Secure Your IoT Deployment During the Security Talent Shortage
Today’s organizations are faced with a dilemma. On one side, they want to take advantage of the business opportunity that the Internet of Things (IoT) can unlock. But the reality of IoT security and associated risks to brands and customers leaves them hesitant. I hear this play out time and time again when meeting with device manufacturers and businesses considering IoT to drive transformation. With the growing number and severity of IoT attacks, caution is well warranted — IoT creates physical, privacy, and revenue risks. At the same time, most organizations are unprepared to monitor, manage, and update IoT devices. To compound the problem, the industry faces a record-setting three-million-person shortage of security pros that leaves organizations without coverage for new IoT projects and overextends existing security teams.
At a time when the opportunity of innovation is limited only by imagination, security is a persistent challenge. These competing forces push and pull against each other as decision makers calculate the risks against the ROI of connectivity — but this isn’t a binary choice. There is a way to augment your existing team and resources with trustworthy solutions that help you meet the ongoing security needs of IoT.
IoT Is Especially Vulnerable to the Security Pro Shortage
The shortage of security talent is especially dangerous for IoT because its unique risks are difficult to detect and costly to fix.
Sometimes it is easy to identify the risks: a compromised connected car or gas furnace could injure or even kill someone. IoT also introduces risk to revenue when integrated into the equipment businesses depend on for primary operations. Consider a national supermarket chain that connects its refrigeration systems to increase equipment uptime and reduce service calls — a DDoS attack that shuts down those same refrigeration units could disrupt operations for days and result in revenue losses negating the value the chain was hoping to accrue.
Despite the Risk, IoT Is too Valuable to Delay
Despite the risks, the potential of IoT is too valuable to ignore. 80% of companies that invest in IoT see increased revenues while benefiting from reductions in costs and downtime. As IoT becomes mainstream, organizations that don’t pursue IoT-driven innovation are missing the opportunity to secure their place in the future economy.
Here are some common outcomes that businesses are pursuing with IoT:
- Operational efficiency. IoT is a powerful tool to optimize processes, reduce costs and increase uptime for business-critical equipment. Starbucks kicked off an IoT project to cut down on service calls: “If we can avoid one service call per year in each store, it pays for the project,” said Jeff Wile, Starbucks senior vice president of infrastructure enablement, in Channel Futures.
- Product and customer insights. Telemetry and data from IoT devices can provide a clear view of how products are being used and environmental conditions that may be impacting their performance. Rolls-Royce uses data from different airlines to minimize the time planes spend on the ground.
- Employee empowerment. IoT empowers employees with data-driven decision making. The Alaska Department of Transportation uses IoT to help employees save lives and reduce costs.
- Product transformation. IoT allows businesses to reimagine the value they deliver to customers through product experiences. European energy company E.ON built the connected E.ON Home Energy Management system to empower their customers to better meet their individual energy goals.
There Is No Shortcut, Security Expertise Is Essential
The benefits of IoT are clear, but the costs of downtime, data loss, and brand damage after an attack reduce the value of IoT projects. Given this threat and the shortage of security talent, organizations often search for checklists to save themselves from making IoT security mistakes. A checklist alone does little to ensure correct implementation, and attackers will happily target weaknesses left by missed implementation details.
IoT security is not a set-it-and-forget-it task. Security expertise requires a mix of best practices, knowledge of exploits and the ability to test security capabilities against a full range of attack vectors. It also includes learning from new threats as they emerge and prioritizing updates. Security expertise is necessary to safely plan for IoT and to ensure solutions are securely implemented and kept up to date over time.
Finding Security Expertise Despite the Shortage
Security expertise is hard to find and comes at a premium. As you reach the limit of available talent, the key to success becomes differentiating between core activities that require specific organizational knowledge and functional practices that are common across all organizations. Your security pros are vital for core activities such as defining secure product experiences and strategies for reducing risk at the app level. Deliver on functional practices by partnering with vendors or procuring security solutions that multiply your team’s effectiveness and quickly ramp up IoT operations.
To ensure that your IoT deployment can meet the challenges of today’s threat landscape, outsource these functional practices to solutions that deliver these essential capabilities:
- Holistic security design. IoT device security is difficult. Doing it properly requires the expertise to stitch hardware, software and services into a gap-free security system. A pre-integrated, off-the-shelf solution is likely more cost-effective and more secure than a proprietary solution and allows you to leverage the expertise of functional security experts who work across organizations and have a bird's-eye view of security needs and threats.
- Threat mitigation. To maintain device security over time, ongoing security expertise is needed to identify threats and develop device updates to mitigate new threats as they emerge. This isn’t a part-time job. It requires a dedicated resource that is immersed in the threat landscape and that can rapidly implement mitigation strategies. Attackers are creative and determined; the effort to stop them needs to be appropriately matched.
- Update deployment. Without the right infrastructure and dedicated operational hygiene, organizations commonly postpone or deprioritize security updates. Look for providers that streamline or automate the delivery and deployment of updates. Because zero-day attacks require quick action, the ability to update a global fleet of devices in hours is a must.
The shortage of security talent shows no sign of waning. To protect your business and customers during the shortage, ensure your team remains focused on the core activities of creating secured apps and experiences. Matching their efforts with technology solutions or partners that utilize the expertise from top security minds is the most effective way to ensure your devices and equipment are secure and that they remain secured over time. This approach allows you to take full advantage of the opportunities of IoT while significantly reducing the ongoing risk that connectivity introduces.
Dr. Galen Hunt is the Distinguished Engineer and Managing Director of Azure Sphere at Microsoft, and he founded and leads the Microsoft team responsible for Azure Sphere. The mission of his team is to ensure that every IoT device on the planet is secure and trustworthy. Previously, Dr. Hunt led the Operating Systems Group at Microsoft Research and pioneered technologies ranging from confidential cloud computing to light-weight container virtualization, type-safe operating systems, and video streaming. Dr. Hunt was a member of Microsoft's founding cloud computing team and helped build Microsoft’s first cloud operating system. Dr. Hunt holds 98 U.S. patents, a B.S. degree in Physics from University of Utah, and Ph.D. and M.S. degrees in Computer Science from the University of Rochester.