The Quality Hub Podcast


Episode 24 Part 2 – ISO – Cybersecurity as a Form of Quality


ISO – Cybersecurity as a Form of Quality Part 2

In this episode of the Quality Hub podcast, host Xavier Francis engages in a compelling discussion with Scott Dawson, President of Core Business Solutions, on the critical intersection of cybersecurity and the ISO 9001 standard. Scott emphasizes the integration of cybersecurity practices into an organization’s Quality Management System (QMS), drawing parallels to traditional quality control processes.

Core Business Solutions publishes ISO Certification podcast episodes weekly. You can find more episodes here.


Episode 24 Part 2 Key Content

Hello, everyone, and thanks for listening to the Quality Hub, chatting with ISO experts. I’m your host, and today we’re here with the President of Core Business Solutions. Thanks for being here again today.

You bet, X. And it’s kind of cool to be in the new studio setup.

Yeah. Yeah, I’m liking this. I think it’s going to be interesting. We’re not going to do it every podcast, but here and there we can. I get that. It’s always a pleasure having you here. And for everybody who’s listening and watching, over the next several weeks we’re excited to explore a range of ISO standards beyond the well-known ISO 9001. At Core Business Solutions, our ability to work with companies extends well beyond ISO 9001. We support our customers with consulting, training, and software in a comprehensive array of ISO standards. In addition, we support cybersecurity, which is what we’re going to be talking about today: NIST and CMMC compliance and certification. But as I said, today we’re going to be talking about how cybersecurity is a form of quality from a high-level business point of view. So, can you explain a little bit more about how a QMS can be applied in a cybersecurity situation?

So if you think of cybersecurity, as in your technology and the use of your technology, as aspects of your organization’s processes, you think about it from, I’ll use some ISO language here, the process approach. And computers are usually involved in most processes today, either generating information or running your equipment or processing data or that type of thing.

Having clear policies about the proper use of your computers, the maintenance of your systems, the protections you’re going to have in place, having objectives and goals for things like training in your organization regularly, or remote vulnerability tests being done of your system regularly, or other kinds of objectives, which we think of as quality objectives. But it doesn’t seem to me you’re fudging things at all to say these are aspects of our quality, because this is an aspect of our process. These are tools in our process. Just like we have a calibration system.

I was just about ready to say that.

Yep. Yep. So another piece to look at is process documentation, having details on the proper use of information generated from computer systems or the information you have to enter into those systems or other use of sensitive information.

You mean how it is stored.

Exactly right. Yep. How to properly use the equipment. So I don’t know how many times we’ve seen this, but somebody has a sticky note on the side of a computer out in the shop that says, here’s the password, for those of you who need to use the computer. Yeah, because we don’t want everybody to have to remember a password. So we’re just going to put the password right there.

And they see the password as an inconvenience versus security.

Exactly right. Yeah. So that’s a common thing. Just to say, you know, our process is going to be locked down more than that. But then you have technical processes like keeping your computers updated. They call that patch management, you know, how regularly are you downloading and installing those updates. And many of those updates require your computer to be restarted. So you can download it all day long. But if the computer never gets restarted,

Then it hasn’t applied the patch. So now your computer is just as vulnerable as if you’d never downloaded it. Anyway, in our company we have, you know, Restart Fridays, reboot Fridays, every Friday. When you leave for the day, we reboot your computer. Because during the week our IT department has installed certain things, and they’re depending on those computers being restarted by Friday. And if they’re not, you get a little reminder. That kind of thing. As we should. Yeah. So we’ve incorporated those processes into the disciplines and routines of our organization.

So if you are a tool shop. Think about it as maintenance as well.

Yes, and this is a tool.

Yep, that’s the tool. You have to calibrate it, maintain it, and make sure it’s up to spec and it’s safe.

And make sure people know the proper use, and what to do in the case of a problem, and what to do in the case of an emergency. You know, we also could talk about resource management and product realization and how it’s used within our organization. And now, if you’re not in manufacturing, let’s say that you’re in service or you’re in software development, security is still just as important. And if software is a part of your product or it is your product, you have to design it from the ground up to be secure. And of course, I’m sort of preaching to the choir, I’m sure, at that point. But I don’t know that I am.

Well, and that’s another aspect if you go into manufacturing as well. If you’re manufacturing something electronic, the Internet of Things, doorbells, you know, switches for your outlets, all that stuff is hackable.

Like lights in our studio.

Exactly. Yes. Yes. So, you know, if you’re not planning how we are going to write code to protect that from a security standpoint, it can create vulnerabilities. And now you’re talking about a lot of people. If we’re talking about something that’s sold on Amazon, everybody can buy your doorbell or whatever.

Yeah, yeah. So design and development certainly apply. Then measurement, analysis, and improvement. We, you know, think about measuring things that can affect quality. Well, if cybersecurity incidents can affect quality, shouldn’t we have some measurements around that too?

Absolutely.

What kind of data should we be collecting? Who’s looking at that data? What are our acceptable limits on some of those things? And how do the problems get escalated to get dealt with right away? Let’s just talk about patch management, for example. How often are updates installed on our computer systems? Who knows whether or not they’re being installed? Could that become something that we want to track? Every week we’re going to apply the patches, and we want a log of when those are happening, and we’re going to want to monitor whether or not that’s happening. Having metrics and KPIs around some of the disciplines or processes that are necessary to maintain cybersecurity.

And the thing about this, too, when you’re looking at KPIs, you might be looking at a percentage, similar to if you can hit 80%, but it only takes one computer system to get broken into. So you’re probably going to want some pretty stringent acceptable limits there. You know, what kind of KPIs or information is top management looking at? What’s on their KPI list for, say, management review? For example, is cybersecurity even mentioned as part of management review?

Could you add that as an agenda item? And have two or three key metrics reviewed at the senior level, keep management informed, keep them aware of what we’re doing to protect ourselves. Talk about the results from, say, previous scans that were done, network scans and things like that. If management is not involved, then it’s going to be hard to keep it as a priority as a business. However, keeping it in the forefront of top management will help to ensure that it stays a priority for your business.

Well, also, management tends to have the purse strings. So if you find that we need to upgrade X, Y, and Z, from software to computers, this is out of date, the more they’re aware, the more they can budget ahead and say, okay, we have to allocate X amount of dollars next year, or maybe in the next six months, to make sure this is upgraded and secure.

That’s right. And because they’re aware of the importance. And that’s the key. Another place that you can connect quality with your cybersecurity is in your internal audits. So you could expand your internal audits to some degree to audit whether some of the cyber disciplines are being followed. You know, is training being done? Are people logging off of systems when they should log off? Do we have sticky notes with passwords on the side of monitors?

Or underneath the keyboard?

Yeah. Yeah. Another great security technique, right?

Yes. No one would look there.

It’s like the key under the door. Yeah, right. Same kind of thing.

What’s the first place anybody looks for the key?

Is it the doormat or the flowerpot? One of those two, right? Yeah. Internal audits can be effective, at least at a high level. Maybe some things are more technical than a regular ISO internal auditor may be qualified to inspect, but there certainly are things that could be included as part of the internal audit. And then I guess the last one I would mention is corrective and preventive action. You know, when things happen, or are found in an audit, or found in management review, or there’s a KPI that looks a little wonky, do we want to open a corrective action to try to look at the root of the issue so that we can avoid this becoming a major incident? Or, if the worst thing happens and there is a cyberattack or a cyber incident, certainly you have to jump on it and get it corrected at the moment. But then, in the aftermath, are we going to investigate how we could have prevented that, or should have prevented that, from the beginning?

And also how your response, how good your response was.

Exactly right. And what can we do to strengthen ourselves, right, for the future? And isn’t that what corrective actions are all about?

Yeah, exactly.

Yeah, for sure. So a lot of different ways that this can tie into a quality system. We didn’t mention much about training, but I think that one’s maybe a little bit obvious.

Well, you know, but to a point, I’d like to go into that a little bit, because training puts the general worker into this category, which is your most vulnerable, more likely. Two, keeping those lines of communication with management and showing the importance of it. If you’re supposed to be taking training and you’re saying, hey, we’re going to have a report based on this, the more they realize your buy-in, the more they’re going to pay attention to you.

And there’s a problem just like anything else. If you’ve worked on your employee engagement for their machines, their computers are going to be the same way. This is an important thing. And I know, and I don’t want to get too personal about it, but I know we’ve had issues where people have tried to get us, and we communicate to one another that, hey, I got this weird phishing email, look out for it. So those are the kinds of things that, again, get that buy-in in that culture.

Yeah. And it’s heightened the awareness. I think all of us are more alert to things, and we might raise issues that are not issues. The fact that we did that means we’re being aware, and we’re being careful, and we’ve been educated to know what to look for. And if in doubt, get it checked, you know. Sometimes we’ll send something to our IT department and say, can you check this and make sure it’s safe? I don’t want to download this file because it doesn’t look quite right, or I wasn’t expecting it. Can you guys just run a scan on it before I download it, so that I don’t inadvertently get malware on my computer?

And also the importance of it being okay to stop productivity and be safe.

Yep. Great way to say that, because when you want someone who’s in an unsafe situation, say, out in the shop or out in the field, to stop and get their safety gear on, make sure that no one gets injured and you’re following proper procedures before proceeding, because the worst that can happen, obviously, is someone gets injured, or even worse than that.

Well, same thing here. Why not stop, take a moment, and make sure that it’s safe to do what you’re doing? If you have safe practices that are necessary for a certain operation in your manufacturing environment, aren’t you going to put those safe practices into your process instructions? Aren’t you going to put those safe practices into your training? Aren’t you going to put signage and warnings up?

Aren’t you going to hire people who are qualified to work safely? It’s no different. It’s just that it’s unseen. It’s an invisible thing. I don’t see it and I don’t quite understand it, so I don’t know that I can talk about it. Well, how about you get yourself up to speed, at least to a level where you can have a conversation with the professionals, so that you can say, what are the general disciplines that, as a business, we should have in place, and how can the quality system help?

Absolutely. Are there any specific cybersecurity processes that a company might need to implement above and beyond integrating cyber into an existing QMS?

Yeah, I think so. And to some degree, this is just different terminology for the same things. But there’s a practice of prevention and detection which is used in the cyber world: preventing something from happening, or detecting it. So questions that a quality manager could ask are, what are the prevention and detection methods that we have? Are they being maintained? Who’s monitoring them? Are we using the information to take action when necessary? What happens if that detection or prevention system fails? How would we know that we’re vulnerable? You know, so you don’t have to be the technology expert, but you can start asking some pesky questions. You know, another one is incident response.

That’s important.

Something happens, somebody clicks something, or a system is taken offline. For some reason, an incident occurs. Okay? We’ve got to have a plan of action for how we’re going to deal with it, how we’re going to get things back online. Well, isn’t that control of nonconforming product?

Yeah.

It’s just not a product, but it’s a non-conformance. Right? Yeah. And in the cyber world, you’d call it an incident. Yeah, I guess you’d call it that in the safety world too.

Yeah. And you have to, you know, there’s a fire drill or somebody was injured. What’s our response? You know.

Yeah. And then resilience and recovery is kind of the planning for the long term. How do we ensure we’re able to continue operations in the event something happens? That’s being resilient. You know, do we have backup systems? Do we have redundancy in our systems?

Do we have a plan to recover quickly if something were to occur? I mentioned the backup issue earlier in the case of ransomware, how often you go, oh, let me get my backup, right, reinstall all that information, and we’ll just go back to work. But now you turn and say, well, let me go find my backup. And then,

Who has that?

Yeah, exactly right. Or it’s out online and nobody knows the password to get to it right now. Or,

Or do we have a computer that wasn’t attached to the system, to be able to go in and get it?

That’s one of the key things about data backup: it should be segregated from your system. Because if someone is infecting your computer system, could they also lock down or encrypt your backup, and now you’re just locked out? So that’s, you know, under the heading of resilience and recovery. What’s our plan, and do we test the plan? You know, you talked about fire drills earlier. You know, we’re used to going out in the parking lot, standing under this light, getting a head count, and all that kind of thing.

Why did it have to be during a rainy day?

Exactly right. Yeah. You know, not only do you do your data backups, but do you test them? Do you practice restoring the data and make sure it’s working? Do you know what to do in the case of an attack by ransomware? What is somebody supposed to do, just in a simple manner? What is somebody supposed to do if a phishing email comes into their inbox? Do they just delete it? Do they do more than that, and report it to somebody?

Right. Right. Well, we know we’re not supposed to click on it. What do I do now?

Yeah, exactly right. So, yeah, to some degree the same mindset is brought to cybersecurity as to quality. The terminology is different, the technologies are different, and the issues are somewhat different, but overall the strategies are pretty similar.

Yeah. So the big question is, are there any ISO standards or other standards that might assist companies with their cybersecurity needs?

Yes, standards can be used as a best practice to follow. Like, what are the minimum things I should be doing? And you can go so far as to get certified sometimes, which is a different level of compliance, I guess you’d say. There is an ISO standard called ISO 27001, which is very similar to the way that ISO 9001 is organized.

It’s just that all the quality terminology is pulled out and the information security content is put in. But it’s still planning, management review, internal audits, documents, things that we’re used to seeing as quality professionals, but it has the controls necessary to protect information, and that’s the ISO version of protecting information.

Well, and I think that goes beyond cybersecurity. It’s an information security management system. So it gets into some of the things with paper. Where do you store things? You know, how should you handle things when you’re not working?

Yeah. Your file cabinets are locked, certain areas of the facility are designated as sensitive and only certain people can get access to them. You know, that kind of thing. So you just stop and think about information, as protecting information is necessary in whatever form it’s in. So to the degree that there are certain risks to information, you would put certain appropriate protections in place. But it’s great in the way that it kind of is a top-to-bottom review of what goes on in your organization.

It also has that continual improvement mindset brought to it that ISO brings: that things aren’t always as good as they can be, or as good as they should be, and how do we, on an ongoing basis, monitor our progress and make improvements? ISO 27001 is a really good standard. Our company implements it. I mean, we’re information systems inside of a company. We’re also certified to 27001, just like we’re certified to 9001. Those are important to us, and those disciplines are important to our customers as well.

So there might be, and I’m not trying to get people off the hook here, but clearly some places might need to be certified to ISO 27001, and they might desire that. But if nothing else, you could use it for being compliant, and use it as a good springboard to get you up to speed on this whole security thing.

And that’s another way to leverage what you’ve already done. Because it’s an ISO management system, it can help you apply any of the practices that you have in place for management systems to the world of information security. Now, there are special industry standards. One that comes to mind is with the Department of Defense, a new standard that is just coming out called CMMC, Cybersecurity Maturity Model Certification. I’ve been up to my eyeballs with this thing, going easily for two years now.

Yes, we’ve done a lot of webinars on it.

A lot, exactly right. The Department of Defense has a lot of sensitive information, and the products that are produced and manufactured for the DOD, for our warfighters, all that equipment, all the materials, all the systems that are used on the battlefield, are manufactured by the private sector. It’s one of the weirdest things I’ve ever thought about. The government doesn’t manufacture any of that.

They outsource it.

They don’t have any manufacturing capabilities. They outsource it all. Guess where all those specifications need to go. Outsourced. They are outsourced. They need to be transmitted and transferred to suppliers, who then transmit and transfer them to their suppliers, etc., etc. So there’s information spread all over the place, things used by our military to defend our country that are in Smith’s machine shop.

Right. They’re not necessarily top secret either. That’s the thing that I think a lot of people are thinking, oh, the US military is top secret. If you’re making a ball bearing, or you’re making, you know, something that holds the gun, or just this little piece of a plane, that in itself is not top secret. But it still needs to be secured.

There’s an infamous story, and a very real, very scary story, of the Joint Strike Fighter, I think it’s the F-35, that fighter system. And three years after we came out with that new weapons system, one of our adversaries, China, came out with a duplicate, just called something else. I guarantee you they did it in three years? Figured out how to build their fighter jet the same as ours? No. They also didn’t hack the DOD systems to get the drawings and specifications.

They didn’t hack tier one, you know, prime contractors, I mean, Boeing and Lockheed and those guys. They went to Smith’s machine shop and John’s machine shop and this engineering firm and that testing firm and this software house, helped themselves on these less secure networks to the same drawings, put them all together into this picture that allowed them to manufacture it.

The same weapons system that we have. And the DOD has seen this happen time and time again. And now they’re saying all suppliers for the Department of Defense have to meet a certain cybersecurity requirement called CMMC. You know, those are things that our customers ask us to help them with.

So what words of advice would you have for our listeners on where they can start if they just want to begin to incorporate cybersecurity into their QMS?

Yeah, I think the place to start is by discussing it with senior management. I think an easy way to do that is in your management reviews. When you’re starting to talk about risks and opportunities, which you should regularly be doing, and you’re talking about different ways in which your organization can be impacted by a certain risk, make sure that cybersecurity is brought out as a real risk that we carry as an organization, and that we should be managing cybersecurity in a similar vein to how we manage our quality, and that you get buy-in from senior management.

Sometimes you can bring goals and objectives or KPIs or data into those meetings and start to get people more aware of them. First of all, I don’t have to be technical to manage this. I can learn new vocabulary. Don’t overwhelm them with techno-speak; you’ll lose them fast. But make it straightforward: how about we just pay attention to the training we’re providing our employees, the updates we’re making on our network, and the backups we’re making of our network.

Are we making backups of our network?

Have they ever been tested? You know, just some basic blocking and tackling, and then kind of expand it from there. But I would start with senior management, and then, you know, make an inventory of things that go on in your organization, or should be going on in your organization, related to cybersecurity somewhere.

So a little bit of a gap analysis?

A little bit of a gap analysis. Do we access data from our homes? Do we have computers out in the shop? A gap assessment is a really good way to look at it. Using one of the standards is a good way to look at it. Just to take inventory, take stock of what you are doing. And of course, you know, our consultants can do pretty straightforward gap assessments.

For cybersecurity, just to raise awareness and get you started if somebody needs some help. And, X, one other thing that can be done is a more formal risk assessment, which is another way to look at a gap assessment, I guess. But it’s from the point of view of, what are the various risks that we face? How urgent are they? How big of a deal are they? What are the ramifications of the impact that they might have? That’s another way to sort out the priorities in your organization. You know, we have the tools and templates and the people to help companies go through and do a formal risk assessment, if that’s what they want.

And we went through, I think it’s called the improvement plan. We did go through that when we talked about some risks. So that is available, if you’re a current Core customer, in the resource library.

Yeah. And cybersecurity is on there. Yeah. There are a couple or three that are in there.

Absolutely. So in kind of wrapping this up, do you have any examples of how a company has gone through a major security breach and turned it around to improve their customer satisfaction?

Yeah, great question. Again, I’m going to reach back a couple of years, because it helps you see the end of the story, I guess. But T-Mobile had a major incident in 2021. In August there was a major data breach. A lot of customer personal information was stolen, a lot of identity theft occurred, because you’ve got to figure it’s, you know, everybody who had a phone. And so there were millions of users whose data was exposed, and they had to go and put prevention measures in place and bring their customers along with them, because immediately their reputation was tarnished.

Immediately everybody questioned, we shouldn’t even be using T-Mobile if they’re getting hacked. But they were very transparent about the whole thing. They informed their customers as to what happened and what steps they were taking. And they have rebuilt their brand to show that cybersecurity is top of mind for them, and that they’re very responsive in the event something does happen. And in the end, I think they’ve turned it around to be a positive, to show the resilience of their organization and how seriously they took the compromise of personal information that occurred.

So, sort of risks and opportunities: they took the opportunity to do the right thing and, regularly, yeah, you know, make it better for the customer.

So those are, you know, you can turn something negative into a positive. You need to have a plan to do it, and then have the willingness to push through and rebuild your credibility in that case. And I think T-Mobile did a great job with it.

And so that is a good example. I guess this helps us see, you know, from the numbers we’re talking about, especially for small business, I mean, 82%, and some of the things that you talked about, how important this is as a form of quality. It’s now almost not a matter of if, but when. You know, and you need to learn.

It’s very real. It is very, very real. Even though it’s hard to see it, it’s hard to understand it. But mere mortals can learn the basics. You know, and I’m an example of that.

Yeah, well, I mean, you kind of started becoming passionate about this a couple of years after I started here, and I’ve seen that growth from you, but also in our company, how it’s almost second nature. And I think, not to get into the weeds more, but the culture that’s been built since. You know, you’ve determined this is an aspect of our quality. It’s just ingrained now from the beginning.

It’s an aspect of our success. And our success depends on protecting information just as much as it depends on meeting customer needs and delivering good customer satisfaction. I think it’s all tied into one thing. And just because we are an online company and we deal with technology a lot doesn’t make us that unique.

Everybody has data and information that they’re the custodian of, and they have to protect it. At least we should start asking some new questions as part of our quality system, because we do dive into the area of risk and customer needs and customer satisfaction. And this is all tied together.

Well, Scott, it’s always a pleasure to have you on, but this is informative. This is, I think, something that we are going to be talking about, ISO 27001, and it’s going to be important for people to realize just how much it matters. And I appreciate you being on and talking about it and sharing your passion with us.

It’s my pleasure and I love the new look and yeah.

Yeah, this is fun. I like this. This is fun.

Exactly right.

We’ll have to use it as much as we can, but not too much. Well, thanks, everybody, for listening today. I hope you enjoyed our podcast and that it’s been informative for you. If you’re looking for more information about Core Business Solutions and how we can help you with ISO certification or cybersecurity, which we talked about today, please email us at info@thecoresolution.com. You can also reach our website at www.thecoresolution.com as well. And if you haven’t already followed us on your favorite podcast platform, be sure to do so. That way you won’t miss the next Quality Hub podcast when it’s released next week. Thanks for being here and have a great day.