There is no doubt that IoT technology has tremendous potential to improve outcomes for customers and also deliver significant business outcomes. As businesses increase their investment in IoT, security professionals are going through a nightmare implementing secure deployments.
While there are numerous benefits, the highly interconnected nature of IoT setups and deployments, coupled with their open nature and diverse hardware, is creating a new set of security problems to deal with. According to a report by Gartner, the spending in IoT security is expected to be over half a billion dollars. Additionally, the growth rate is expected to be higher after 2020 as organizations grow more comfortable with deployment and execution.
As the CIO, your most significant challenge is to strike a balance between the business benefits that IoT technology promises and the potential security challenges, which could be a nightmare for you and your business.
1. Basic benefits framework
As a CIO, the first and foremost thing you would want to get done is to create a basic benefits framework. The idea here is to identify the strategic levers that drive success for your organization and see how deploying IoT helps with them. Creating a basic framework is an essential step because it helps maintain a balance between pragmatism and vision. Identify clear use cases for IoT within your organization to create a benefits framework, irrespective of whether the benefits are internal or external. For example, an internal use case in a manufacturing unit could be to use IoT technology to improve safety for your employees in the workspace. An external benefit for a healthcare provider could be to improve the overall well-being of its customers.
Ensure that every IoT project has a clearly defined objective backed by a business goal. Setting an objective is essential before you create the architecture and implement an IoT solution. This is a critical step that will help you define functionality, capability and differentiation, and it also helps establish you as an early project champion.
2. Securing IoT deployments
Gartner recently mentioned in one of its reports that by 2020, more than 25% of identified attacks in enterprises will involve IoT. Every single device connected to the internet is a security threat. It’s always a good idea to evaluate whether that device is necessary. Also, just because a device can be connected to the internet doesn’t necessarily mean that it should be. The challenge with IoT is that it requires protection from information attacks as well as physical tampering.
One of the critical things to understand during a new IoT deployment is the diversity of devices and the environment in which they operate. There is no single standard for device-to-device authentication or communication, and that is what makes this process difficult. Make sure you create a list of existing infrastructure and devices and estimate how the new devices are going to communicate with the old ones.
It is also essential to understand and evaluate when and where to secure data. Irrespective of how you secure data, whether by encryption, monitoring or detection, data flow is what is going to be the differentiator here.
Three things are going to be a critical part of a secure deployment:
- Device identity – ensure strong device identity and root of trust
- Secure and scalable network – The number of IoT devices far exceeds what we see in a traditional IT deployment. Ensure your network security solution scales with the number of devices.
- Physical and data security – Irrespective of whether data is at rest or in transit, it has to be secured. IoT also needs additional physical protection, which hardware-based security implementations can provide.
3. Focus on devices
By now you would have realized that in IoT security, devices play a crucial role. There are a few steps you can take to ensure that security is maintained on the devices:
a. Identify – IoT requires strong identification and trust at its core. Some questions to ask here are, “How do you know the device is telling the truth?”, “How can you identify every single device that gets onto your network?” Hardware-based security is a crucial ingredient to be able to get answers to all these questions.
b. Encrypt – This is simple and straightforward. But it might not necessarily be as easy as it sounds. It may seem easy to encrypt 100 IoT devices, but if you have thousands or millions, then this can turn into a nightmare – not only from an execution perspective but also when it comes to cost. The encryption costs alone will run into millions. There are many devices on the market that came way before IoT even became a thing. It will be challenging to add physical hardware-based encryption to them. There are still no clear solutions in this department, and you will have to rely on advanced data encryption methods to keep yourself safe here.
c. Trust – When I say trust, I mean this more from a vendor and manufacturer perspective. Understand your vendor well and see if you can trust them. Their devices are going to power a lot of essential data for you. You need to be sure you can trust the integrity of these devices.
4. Skills development
Based on what you discovered during the Basic Benefits Framework exercise, you’ll need to create a dedicated IoT team to design and grow the IoT development within the organization. In terms of skill, this team needs to be able to handle designing, testing, deploying and growing the IoT products internally and externally. You will need someone to play the role of an IoT architect responsible for engaging and collaborating with stakeholders, designing IoT architecture, creating operational processes and ultimately coordinating with the organization’s existing architecture and technology.
5. Organization structure & risk management
Having taken care of all the above, the final step is to make sure your organization is prepared to handle this new change internally as well as externally. It is necessary to train all internal stakeholders and keep them a part of the process, thereby educating them on how to securely interact with the IoT products. For those who communicate with external entities, be it customers or partners, it is essential to educate them about security and how best to handle and report issues from external users. Everything that you’ve done might go for a toss if the organization is not prepared to understand the risks and be ready to manage them. This is precisely why you, as the CIO, need to be part of the primary benefits framework from the beginning.
To sum it up, IoT can do a lot today and potentially even more in the future. It is the future that is more intriguing as well as scary. If your organization is one of those ready to adopt IoT today, there’s a high probability it will continue to leverage its advantages in the near future. In that scenario, your role as the CIO will only get more important and critical, especially to ensure that everything runs smoothly and securely. Make sure you are prepared for this mammoth task.