If you have any doubt at all about the impact of the IoT, consider these facts: 75 percent of the world’s population has access to a mobile device. When you compare the number of connected devices in 2009 (0.9 billion) to the number today, it represents a 30-fold increase. It is estimated that over 26 billion devices will be connected to the internet by 2020.
Along with the massive growth of IoT is the growth of corresponding security issues. As connected devices increase, so does the amount of data generated and transferred by these devices. As more data is transferred, the number of pathways and parameters for the cyber criminal to exploit also increases. It all adds up to the need for more protection than ever before.
Vital role of the CISO
As the world of IT security transforms to meet this exponential growth, the role of the CISO becomes vital in terms of defining the IT security strategy.
Before IoT, the IT and Operational Technology (OT) layers were controlled and secured differently: IT security focused on the confidentiality of data and on network infiltration, while OT security emphasized physical security, safety and business continuity. Now that more devices are connected to the internet, the OT layer has become increasingly IP enabled, making it more vulnerable. Traditional security models must adapt, and the CISO must create a unified IT security strategy.
Attention to the following key drivers will assist the smart CISO with devising a strategy that truly works in securing the IoT:
1. Layer visibility. The OT layer, the IT layer and any other layers of the network should have visibility and be encompassed by an overall, unified security plan of action. No layer or device should be exempt.
2. Threat visibility. New devices mean new loopholes and threat vectors. A sound strategy should take into account not only existing vulnerabilities but also potential ones, from the moment a device is connected to the network. Real-time threat assessment that works around the clock is key to preventing new attacks.
3. Platform visibility. The creation of a monitoring apparatus that is agnostic is vital in today’s software platform environment of continuous updates, open source and self-imposed redundancy.
4. Network encryption. Point-to-point and point-to-multipoint encryption should be based on network segments, network protocols and network flows. In other words, internal networks in their entirety must be encrypted to ensure security long term.
5. Automated remediation. The end goal of IoT security should be an approach that requires no human intervention. Automated, immediate security control utilizing machine-to-machine intelligence is key to a unified security strategy that is not only successful but also cost-effective.
IoT growth poses challenges for the forward-thinking CISO as scale increases, scope broadens and the need for cohesive cooperation grows. Those who consider the above drivers can develop a security strategy that addresses these challenges and paves the way for the organization to take advantage of the opportunities the IoT also brings.