Julian Horne, Partner at Miramar Global, in conversation with Josh Foster, formerly General Manager, Connected Vehicle Software, at Garrett
Cybersecurity is front and centre of every manufacturing company’s marketing and public messaging, as it is for every company that creates, collates, views, stores, sells or buys data. But have we lost sight of where the true value of cybersecurity lies and, within specific sectors like industrial development, of its true value to the bottom line? There are two very defined sides to cybersecurity: the same skill set is required whether you are protecting against the breach or creating the breach. The question is which side the most talented individuals choose to sit on.
One major challenge is that industrial companies have yet to understand what needs to change for them to have access to, or hire, the best talent in this sector. We no longer work in a world where people necessarily want to work within the constraints of large global organisations when they might have other options. Although hacking might not give you a pension fund or help build your CV, there is a genuine appeal for young people coming out of university in spending some time on the ‘wrong’ side of the coin, as it’s an opportunity to learn very quickly and with no constraints. “There is then maybe Tesla, who will sponsor a competition to see who can hack their software, and they’ll pay big bounties, big money to see what the vulnerabilities of their software are. It’s actually an opportunity to be entrepreneurial coming out of university, making significantly above market rate given your skill set to do something that’s fun. For a lot of people that’s sexy, they can say, ‘Hey, I’m top of the totem pole’; I went at this corporation that has hundreds of thousands of people working for it and I found something that they couldn’t find on their own. Would you rather do that or work for a large industrial manufacturer for less money and more structure?” Josh poses a valid question.
“The direction of travel seems to be that the most effective way for businesses, for industrial organisations to do cyber today, is to outsource it. If they’re all using outsourced options, they’re all contributing to the extremely high cost of getting this problem over the line. But you think software moves fast? Think about how fast hackers are moving and how fast you need to move from a cybersecurity standpoint. You just can’t move fast enough. The cost will just continue to increase.”
The rate of cyber breaches against industrial development organisations is probably, as a percentage compared with other industries, quite low. Hackers target and aim to breach organisations where there is defined data that they can monetise. Data only has value to a hacker if it can be manipulated to give it a saleable value. That isn’t the case in industrial development, where the only value is to competitors who are likely developing the same kind of systems in house or already using the same third-party outsourcers. The real value comes with personal data. “It’s more personal, isn’t it?” says Josh. “What’s somebody going to do with that personal information, hacked from the data that your new car operating system has not kept secure? Hacking is all about monetisation and you tend to get better, your best leverage, your best scale from large amounts of personal data. That is where industrial technology should be spending its development budget. If your operating system stores data in a warehouse with millions or hundreds of millions of people, that’s the scary part and the hacker’s dream.”
Industrial firms need to think strategically and consider cybersecurity development as part of their budgeted business plan. There are options: M&A, partnerships, in-house development or third-party vendor solutions. Ultimately, lots of companies in the industrial sector have invested a lot of budget and are still without a solution, mainly because the goalposts keep moving and the cybersecurity landscape keeps developing. But sitting and waiting for someone else to find the solution doesn’t work either. The industrial sector hasn’t found the solution, but ultimately, without government intervention, will it ever? For every new piece of code written to protect against a cyber breach, there is a hacker creating new code too.