieved overnight. As with physical fitness, cybersecurity fitness requires a tailored program that starts from a clear understanding of current capabilities and works towards well-defined and measurable goals.
It is essential to measure the effectiveness of capabilities in reducing the frequency and severity of vulnerabilities. Equally vital is anticipating the potential damage of existing weaknesses and designing supplementary mitigations to protect against negative outcomes, even while building capabilities to reduce them.
It goes without saying that the success of such a program depends on understanding how an organisation's cybersecurity maturity influences product cybersecurity. A sophisticated model of organisational cybersecurity dynamics enables precise targeting of both preventive controls and product mitigations. It is a powerful tool in realizing the benefits of preventive cybersecurity and delivering healthy, cybersecure products.