Sajay Rai: Companies must protect their "crown jewels."
Ernst & Young's (ey.com) latest survey on global information security, released this month, shows that IT experts are more concerned about the security required to comply with the Sarbanes-Oxley Act of 2002 and similar European rules than they are with the many viruses and worms that can affect computer systems.
Sajay Rai, 46, a partner with Ernst & Young's Technology & Security Risk Solutions Practice and Global Automotive Center in suburban Detroit, says the survey included responses from IT executives at 33 companies, including automakers and suppliers.
Rai discussed security concerns with Special Correspondent Dale Buss.
What is the survey's message for the auto industry?
We found a widening gap between the pace at which the information-security risks are growing and the pace at which most of the organizations within the automotive world are handling those risks.
There are four major reasons (for that gap). The first is that (the auto industry) isn't regulated from an information-security perspective like the finance industry is. So over the past year, auto companies haven't kept up with their information-security investment the way that they should.
Usually, IT budgets are about 2 to 5 percent of overall revenues for companies, and the information security budget is from 5 to 10 percent of that total IT budget.
What we're seeing in the auto industry is that the percentage spent on information security is only 1 to 3 percent of the IT budget.
What else poses a security risk?
Growing global interdependency has a huge impact on autos. But in developing extended enterprises, your level of information security is only as good as your weakest link. If you're connected with many different vendor and business partners and strategic joint ventures, it's becoming very important for the auto industry to ensure that the proper (information-security) policies are in place.
Does that extend to greater supplier involvement with automakers' procedures as well?
Yes. As more suppliers get involved in manufacturing and more information is being shared in just-in-time processes, the interconnection is tremendous.
What are the other two risk factors?
Business demands are pushing the adoption of emergent technologies, which is putting enormous new burdens on information security. Use of devices like BlackBerrys, cell phones and PDAs is so pervasive that it's difficult to protect the data.
For the auto industry, the biggest problem is that (companies) haven't invested in managing their (intellectual-property) assets. They have to know what their crown jewels are and where they reside: on an executive's PDA or laptop?
They need to appropriately classify that information and protect it accordingly, with layers such as encryption.
The fourth aspect is that not enough auto companies approach information security strategically. Only a small percentage of information-security executives are involved in the overall risk decisions made within the organization.
Characterize the overall risk to the auto industry from those factors.
Much of it is risk to their R&D data. The other concern is privacy. Look at all the dealer and customer data at the finance arms of these big OEMs -- all that data that resides in their systems, and it's very possible that that information resides on assets that aren't protected.
From whom are we trying to keep this information?
Identity thieves who don't care if it's the auto industry or what it is; they want to break into the financing arm and get information. Or it can be a competitor who's trying to break in and get the R&D information for the newest hybrid.
What about technology solutions?
The key is not to buy technology just for the sake of it, until we know it will fix this business problem.