October 21, 2025
Conference Paper
Title
Cross-Divisional Cybersecurity Risk Management in Automotive: Requirements and Current Practices
Abstract
Collaboration across multiple divisions in the automotive industry, including vehicle engineering, production, and backend services, complicates cybersecurity risk management. While standards such as ISO/SAE 21434, the ISO/IEC 27000 family, and the IEC 62443 series each offer domain-specific guidance, a focused review shows they do not offer a fully integrated, cross-divisional framework. Rather, they present scattered guidance on topics like communication channels, external dependencies, and aligned risk criteria, leaving it to organizations to unify these elements.
To explore how this gap manifests in practice, semi-structured interviews were conducted with six automotive manufacturers, capturing real-world challenges and strategies for cross-divisional cybersecurity risk management. The findings reveal disparate risk assessment methods, inconsistent terminology, and fragmented communication channels among these divisions, which hinder a holistic security posture. Conversely, the results highlight the benefits of coordinated strategies, such as enhanced risk transparency, more efficient resource allocation, and stronger regulatory compliance.
Based on both the standards analysis and interview outcomes, this paper advocates a cohesive framework that harmonizes processes, tools, and language across automotive divisions, ultimately guiding manufacturers toward an overarching, more robust cybersecurity posture.
Funder
Bundesministerium für Wirtschaft und Klimaschutz (BMWK)