Importance of Integrating a Robust Cybersecurity Culture within the Cybersecurity Management System (CSMS)

Published on Jul 08, 2024

A robust cybersecurity culture is essential to an effective Cybersecurity Management System (CSMS). It integrates security awareness and best practices across all stages of the vehicle lifecycle, so that everyone involved treats security as a priority rather than an afterthought. This approach not only protects against evolving threats but also ingrains a proactive security mindset, making vehicles more resilient against cyberattacks. ISO/SAE 21434 states three requirements for cybersecurity culture in Clause 5: [RQ-05-06] fostering and maintaining a strong cybersecurity culture, [RQ-05-07] ensuring that persons assigned cybersecurity roles have the necessary competencies and awareness, and [RQ-05-08] instituting a continuous improvement process. We will explore each of these requirements in detail.

Weak vs Strong Cybersecurity Culture

As stated in [RQ-05-06], the organization shall foster and maintain a strong cybersecurity culture. The standard provides examples of both strong and weak cybersecurity cultures (Annex B), and you can treat the list below as a checklist for establishing what is already implemented in your organization. Be careful here: a practice that is written down as a rule is not necessarily followed in day-to-day work, and the gap between the two is exactly what an assessor will probe. That is why this part of Clause 5 deserves close attention, both to demonstrate to auditors that the organization follows its own rules and to lead by example. Below you will find a few of the weak vs strong practices the standard lists.

Examples indicative of a weak cybersecurity culture vs examples indicative of a strong cybersecurity culture:

  • Weak: The responsibility for decisions related to cybersecurity lacks clear traceability.
    Strong: The process ensures that accountability for decisions related to cybersecurity is clearly traceable.
  • Weak: Priority is given to performance, cost, or schedule over cybersecurity considerations.
    Strong: Ensuring cybersecurity and safety is of utmost priority.
  • Weak: The incentive structure prioritizes cost and schedule over cybersecurity.
    Strong: The reward system encourages and motivates effective cybersecurity practices, while penalizing those who compromise security by taking shortcuts.
  • Weak: Passive attitudes toward cybersecurity, such as relying heavily on testing only at the end of development; failing to proactively prepare for potential weaknesses or incidents in the field; and management responding to cybersecurity issues only when incidents occur in production or in the field, or when significant attention is drawn to them.
    Strong: Proactive attitudes toward cybersecurity, such as identifying and addressing cybersecurity issues from the earliest stages of the product life cycle (cybersecurity by design), and ensuring the organization is ready to respond quickly to vulnerabilities or incidents in the field.
  • Weak: Cybersecurity lacks the necessary resource allocation.
    Strong: Cybersecurity resources have been allocated appropriately, and skilled personnel possess the competence necessary for their assigned tasks.
  • Weak: There is a lack of systematic processes for continuous improvement, learning cycles, or capturing lessons learned.
    Strong: Continuous improvement is ingrained in all processes.

Assigning Responsibilities

According to [RQ-05-07], the organization shall ensure that persons to whom cybersecurity roles and responsibilities are assigned have the competencies and awareness to fulfill them. It is not enough to simply assign a responsibility to someone; assigning it to a person who lacks expertise in the field does not satisfy the requirement. Even well-versed individuals need multidisciplinary knowledge to grasp the broader context and provide effective guidance.

ISO/SAE 21434 recommends the following for a competence, awareness, and training program:

  • Organizational rules and processes regarding cybersecurity, including cybersecurity risk management;
  • Organizational rules and processes regarding disciplines related to cybersecurity, such as functional safety and privacy;
  • Domain knowledge;
  • Systems engineering;
  • Cybersecurity-related methods, tools, and guidelines; and/or
  • Known attack methods and cybersecurity controls.

While these suggestions are a good foundation, other methods can also build competence. Additional ways to improve competence include:

  • Learning through courses, earning certifications, and learning from other people in your group or company
  • Hands-on experience such as lab exercises, CTFs, competitions, and other practical projects
  • Keeping up to date with the latest threats, technologies, and trends
  • Soft skill development such as team building, critical thinking, and communication
  • Professional networking: meeting other experts in the field, exchanging ideas, and attending conferences

Continuous Improvement

As stated in [RQ-05-08], the organization shall institute and maintain a continuous improvement process. The following examples are presented in the standard:

  • Learning from previous experiences, including cybersecurity information gathered by cybersecurity monitoring and observation of internal and external cybersecurity-related information;
  • Learning from information related to cybersecurity regarding products of similar application in the field;
  • Deriving improvements to be applied during subsequent cybersecurity activities;
  • Communicating lessons learned about cybersecurity to the appropriate persons; and
  • Checking the adequacy of the organizational rules and processes in accordance with [RQ-05-02].

Even when a project is completed to a high standard, there is always room for improvement. For instance, a task may have been executed flawlessly but could have been completed more efficiently with better time management. The information used might also have been outdated, which points to the need to select better resources and to continuously monitor cybersecurity trends and field information. What we can do is learn from our mistakes and follow best practices. Peer review processes or external consultants can provide a fresh perspective and lead to more robust guidelines. Continuous improvement is essential and should be applied to all cybersecurity activities presented in ISO/SAE 21434.

Key Takeaways

Let’s take a look at some examples for each of the discussed requirements.

  • Strong Cybersecurity Culture: The company hosts a “Cybersecurity Awareness Month” each year with workshops and awards for good security practices. Regular emails keep everyone informed about security issues and new updates.
  • Competencies and Awareness: Employees in cybersecurity roles attend training sessions every three months to keep their skills up to date.
  • Continuous Improvement: The company reviews and updates its security rules twice a year based on new threats. Employees give feedback during monthly security meetings to improve these rules.

Conclusion

The three requirements in ISO/SAE 21434 Clause 5 discussed above are essential for establishing a robust cybersecurity culture. A strong cybersecurity culture is a key factor in good quality work and employee satisfaction. It is recommended to allocate time and appoint specific employees to review existing processes and guidelines, and potentially to conduct interviews, surveys, and a gap analysis against the requirements. A healthy cybersecurity environment contributes to the overall prosperity of the organization.