The rise of the Internet of Things (IoT) is driving changes in all aspects of security, causing organizations to reevaluate the people and service skills, structures and approaches their security needs require.
Earl Perkins, research vice president at Gartner, shares his thoughts on how security leaders can develop new approaches to security organization and better protect their digital business against potential threats and breaches.
Q: How has the rise of IoT and connected devices changed the security landscape?
A: The landscape known as the “pervasive digital presence” is changing how we approach digital security through four main differentiators from traditional IT security: scale; diversity; function; and flow. Security and risk managers should consider how these differentiators are driving change and adapt new strategies that help address the ever-shifting landscape.
First, the security landscape is changing due to the scale of this digital presence. The pace of innovation has generated requirements for millions of devices, most network connected or wirelessly connected in some capacity. Unfortunately, most of these devices have little or no protection at the software and infrastructure level.
There are connected devices that have been in use for many years that need to safely and securely communicate with newer connected devices, particularly in the world of industrial automation and control systems. For example, with the diversity of devices and environments in which they operate, there is no single standard for device-to-device authentication or how devices can securely link to cloud services.
Another differentiator in IoT security is how typical IoT devices function. Many devices are constructed to be “fit for purpose,” in that they are created to perform specific functions that may require only a few operations, such as a sensor detecting five characteristics of an environment or an actuator performing to commands. The rise of the IoT creates a varied and different approach to device function – some devices may be built to only deliver information by the second, while others act as a static storing place for information until something may be triggered.
Finally, security and risk decision-makers must look at data flow in IoT networks to understand how, when and where to secure data. Data in IoT networks tends to be constantly changing, even if it’s stored. When making key decisions to protect data via encryption, network segmentation, or even monitoring and detection, data flow remains a key differentiating characteristic that may require new approaches in digital security.
Q: What is the biggest challenge facing security leaders today?
A: Perhaps the biggest challenge security and risk managers will face is shifting their perception of how to manage and assess risk. Security managers are accustomed to taking a calculated risk on how to mitigate threats in their organization, but the rise of IoT introduces new variables to the risk formula, variables that need to be incorporated into traditional means of assessing and calculating IT risks. As a whole, the industry will need to acknowledge IoT’s pervasive presence and adopt new strategies that consider our digital world.
Q: What key learnings can security leaders take away from recent security breaches?
A: The rules are evolving – the industry needs to begin by establishing a “minimal security foundation,” meaning establishing at least the basic security model that addresses prevention, detection, response and prediction concerns in an adaptive security framework.
In the past, the only devices a DDoS hacker would likely use were PCs, servers and perhaps mobile devices, which limited how severe an attack could be. However, the recent Dyn DDoS attack was record-breaking in several ways, including the sheer volume of “noise” generated by using devices—including IoT devices—to generate that noise, affecting not only enterprise users but consumers. Organizations with a minimal security foundation would be (and were) better prepared in prevention, detection, response and prediction to address such an attack.