With IoT Proliferation, Does Corporate Security and the CISO Need to Adapt?
By Ed Higgins
The answer to the question above in one word is: Yes.
With the many clever innovations introduced by IoT, comes the need for copious amounts of creative thinking surrounding information security strategy in order to effectively embrace IoT while simultaneously ensuring information confidentiality, integrity, and availability.
The Internet of Things is not going away. It's much too ubiquitous and presents a great opportunity for innovation and benefits for us all (for home, for work, and for industry). I believe most Chief Information Security Officers (CISOs) clearly understand this and want to support IoT. But doing so will require clearly defined rules, appropriate controls and countermeasures, and a certain amount of legitimate paranoia.
I believe CISOs are (or should be) working actively with stakeholders within their respective organizations to fully understand the business's longterm strategy surrounding IoT, in order to adapt their policies, practices, and guidelines to embrace the benefits of IoT advancement while continuing to protect sensitive data, ensure secure operations of the business, comply with regulations, and meet the security standards and business vision already established in their companies.
In many cases, existing security policies and guidelines, at least those which are fairly modern to begin with, can be leveraged and adapted to address IoT, much the same as when the topic of "visitor wireless area networks" was among our list of challenges. But topics involving classification, data integrity, detection controls, risk profiling, impact breadth, and incident response mechanisms all have to be reworked to address the deeper and widening threat landscape. This includes addressing broader security implications now introduced by the IoT product manufacturer. Some security pros argue, and I tend to agree with them, that the number and placement security intrusion detection and data leakage prevention systems could double or triple in complexity and volume-handling requirements due to the impact of IoT.
In a previous article entitled, "IoT, When My Thermostat Becomes a Weapon", I wrote about the potential security concern for when insecure IoT devices enter the home network, where there also exists a VPN connection to the workplace. This could directly impact the business's security posture, since a compromised home LAN could become an attack surface through the business VPN. In talking with many CISOs during the RSA Conference 2017 (week of Feb 13 - 17), not many had even yet considered this potential risk. I believe CISO's should review their detective controls and security policy regarding VPN and home-office workers in order to ensure that adequate security controls such as strong authentication, complex passwords, inactivity logout, as well as VPN, anti-malware tools are functioning on the home-user's PC.
Additionally, many IoT devices are created by new startup product businesses, or even by crowd-funded operations whose primary objective is to produce very cool stuff fast. It is crucial, I believe, that we must evaluate and scrutinize the security postures and data management practices of the IoT product companies, since they essentially become a potentially risky extension of our corporate security landscape.
I hope you enjoyed this article.
Stay tuned, and stay safe,