By Karen Andersen
September 24, 2018
In auto dealerships, showrooms, car lots and implement dealerships, there is a constant flurry of activity amidst the smell of car wax, the gleaming smooth finishes, and all the latest models. As you approach the service area, the sound of impact wrenches and the scent of grease, motor oil, and all things mechanical become apparent. One area that can easily get overlooked is cybersecurity.
In today's world of instant communications, connected devices, Wi-Fi in cars, infotainment consoles, and a whole world of financial and consumer information, cybersecurity plays an important role. Don't forget to consider the existing cache of paper documents that contain customer financial data. To help emphasize the need for strong security practices and awareness, Eide Bailly has been partnering with dealerships to provide insight on this crucial topic.
When building anything, it’s important to start with a solid foundation. The same principle holds true for cybersecurity. Leaders need to be on board, have an understanding of what needs to be protected, and align cybersecurity to business objectives. The creation of a cybersecurity steering committee is one of the services we have developed to help dealerships build a strong foundation. The first steps include creating a charter and a mission statement. Subsequent steps include determining who has a seat at the steering committee table, defining authority, reaching consensus as a team, and defining roles and responsibilities. The mission should also align information security strategy to business objectives.
When to Bring In an Advisor
Most organizations realize there is some sort of responsibility regarding information security, but do not know what best practices look like. What data is considered critical? Which targets may be enticing to a hacker? Do employees know how to spot potential threats? Are employees themselves potential threats? Cybersecurity can seem overwhelming and too technical for business leaders to discuss, which is all the more reason to have someone help you make sense of this complex topic.
By realizing that cybersecurity is not solely an IT problem but requires the input of the business, the focus starts to shift. The formulation of an Information Security Steering Committee engages technical leadership with the business. Leaders outside of IT start to recognize they have an impact on shaping the security objectives and ensuring the solutions are workable. Key decision makers then realize they are able to determine priority on how to support business objectives instead of simply relying on IT to solve problems after the fact.
A successful security steering committee also fosters collaboration by building a common understanding and agreed-upon objectives. At the beginning of a business, there is an entrepreneurial feel, and employees may fill a multitude of roles. As a business grows, opens up more stores and hires more employees, roles and responsibilities may not be clearly defined. Are your IT resources focused on strategy and aligning to business objectives, or are they stuck in reactive mode because they are known for problem solving, with functional users calling on them to resolve minor but frequent incidents?
By shifting leadership focus to technical strategy and away from reactive mode, the security posture of the environment is able to mature. A collective decision on what matters to the business overall becomes the goal. Other areas of the business also realize they have a responsibility to ensure information security is part of each area of the dealership. Lastly, functional areas are the end customer and recipient of technical solutions, so it makes sense to include their insights when developing successful solutions. You have defined objectives for the growth of your business, so it’s important to align your technical strategy to support and grow with you.
Real Life Application
Eide Bailly worked with a large auto dealership that had more than 25 stores. Like many businesses, it started small and added employees as the business grew. People wore many hats and were mostly operating in response mode. The business was family-owned, and as it grew, additional family members became leaders. Stores were divided across family members, and each member approached their dealerships in their own way. This created a culture of disparate processes and behaviors, and because they were family members, it was challenging to get issues raised to a level that could be acknowledged.
To help solve these issues, we worked with leadership to formulate an information security steering committee. Challenges were collectively discussed, assigned skillsets were reviewed, and it became obvious that changes were needed to support the growth of the business. Compliance became easier as consistency was applied, and key decision-making power was reined in once a consensus was obtained. Initial conversations were tough, but as we continued, and individuals had the chance to reflect on proposed changes, anxiety started to change to relief and a sense of support. Responsibilities were redefined and positioned to be proactive rather than reactive, and efforts became collective, rather than the entire weight being placed on IT.
Bringing in experienced consultants to help navigate the conversation can address some of the tougher operational challenges by bringing them out into the open. Asking these tough questions is less risky for a consultant, who comes in as an outsider. Lastly, as trusted advisors, we bring the necessary expertise to the table to create the foundation needed to grow the business.
Contact your local Eide Bailly professional or a member of our Cybersecurity team to start making strides today.