Enterprises that develop products with embedded software have some overlap with traditional IT, but need to be analyzed differently.
For one, traditional IT security solutions do not scale well. It is not possible to just take ISO 27001, use your normal ISMS, or deploy a firewall and antivirus and assume your security will do what you (really) need. The same is true for the promises about AI, blockchain and other magic solutions that claim to solve all the security demands you have.
More and more, embedded products are connected and offer a growing attack surface. A chain is only as strong as its weakest link, and an attacker will find that weakest link. There is no point having really strong, expensive (and cumbersome) security in one place if right next to it everything is held together with string.
It is important to look at the whole chain – and its environment – and detect weaknesses and strengths. I contribute most value by helping you get a view of the whole chain: Development, production, and service throughout the product’s lifetime. Only when you see security as a whole chain are you in a position to take the right decisions.
As a small business, I have a laser-sharp focus on working with your personnel to determine the desired level of security. I bring in my experience to analyze and document your current security strengths and weaknesses. If you already have a security team, I like to collaborate. Otherwise, I can work with security-minded employees or educate interested ones. The goal is to empower your employees to optimise security so your business does not needlessly lose money or reputation.
Depending on your requirements, I can analyze an existing product, fix a concrete incident, or help plan a new project with security in mind from the beginning. My favourite is getting your overall security level for embedded products in shape.
The first step is always a clear breakdown of your true security requirements, done together with product management and engineering. Depending on our findings, we might continue with training for software engineers, with a precise risk and threat analysis, with building an incident management process, or with issuing new guidelines for development. Whatever the next step is for you.
To help you succeed with embedded products, I offer the relevant combination of:
Risk analysis
Analyze the whole chain
Threat analysis
Implementation of security in a new project
An analysis of a running project
Personal development: Training so your staff can detect security-relevant situations themselves
Analysis of current security processes
Definition of the needed security level
Incident management
Security concept
Building up a security team
Support on concrete problems as an external expert
Requirements engineering
Implementation of new processes
Testing of current systems