Data Security Continues to Lag in the US Auto Industry

The 9/11 terrorist attacks in the United States triggered new security concerns through the American business community, including the U.S. auto industry. But four years later, results are mixed. Too many members of the auto industry’s extended enterprise continue to ignore perhaps their most critical security issue of all: business continuity.
True, new regulatory requirements such as Sarbanes-Oxley have focused attention on improving security for certain financial and operational data. But the law specifically excludes requirement that businesses take steps to ensure their own continuity in the event of a natural disaster or disruption in their own supply chain.
As a result, the auto supply chain today remains only as strong as its weakest link. That has always been true, of course. But it takes on new significance in today’s world of real-time data sharing. Data that once took weeks to seep through the supply chain now arrives literally within nanoseconds. Speed enhances competitiveness. Yet it also means that one company’s exemplary security can be instantly compromised by a supplier or partner that lacks the same level of preparedness. The potential for havoc to rush through the supply chain has never been greater.
Unfortunately, the auto industry remains ill-prepared for such a disaster with a Band-Aid approach of plant- or division-level policies that aren’t integrated by an overall strategic vision. Instead of big-picture plans that might include a three-year program to implement a good identity management solution, companies are preoccupied with immediate regulatory demands. Too often they settle for simple, manual procedures and put the need for an integrated security plan on the shelf.
How did this happen and why does it persist? We at Ernst & Young see two forces that hamper investments in security and, in some cases, focus the limited remaining funds in some areas at the expense of others.
Cost-cutting pressures are the first roadblock to security initiatives. Many companies have delayed or simply postponed general security enhancements. No one expects this pressure to lessen anytime soon. However, ignoring security now threatens to let companies slip further behind as the nature of security threats becomes more sophisticated and potentially dangerous.
The second powerful influence on security initiatives is Sarbanes-Oxley—especially section 404, which deals with internal controls over financial reporting. This section tells companies where their data security must be strong to satisfy compliance requirements, and companies have scrambled to meet those requirements. But achieving the needs of 404 compliance addresses only part of a company’s true security exposure.
There’s also a continuing tendency to focus too heavily upon the technological side of data security. Companies must recognize that security isn’t a matter of technology. It’s a business issue. Many companies are probably spending a large percentage of their security dollars in the wrong places, and that should be addressed first. Companies often can realize tremendous improvements in security by retooling policies and procedures and by training employees how to be more alert to security.
Putting systems in place to recover data and make it available to keep key assets operating normally is a fine objective. Most companies do a good job in this area. Where they are woefully lacking is in the broader issue of business continuity. A company cannot benefit from being able to supply a plant with data if the plant can’t produce because its supply lines have been cut and can’t ship products because highways have been blocked by a natural disaster. Larger companies stand a better chance of surviving big disasters such as a Hurricane Katrina. But studies indicate that 30%-50% of small businesses never recover from such devastation. They merely fade away because they have no plan for continuity.
The question of business continuity is a much broader subject than IT and the job description of the chief information officer. Traditionally, the CIO has been in charge of the company’s disaster recovery, at least as far as IT goes. The CIO’s power peaked during the e-biz area, but it has significantly changed with the arrival of Sarbanes-Oxley. Thanks to the law’s compliance demands, responsibility for IT security have shifted from the CIO to the chief financial officer. The CIO now focuses upon fine-tuning IT operations to support the business. Frequently the priority is to get things done quickly—even if it means adopting manual security procedures that may be bypassed in the heat of doing business.
In the meantime, very few companies have an executive who “owns” business continuity. In our view, that executive should be the chief operating officer or perhaps a specially assigned corporate “risk officer”—someone with the power, mandate and vision to integrate disaster planning and security programs across multiple plants, operations and divisions.
Having someone in charge of continuity is important. But so is the ability to answer a fundament question that most companies in the auto industry can’t: Where are the corporate crown jewels? It isn’t difficult to pinpoint the physical location of critical hard assets such as plants and machinery. But what about financial, planning, design and operational data? Certainly it’s in the company’s mainframe computers. But how much of it has been copied into employee laptops, e-mailed to suppliers or transferred into the databanks of partners?
In our experience, very few auto industry companies truly know where all their crown jewels are. Why not? Because they don’t have a good asset management program. Without one, no company can make good decisions about what to protect, let alone how to go about it. Effective enterprise risk management requires that you know where your assets are, have a program in place to maintain business continuity and establish adequate protection for the company’s crown jewels.