BMW’s Strategic IT Security Overhaul

BMW Group’s approach to weaving the CIS Controls, a maturity model and threat intelligence into an innovative IT Security Risk Management model.

The BMW Group, a powerhouse in the automotive industry, commands a significant global presence, with operations spanning over 140 countries. The company has multiple production and assembly facilities located across Europe, North America, Africa, and Asia. This includes vehicle production plants, motorcycle plants, and several component manufacturing sites. The company’s workforce is 159,000 strong. 

As a prominent entity in the premium automotive sector, BMW Group’s vast operations necessitate a robust IT security landscape.

This case study explores the insights of Christian Schmitt (Head of Strategic IT Security Initiatives at BMW) and Daniela Recknagel (IT Risk Management Expert) on their journey to adopting the CIS Critical Security Controls (CIS Controls) as a core component of their innovative threat-intelligence-, control- and maturity-based IT Security Risk Management model, in order to bolster their IT security framework.

The Challenge: Shift from an application-centric top-down risk model to a security-capability-oriented risk management approach incorporating the operational environment.

For this to happen, the following requirements had to be fulfilled:

  • Include the most relevant threats and attacks whilst being free of overlapping risk scenarios.
  • Incorporate the current threat and attack situation with countermeasures and their current and to-be maturity level.
  • Facilitate prioritization and Return on Security Investment (RoSI) decisions.
  • Remain standards-oriented as far as possible, with as little proprietary maintenance effort as possible.

BMW’s previous IT Security risk model quantified IT security risk using an application-centric approach, based on the protection need and security level of each application. However, there was a strong demand that the IT Security Risk Model also reflect improvements in the general cross-cutting capabilities required to ensure proper security, such as asset management or vulnerability and patch management.

The Solution: Integrating the CIS Controls as the control framework within the IT Security Risk Model.

BMW has been using the CIS Controls since 2022. The CIS Controls (all Implementation Groups) serve as a core component of their IT Security Risk Model. While CIS Controls resources indirectly benefit the entire team, direct engagement is estimated at around 10%.

The decision to integrate CIS Controls into BMW’s IT Security Risk model was multifaceted: 

  • The CIS Controls offer a balance between impactful security areas and practicality for a large organization.
  • The community-driven nature of CIS Controls fosters a collaborative security environment.
  • CIS Controls align well with other industry standards and best practices, including MITRE ATT&CK, VERIS, and NIST frameworks.
  • The framework provides guidance on measuring security effectiveness and developing key performance indicators (KPIs).
  • It explains the interdependencies among various security safeguards. 

Implementation and Tools  

To navigate the complex landscape of security safeguards, BMW leveraged the CIS Controls Navigator, which provided an integrated view of the Safeguards and their mapping to other standards. They also utilized the CIS Controls Assessment Specification for its easy navigation, its documented dependencies between Safeguards, and its KPI proposals.

Recognizing the need for a tailored solution, BMW developed their own self-assessment tool, designed to cater to the specific requirements of the organization and to define a clear responsibility model for the different asset types per Safeguard.

The Impact: Facilitated IT Security Measure Prioritization and RoSI Analyses

The implementation of CIS Controls has been instrumental in reinforcing BMW’s IT security strategy principles, which emphasize a data-driven, maturity-focused, and automation-centric approach. 

The company has gathered data supporting the automated, data-driven effectiveness of certain safeguards. 

The CIS Controls played a crucial role in identifying areas for improvement and facilitating strategic prioritization. This, in turn, has enabled BMW to conduct “Return on Security Investment” (RoSI) analyses as part of their prioritization process for security measures along with other valuable factors like the number of dependencies between different safeguards.

BMW uses the CIS Controls as a central component in their novel threat intelligence-driven, control- and maturity-based IT Security Risk Model to rate the as-is and to-be maturity of the IT Security level.

IT Security Risk Model

In the model, the CIS Controls are combined with IT-security-specific risk scenarios from the VERIS framework (built upon its “Threat Actions”) and the latest threat intelligence statistics gathered by Verizon for its Data Breach Investigations Report (DBIR).
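The following is an added illustration of the kind of prioritization such a model enables (combining the RoSI and dependency factors mentioned under "The Impact" with the threat-action weighting described here); it is not BMW's tool or scoring formula. The scoring rule, costs, maturity levels, dependency links and threat-action shares are all constructed; the Safeguard IDs are assumed to follow CIS Controls v8 numbering.

```python
"""Illustrative threat-intel-weighted, maturity-gap-based Safeguard prioritisation.

Constructed example, not BMW's or CIS's code: every number and mapping below is
made up to show the mechanics, and the scoring formula is an assumption.
"""
from dataclasses import dataclass, field


@dataclass
class Safeguard:
    sid: str                  # CIS Safeguard id (v8 numbering assumed)
    cost: float               # constructed: relative cost to close the maturity gap
    as_is: int                # constructed: current maturity level (0..5)
    to_be: int                # constructed: target maturity level (0..5)
    depends_on: list = field(default_factory=list)  # Safeguards this one needs first


# Constructed stand-in for DBIR-style statistics: share of incidents per VERIS threat action.
THREAT_ACTION_SHARE = {"hacking": 0.45, "malware": 0.25, "social": 0.20, "error": 0.10}

# Constructed mapping: which VERIS threat actions a Safeguard helps counter.
MITIGATES = {
    "1.1": ["hacking", "malware", "error"],  # enterprise asset inventory
    "7.4": ["hacking", "malware"],           # automated application patching
    "3.3": ["error"],                        # data access control lists
    "14.1": ["social"],                      # security awareness program
}


def dependents(safeguards: list, sid: str) -> int:
    """Count how many other Safeguards list `sid` as a prerequisite."""
    return sum(sid in s.depends_on for s in safeguards)


def score(s: Safeguard, safeguards: list) -> float:
    """Assumed RoSI-style score: threat exposure x maturity gap x dependency weight / cost."""
    exposure = sum(THREAT_ACTION_SHARE[a] for a in MITIGATES.get(s.sid, []))
    gap = max(s.to_be - s.as_is, 0)          # nothing to gain if target already met
    weight = 1 + 0.5 * dependents(safeguards, s.sid)  # unblocking others counts extra
    return round(exposure * gap * weight / s.cost, 3)


def prioritise(safeguards: list) -> list:
    """Return (score, sid) pairs, highest priority first."""
    return sorted(((score(s, safeguards), s.sid) for s in safeguards), reverse=True)


# Constructed sample portfolio: 7.4 depends on 1.1; 3.3 is already at its target level.
SAMPLE = [
    Safeguard("1.1", cost=2.0, as_is=2, to_be=4),
    Safeguard("7.4", cost=3.0, as_is=1, to_be=4, depends_on=["1.1"]),
    Safeguard("3.3", cost=1.0, as_is=3, to_be=3),
    Safeguard("14.1", cost=1.0, as_is=2, to_be=3),
]
```

Running `prioritise(SAMPLE)` ranks the asset inventory Safeguard first because it covers the most frequent threat actions, has a two-level gap, and unblocks the patching Safeguard.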

BMW’s strategic deployment of the CIS Controls has significantly contributed to the enhancement of the company’s IT security posture. 

This case study underscores the successful incorporation of the CIS Controls into BMW’s sophisticated IT security risk management strategy, showcasing the benefits of a structured, data-driven, and maturity-oriented security approach.

As of June 23, 2025, the MS-ISAC has introduced a fee-based membership. Any potential reference to no-cost MS-ISAC services no longer applies.