A lesson from VW: Vendors, reputation is everything


Just caught up on the news: between some soccer player affair and the wonderful Rugby World Cup, my eyes landed on the VW scandal. OMG, they lied to customers and government agencies… Why am I not at all surprised?

Let me be clear, I have nothing against VW, it is a great brand with great products, but it is a company driven by profit, and so profit is its biggest interest, above ethics and other considerations. This is why governments and consumers need to be vigilant and force companies to act fairly. It is surprising that something like this comes out of a German vendor, since they are well-known everywhere for the quality of their products, but this simply shows how difficult it is to be sure about quality everywhere.

Whether it is a hackable entertainment system in your car that allows an attacker to take control of your brakes, or a rigged pollution result from your diesel car engine, all of this shows that quality and control are a mandatory requirement for every vendor of any kind.

There are some interesting outcomes in this story:

We should be skeptical about everything: the moment we lower our attention, here comes the problem, so in the end the more a vendor is under scrutiny, the better it is for the customers. Even a major brand can make mistakes; willingly or not, the vendor has to take full responsibility and put in place all possible effort to avoid similar accidents.

From a vendor's perspective, investing in quality is mandatory if they want to present themselves as a value-added player and not the cheap option. But quality is a complex issue that requires careful management of product, branding and communication.

(Image: Warren Buffett quote, "It takes 20 years to build a reputation and five minutes to ruin it. If you think about that…")

And the basic point is that once the damage is done, the recovery will be painful and hard, and it could burn all the profit made thanks to the cheat.

The same thing happens with security, and information security (which is my field) is no exception.

From a customer's point of view, security should be a basic requirement, not just an add-on. Likewise, for vendors security should be one of the core pillars, because it is strictly related to the quality of what a vendor does.

So let us consider a few things:

Was the VW affair something done without the knowledge of senior management?

If so (though at the moment I doubt it), this means that senior management was not putting in place the correct set of controls on quality. Quality should be a serious internal affair, and it means that you should know, check and control what the output of your systems is.

But to be able to check quality you should know exactly how to grade it, and what could come out of a non-compliance. So if your process needs to check the emission level of your engine, you should be sure this is checked, tested and somehow cross-referenced by external entities before the government agency checks it.

If you do so, you can be fairly confident that your results are consistent with your design, and you can think that a non-compliance could really be related to unpredictable events.

If you do not put in place something like that (and it is important, since it is a mandatory requirement from a specific market, well, a lot of markets actually) you are guilty, and you didn't do your job correctly.

You made mistakes because you did not correctly check the risks and the consequences. You made mistakes because you didn't put in place the correct chain of control; you made mistakes because you, basically, didn't do your job. There is no excuse for bad management: managers are paid to take risks and make decisions, so they are fully responsible. The fact that they do their job badly can't be a reason to be absolved.

Pity there will be casualties for these mistakes that will hurt working people, so do not think for a moment this is something that can be taken lightly. Every worker who will lose his job because of this should be put on those managers' shoulders.

Was the VW affair something done with the knowledge of senior management?

(Image: "Volkswagen scandal worsens" interview still)

Well, this is a completely different thing. Or not? Is being unable to do your job worse than willingly trying to scam customers and governments? Because this is what we are talking about.

If higher management knew this, it means that they were willingly trying to scam their customers to raise their sales while lowering costs. There is nothing bad in wanting to raise sales and lower costs, as long as you do it in a fair, ethical and legal way; not sure it can be justified if this is done against the law (the comment is sarcastic, for the ones that didn't get it).

So basically this means that management did this math (I know I am oversimplifying it):

cost without compliance =”X”

costs with compliance = “X+Y”

If we sell our product at "Z", our income will be "Z-X" if we are not compliant and "Z-(X+Y)" if we are compliant.

So we earn more with non-compliance.

Now I hope they at least tried to check the cost of being discovered and the % risk of being discovered; those two factors should be the point to analyze to decide whether the scam is worth trying or not.

So basically they should have corrected the math at least as:

cost without compliance = "X + (cost of being discovered * % risk of being discovered)"

Now the cost, apparently, will be as big as this year's revenue for the company (maybe more). This means that the cost of being discovered is almost Z, which rules out any chance of considering the scam worthwhile unless the % risk of being discovered is really small, and by really small I mean several digits below zero.

But this % couldn't be so small, since there were external controls, chemistry and physics working against them.

This means that they haven't been able to correctly evaluate the costs of non-compliance, and so they jeopardized their stream of revenue for nothing.

This basically means that:

  1. they were willing to scam
  2. they were fairly incompetent

So again this rules out any chance of being merciful, more for not being able to do their job, actually.

Is this an isolated case?

Although I would like to say yes, I think this is a common practice in industry, in any country and in any sector. Sometimes the cost of compliance is simply too high; sometimes management takes the risk of non-compliance knowing the eventual costs; most of the time they simply do not care because it is not in their targets (and we know that sales targets are quarter-based when we have a long-term vision, lol).

I am not talking here about honest mistakes; I am talking about willingly not being compliant, or not making all possible effort to carry out a serious, credible and reliable quality system.

Quality requirements could be mandatory (because of some law), or just best practice, or simply marketing claims, but respecting the quality baseline is always a serious matter that should be better evaluated.

The VW scandal teaches us that it is a priority for management to act in a correct way, because the cost of non-compliance can be devastating. And in the connected world we live in, the repercussions are global. Let me also claim social responsibility for a company: a scandal like this can affect the perception of an entire country.

Bright side: it happened in Germany, so when I talk with my German friends I will be able to say, come on, stop making fun of the FCA car hacking problem, you hacked the EPA…

One last comment: when will we start to admit that "clean" cars and combustion engines are still a long way off?


trust no one


A lesson from VW: Vendors, reputation is everything was originally published on The Puchi Herald Magazine

Time for enterprises to think about security, seriously


(Image: a map of Europe divided into countries, where EU member states are further divided by NUTS level 3 areas. The NUTS 3 areas are shaded green according to their GDP per capita in 2007 at current market prices in euros; darker green denotes higher GDP per capita and lighter green, lower GDP per capita. Photo credit: Wikipedia)

The EU directive on attacks against information systems gives us no more excuses not to deal with this seriously.

Under the new rules, illegal access, system interference or interception constitute criminal offences across the EU. But while the legislator is working to create tools to address cybercrime as a whole-system problem that is affecting the EU economy, what are enterprises doing on their side?

The problem is that if enterprises do not align their cyber security defence to the correct approach, every piece of legislation will be useless, because the target will always be too easy.

It makes absolutely no sense to start a security system while internally you use Internet Explorer 8 and Windows 7 as the default OS. It makes absolutely no sense to rely on firewalls and IPS/IDS inside without implementing a correct SIEM infrastructure.

It makes absolutely no sense to try to protect intellectual property if we do not add a correct DLP system, which also means having categorization and processes.

It makes absolutely no sense to beg for security if our Windows environment is poorly designed.

It is time to change our security approach from an annoying task to a foundation of our systems. We do not discuss the need for a CFO and for risk analysis related to finance; why is it so hard to do the same for information and cyber security (let me add privacy too)?

The CSO role, and the DPO one, should be at the heart of every board, like the CFO, HR and the other company roles.

Alas, CSO and DPO need a high level of independence, since their roles themselves need to be a source of control and guidance for the entire company (no more, no less than a CFO). And both roles are not "IT geek guy stuff", since they require specific knowledge that goes beyond the IT implementation.

Alas, if architectural roles are still a minority in the IT world, we can imagine how hard it could be to find those other figures, who require the ability to see security inside the business and to deal with a wide range of interfaces, not necessarily technical ones.

This is a wide problem that covers all sectors of industry. There is no longer an area that can be safe from IT implications. The Jeep car hack is just another example of how serious the question is.

A correct cyber and information security approach should take into account:

  1. how we protect ourselves from external threats
  2. how we internally implement a security-aware process to deal with the valuable information we process
  3. how we implement a security-aware production process
  4. how we contribute to the progress of cyber and information safety in our environment and ecosystem.

It does not matter who we are or what we do: those 4 points can't be avoided anymore.

And they can't be managed as a geek itch to be scratched.

  1. how we protect ourselves from external threats

Point one is historically the first implemented, but also one of the worst nightmares.

Security is usually seen as a series of patches to be put on the system after the design, and usually this is done by adding a "firewall" or a "next generation firewall" or some other marketing-driven technology, without considering that any insertion is useless if not seen within a serious context and design.

And the design starts with the simplest questions:

  • what do I want to do with my IT?
  • what is the value of IT for my business?
  • what are the implications of the IT process in our processes?

Budget and design should follow accordingly.

But design can't avoid simple facts such as:

things need to be patched and upgraded to maintain a minimum baseline of efficiency and security;

processes should be designed according to the technology, the people and the business.

If you don't do this, you keep having people surprised by the end of support of old Windows versions and using Internet Explorer 8 browsers just for "compatibility issues".

If you did this to prove you do not understand anything about IT, you did a good job; otherwise, well, we have a problem.

2. how we internally implement a security-aware process to deal with the valuable information we process

We can implement whatever we want, but if we do not have a clear picture of what we are going to protect and why, all the design is useless.

I wrote in the past about how hard it is to understand what the value in our data is and where it is. Still, so many people do not consider that most of the intellectual property of our company is in our email servers or PST files, or that names, addresses and emails have a value for the criminal cyberworld even if we do not value them…

Internal processes are usually badly designed because they do not take into account what needs to be protected, and:

  • resources
  • people
  • training
  • controls
  • metrics

And of course the most important requirement of all: KISS implementation (Keep It Simple, Stupid).

Having more than 1000 processes in place is not a good thing; it is a nightmare.

3. how we implement a security-aware production process

No matter whether we write code, make hardware or do paperwork, how secure is our work? How can we be sure the components we are using do what we want and have not been tampered with? If we write code, how can we be sure we write good, secure code? If we make cars, how can we be sure that our entertainment system could not allow someone to take control of the car's brakes?

It is all the same: we need to implement security in our production process. This means being able to set up controls and metrics (again) that span the whole production line and also involve those who provide us with services or parts.

Is our financial broker a secure interface? Can we trust those derivatives? Can I trust this code?… It is all about security.

If we deliver anything to anyone, HW, SW or a service of any kind, we have a production system that needs to be secured. Sometimes the law helps us by putting references in place; sometimes it is our job to create those references.

But if we can't provide a trustworthy production system, why should the customer trust us?

It is not only IT, it is security; IT is just a part of the equation.

4. how we contribute to the progress of cyber and information safety in our environment and ecosystem.

And we can't be secure in an insecure world; we are all players in an interconnected world. We can't think of security in the financial system without the collaboration of all players (banks, governments, regulatory bodies); the same should hold for IT. But we are years behind, so it is time we take our part of the responsibility and start collaborating to make the environment safer.

Kicking out the bad things is a long, never-ending process that requires a lot of effort from everyone; all the players should be in charge of a part of the responsibility. If we are not secure we lower the overall security, so if a car can be hacked it is a danger for all the other cars on the streets; in the same way, if enterprises do not take this seriously they are a danger for all the rest.

Collaborating, exchanging ideas, listening and learning: there are a lot of different ways to do so.

Activities like the ENISA EU Cyber Security Month, which will be held in October, are a great moment to think about security and related issues.

Just look at the weekly topics:

  • Week 1: Cyber Security Training for Employees
  • Week 2: Creating a Culture of Cyber Security at Work
  • Week 3: Code Week for All
  • Week 4: Understanding Cloud Solutions for All
  • Week 5: Digital Single Market for All

This is what I am talking about. I strongly suggest that you all participate as citizens, companies, public entities. There is much to learn, much to do; it's time.

cheers


Time for enterprises to think about security, seriously was originally published on The Puchi Herald Magazine