Julian Horne, Partner at Miramar Global, in conversation with Josh Foster, formerly General Manager, Connected Vehicle Software at Garrett
Industrial manufacturing organisations are driving change utilising technology, often with multiple manufacturers involved in a supply chain to deliver a product to market. While collaboration creates innovation, concerns around cybersecurity and how to approach solutions to the perceived cybersecurity deficiencies are front of mind.
“Historically, specifically in automotive, I don’t think of traditional OEMs as cyber-focused companies. However, most manufacturers now have an element of cyber awareness and security in their product because many products are now aggregating data via a software platform, whether that is built into the product or effectively layered into an operating system,” says Josh Foster. He goes on: “There is a fundamental difference between a software product and an operating system. The product cannot work without an operating system and that is where the cybersecurity element traditionally lies. Some firms have bought the expertise in-house via acquisition, and some use a third-party supplier to support their product.”
For example, OEMs, Tier One manufacturers and software providers are usually all linked via APIs, but ultimately they remain separate products and services. This can make it complex to understand where responsibility lies, who has access to data, who is storing that data and so on. There isn’t a standardised solution out there, but it feels like firms are looking to change that.
As the industrial sector has innovated at speed, it faces the same consideration and challenge as other sectors that have experienced disruptive digitisation over relatively short periods of time: standardisation. The challenge is to take aggregated data from operating systems and, once it is delivered to the cloud, interpret and decipher that data in a meaningful way so that it becomes useful. Standardisation, while challenging in the short to medium term, would ultimately be the long-term goal for speed, efficiency and cost.
“Data is at its most vulnerable while it is in transit,” says Josh. “There is a requirement for the communications stream of information to flow across all parts of an operating system for the object, say a car, to work. But we are talking about going into the cloud and the piping of data. We need to look at the vulnerability of the data being communicated, as in this example, where we take data outside of the car.” Consumers now work on the assumption that the technology they are buying (in their car, laptop or phone) will, for the most part, keep their data safe. While this isn’t correct, it is the assumption a manufacturer knows the consumer is making. A significant roadblock in the cybersecurity development needed to support that consumer expectation is budget. Cybersecurity can be seen as having little tangible ROI by development teams within industrial tech, whose focus is taken up by consistently trying to develop technology stacks that outrun their competitors, because without the latest consumer technology, sales falter.
“Cybersecurity is really a software and budget problem,” continues Josh. “It has to sit as part of the budget allocation where the expectation is that ‘X’ percent of revenue is spent on cybersecurity. This would ensure it’s not only part of your strategic plan, it’s also invested in the right way. It would have to be, I believe, a targeted percentage of revenue and it’s a budget that you never cut. It’s something I don’t think industrial companies will ever get comfortable with.”
“We should also mention, one of the biggest issues across the whole industrial space, in my opinion, is the ability to access talent. We can’t compete in industrial with Google, Apple and other tech giants today. We don’t appear to be as interesting as companies to new talent. To attract great cyber talent, you probably have to pay them a bit more than top software talent because software is sexier. It’s more fun and visually rewarding than working on cybersecurity. Cyber is almost like being in quality assurance or quality testing and lacks the same level of visibility within an organisation. Very few people want to do that, so it can end up being either junior developers or developers who didn’t develop enough to truly write code. Some large industrial companies are also artificially constrained by salary bands that don’t necessarily fit the software talent requirements we have in industrial today. We must understand that cybersecurity is part of brand reputation and reputational risk. A lot of companies just view it as a necessary evil. We are competing for teams and talent, and we need to rethink our approach to enable the industry to attract that top tier of talent.”