Goals for building blocks for cyber security
2023
september 27, 2023
The result of working with this tool is a plan in the form of a visual roadmap that fits the needs of the company regarding IoT cybersecurity. The roadmap is made through collaborative discussions focusing on the importance and timing of core tasks involved in cybersecurity for IoT.
The collaborative work anchors IoT cybersecurity in the company through a common language and a visual representation of the resulting planning-decisions that can be easily shared and used in meetings.
The core tasks are represented in the four building blocks for IoT cybersecurity.
This tool builds on knowledge of the four building blocks for IoT cybersecurity as acquired through the tool Building blocks for cybersecurity.
A roadmap provides peace of mind
Each of the four building blocks represents a task for furthering IoT security, and of course they interact and depend on each other.
In the perfect world, all building blocks would be developed in parallel, if needed. But this might not be possible in a busy day in the company. The rationale of the roadmap is that the building blocks need to be prioritized according to time and importance.
By prioritizing time and importance, the company can address the most important aspects of IoT cybersecurity in the present situation, while at the same time ensuring that the other building blocks will be dealt with in their right time.
The roadmap is a grid with two axes where the building blocks get represented by the company.
The roadmap template has two axes (see template below):
The roadmap template is divided into squares to invite the company to draw its own building block shapes by filling out connected squares. This might leave open spaces in the roadmap, but sometimes all squares will be filled out.
Based on the building blocks' importance and timing for the company, the company will decide on the form of each of the four building blocks. This will be done by filling out squares in the template to visualize the importance and extension in time of each building block in the roadmap. See the example of the completed roadmap below.
In the example, the building block ’Regulation and Standards’ has continued attention in the whole roadmap period, but this block also has low importance for the company. This is more like a continuous steady trickle.
In the first year, the focus is on developing the building block 'Alignment of business and security' and this block remains important as technologies keep on emerging and evolving.
In year 2 and onwards, there is also medium focus on 'Approach to security and risk' and in years 4 and 5 'Processes and organizational integration' becomes increasingly important.
The roadmap profile of this example company is business oriented IoT cybersecurity where cybersecurity is seen as important for the business model, and IoT security is always developed as a part of each new IoT product or service (Integrated IoT cybersecurity). At the same time, the company has awareness of the need for compliance with regulations, while working steadily to improve IoT cybersecurity practices and organizational integration.
Invite people whose knowledge represents as many aspects of the building blocks as possible, to avoid decisions being postponed to a later meeting. Plan for the meeting with a duration of approx. 2 hours, incl. a short break.
3-4 persons are the best group size for the initial roadmap discussions and planning. More people can be included later to verify, calibrate, and discuss the visual roadmap.
This guide is divided into three parts:
The whole group works collaboratively in the same roadmap during the meeting and uses their own copy for trials or notes or experimenting with the form of building blocks.
This entails deciding on the time horizon for the roadmap, incl. considerations of alignment with other planning horizons in the company such as strategy, customers, development projects etc.
When ready, write the time intervals on the X axis of the shared roadmap.
Based on the shared visual roadmap, assess the following points:
The collaborative work anchors IoT cybersecurity in the company by establishing a common language and a visualization of the resulting planning-decisions that can be easily shared and used in meetings. The holistic nature of the roadmap guides the consideration of the company’s IoT cybersecurity situational context as a whole – making room also for considerations on how the building blocks interact.
The result is a shared plan that potentially spans functions and managerial levels.
It becomes clear which building blocks to focus on as next steps, and the roadmap shows that everything does not have to happen at once.
While making the roadmap it becomes clear that the company 1) should not invest in all building blocks all the time, but rather focus on creating a progessive sequence of building blocks, and 2) should not become over-committeed to one of the four building blocks but keep the development of all four building blocks in mind.
Also the roadmap represents the company's own, individual way of working with IoT cybersecurity.
The technologies in IoT solutions and services keep on evolving which implies that a building block can never truly be finished. Even though a building block is not in focus in the roadmap, the building block still needs ongoing attention and incremental adjustments along the way.
Explicit measurement of the progression with the building blocks might be a sound addition to the existing quality system in the company.
The next step is to go ahead with the process decided on in the new roadmap. Creating change in perceptions and behaviour towards IoT cybersecurity is a learning process closely connected to a company’s real-life context and a collaborative learning process for everyone involved in the company.
The collaborative learning process can be structured and enlightened by the tailored collaborative change tool for IoT cybersecurity.
The contents described above have been developed in the project:
’CyPro – Cybersecure manufacturing in Denmark’ by Aarhus University, Alexandra Institut, DAMRC, UGLA Insights and FORCE Technology funded by The Danish Industry Foundation. Material from the project is published under licence CC BY-SA 4.0