Internet of Things, and the CISO…

With IoT Proliferation, Does Corporate Security and the CISO Need to Adapt?

By Ed Higgins

The answer to the question (above) in one word is: Yes.

With the clever innovations introduced by IoT, comes the need for copious amounts of creative thinking surrounding information security strategy in order to effectively embrace IoT while simultaneously ensuring information confidentiality, integrity, and availability.

The Internet of Things is not going away.  It’s much too ubiquitous and presents a great opportunity for innovation and benefits for us all (for home, for work, and for industry).  I believe most Chief Information Security Officers (CISOs) clearly understand this and want to support IoT.  But doing so will require clearly defined rules, appropriate controls and countermeasures, and a certain amount of legitimate paranoia.

I believe CISOs are (or should be) working actively with stakeholders within their respective organizations to fully understand the business’s long-term strategy surrounding IoT, in order to adapt their policies, practices, and guidelines to embrace the benefits of IoT advancement while continuing to protect sensitive data, ensure secure operations of the business, comply with regulations, and meet the security standards and business vision already established in their companies.

In many cases, existing security policies and guidelines, at least those which are fairly modern to begin with, can be leveraged and adapted to address IoT, much the same as when the topic of “visitor wireless area networks” was among our list of challenges. But topics involving classification, data integrity, detection controls, risk profiling, impact breadth, and incident response mechanisms all have to be reworked to address the deeper and widening threat landscape. This includes addressing the broader security implications now introduced by the IoT product manufacturer. Some security pros argue, and I tend to agree with them, that the number and placement of security intrusion detection and data leakage prevention systems could double or triple in complexity and volume-handling requirements due to the impact of IoT.

Additionally, many IoT devices are created by new startup product businesses, or even by crowd-funded operations whose primary objective is to produce very cool stuff fast. It is crucial, I believe, that we evaluate and scrutinize the security postures and data practices of the IoT product companies, since they essentially become a potentially risky extension of our corporate security landscape.

I hope you enjoyed this article.

Stay tuned, and stay safe.

Ed
