How is a food safety manager addressing cybersecurity like going to your doctor? In both cases, you are accountable for setting the appointment and clearly defining your concerns. Your primary care doctor will conduct the initial assessment and forward you to specialists. You are not expected to be a medical expert.
- Video presentation on “Cybersecurity and the Role of the Food Safety Manager (Updated)” (45 minutes): https://youtu.be/0_Xj7pO_TMA
- PDF version of the presentation: https://blog.foodfraudpreventionthinktank.com/wp-content/uploads/2022/06/Cybersecurity-and-FSM.pdf
This blog post reviews my Food Safety Summit workshop presentation on ‘Cybersecurity and the Role of the Food Safety Manager.’ Part 1 was the presentation, ‘Cybersecurity and what it means to the food safety professional.’ This included an introduction by Craig Henry, and then cybersecurity expert presentations by Marcus Sachs (former member of the Defense Department’s Joint Task Force for Computer Network Defense and now from the McCrary Institute, Auburn University) and Joshua Corman (former Cybersecurity and Infrastructure Security Agency (CISA) Dept. of Homeland Security). Part 2 was a workshop where the attendees reviewed the application to the food industry and food safety.
From Food Fraud Prevention to Cybersecurity
I was frequently asked how my research expanded from food fraud prevention to cybersecurity. This work is the intersection of three tracks. First, since 2016 I have been researching the food fraud aspects of e-commerce and online marketplaces. Second, cybersecurity is a hot supply chain topic that I’ve covered for my undergraduate students in my Introduction to Supply Chain Management course. Then, it came together when ISO 22000 Food Safety Management included a new note that mentioned “…cybersecurity and food fraud, food defense and intentional contamination.” The way the commas were used, the document grammatically combined cybersecurity AND food fraud as one topic. This was “… cybersecurity and food fraud, …” not “… cybersecurity, food fraud, …”. I researched whether the ISO 22000 scope intended to consider cybersecurity and food fraud together (e.g., “cybersecurity AND food fraud”) or as separate topics (e.g., “cybersecurity” and then separately “food fraud”).
Summary of my Presentation
Presenting at industry conferences is an absolute key to researching new topics. During many discussions throughout the week, we kept trying to find analogies that help explain the issue. A helpful image is to compare your cybersecurity role to that of a medical patient working with a medical doctor.
- You notice that your body feels sick or injured.
- You make an appointment and tell your primary care doctor what is wrong with your body.
- Your primary care doctor makes an initial diagnosis and offers treatments within their area of expertise.
- If the primary care doctor perceives a bigger problem, they will prescribe more detailed assessment tests or refer you to a specialist.
- You might know something about the illness or injury, but you do not expect to be an expert in everything (it is usually wisest to step back and let the experts take over).
- You are accountable for being your own advocate and making sure you stay engaged until you feel better.
- You are responsible for implementing any prescribed medicines or lifestyle changes.
As a food safety manager, your role is to pay attention to your operations and make sure you ‘feel good’ about the state of your food-safety-related cybersecurity ‘health.’
Call to Action for a Food Safety Manager
To explain the ‘call to action’ more directly, there are three key points (summarized from NIST, ISO 27000, and ISO 27032).
- You are NOT accountable or responsible for conducting IT/cybersecurity assessments or for selecting, implementing, or managing those systems.
- You ARE accountable for sharing your expert, functional-area insight on critical infrastructure protection (which processes are the most vulnerable, and why) AND for assuring that your systems are covered.
- You ARE accountable for making sure you are meeting the FSMA and GFSI requirements for considering all hazards, including the food-safety-related hazards from cybersecurity and e-commerce.
Additional Insight from the Cybersecurity Workshop
It was fascinating to sit with the workshop attendees to discuss the food safety cybersecurity-related concerns.
- Ask IT for an audit of your people and systems; this will emphasize to your team that you are serious about this.
- Confirm with the corporate IT team that controls are in place to address a range of concerns, including:
  - critical IT system access controls, oversight, logging of changes, and notification of changes;
  - external access and connections to other IT systems (customers/suppliers);
  - remote access for employees (VPN, Wi-Fi);
  - password allocation;
  - use of remote devices (cell phones, etc.), with asset tracking for everything.
- Steps to review food safety vulnerability from cybersecurity concerns:
  - Create a map of the manufacturing operations steps, including prerequisite or receiving steps.
  - On that map, identify the systems or steps that are IT-intensive or automated.
  - Review IT, automation, cyber, and information network incidents, system weaknesses, and other concerns for those systems or steps.
- Cybersecurity is an important food safety management concern.
- As a food safety manager, your role is NOT to be a cybersecurity expert.
- Be a good ‘patient’ (food safety manager) and make an appointment with your ‘doctor’ (IT/cybersecurity team) to assess your (cyber) health.
For related content, please see:
- Request for Comments: Section Draft for ISO 28000 Supply Chain Security for Cybersecurity and Food Fraud Prevention, By John W. Spink, Ph.D., April 5, 2022: https://blog.foodfraudpreventionthinktank.com/request-for-comments-section-draft-for-iso-28000-supply-chain-security-for-cybersecurity-and-food-fraud-prevention/
- Request for Comments: Section Draft of ISO 22000 Food Safety Management and Cybersecurity, By John W. Spink, Ph.D., December 7, 2021: https://blog.foodfraudpreventionthinktank.com/request-for-comments-section-draft-of-iso-22000-food-safety-management-and-cybersecurity/