Imagine being sixteen years old, gassing up your mother’s old Chevy Cavalier and seeing a sleek smurf-blue roadster zip past the gas station. Time stops. You immediately fall in love with it. Time starts again, and you disappointedly climb into your mom’s clunker and sullenly drive yourself home. You spend the next twenty years thinking about that car, until you finally buy one – a bright red 1994 Mazda MX-5, with the peppier 1.8L engine, all the lightness and delight you imagined in that 1990 roadster that zipped by your teen-aged self.
You love the hell out of that 2,100 lb spritely roadster, but given that you’re the third owner (and that you can now afford a brand new Mazda MX-5), you decide to give the new ones a try.
And you’re terribly disappointed. Weighing in at ~2,500 lbs, all the lightness is gone. The simplicity has been replaced with a cluttered cockpit filled with technology. You decide not to spend your money on a new Miata after all.
This is exactly what happened – and it must have happened a lot, because Mazda turned their “Gram Strategy” on the Miata for the 2016 redesign. With this strategy, in use since at least the 1980s, Mazda engineers consider how they can reduce the weight of every component in a car by a gram. This spreads the effort of streamlining across the entire system, while forcing engineers to take a fresh look at the system as a whole.
The Gram Strategy
According to Kenichiro Saruwatari, Mazda’s President of R&D at the time of the 2016 Miata redesign, the Gram Strategy considers a car “as a complete entity,” revising the individual components together to reduce the total weight of the car. No more sacrificing your roadster’s air conditioning system to lose a few pounds. Every one of the thousands of parts, nuts, bolts, fasteners, fabrics, and other bits and bobs that make up the car was examined with the question, “Can I make this lighter without sacrificing performance?” in mind. With this approach, Mazda was able to shave 200 pounds off the total weight of the 2016 Miata.
Shaving 200 lbs out of a car may not conceptually seem like a lot, but at 10% of its total weight, the difference is quite noticeable when driving. Mazda achieved their goal: to make a lighter car that would delight their drivers.
What does the Gram Strategy have to do with Cybersecurity and Risk Management?
With so much to lock down or monitor in an environment, and new threats springing up every day, your security and risk management program can feel overwhelming. With more security tooling comes more dashboards and alerts – that “cluttered cockpit” feeling that only adds to the weight.
We spend a lot of time “reacting” in cybersecurity – reacting to news cycles, to new technologies, new vulnerabilities – putting out fires in general. We often lose sight of the fact that cybersecurity is a part of risk management. We must shift from reactive behaviors to proactive risk reduction.
Applying the Gram Strategy
Fortunately, just like Mazda, you can apply the Gram Strategy to your cybersecurity and risk management efforts. Take a step back and consider your business risk as a whole, and then think about how cybersecurity helps reduce overall business risk.
1. Focus on your end user.
You don’t need a specific end goal, but you do need to have an objective – and that objective needs to enable your internal and external end users. Just as Mazda’s objective was to make the car “lighter” for their drivers, you need to improve cybersecurity/reduce risk by making the users’ overall experience better. I like to say that “Any friction is an obstacle” for your users, whether they’re the end user or the teams supporting them.
2. Think systematically.
Look at every component in your cybersecurity and risk reduction program. Be methodical in your approach: Consider people and process before technology.
- Are your people trained? Is their workload reasonable?
- Mistakes made by untrained or overworked talent aren’t malicious, but they are a significant risk that you can manage. This can be one
- Are your processes streamlined? Do they make good use of the technology in play?
- Does the technology you have support the best possible processes for your company? Are its security options configured correctly?
3. Look for better, even if it’s not necessarily “best.”
Anything that is an improvement reduces your risk. You may be better off making fuller use of the systems you already have than spending time and money looking for the “best” solution.
4. Do it again. And keep doing it.
Mazda was public about applying the Gram Strategy to the 2016 Miata redesign, but they continue to make the cars lighter whenever possible. Similarly, you should continuously seek to improve your programs by reducing friction wherever possible.
Gram Theory in Practice
I’ll give you a very simple example. I once worked with a group who would output their work to Excel files and mail them to a peer on another team.
I asked them, “Why don’t you just give that person access to this system? Is it a cost issue?”
They replied, “No, they shouldn’t have access to all the customer data, just to the metrics from this report.”
No one had told the business owner that you could restrict information by role. By setting the other user up in the system, we reduced the risk of confidential information being leaked through email while reducing friction for both users involved.
Small, iterative changes can make a huge impact for your business, with the potential bonus of generating a lot of goodwill from your business users and credibility for your technical/security team. So go out there, and for once, think small!