When everything’s connected, everything’s at risk
In this Help Net Security interview, Ken Deitz, CISO at Brown & Brown, discusses how the definition of cyber risk has expanded beyond IT to include IoT, OT, and broader supply chain ecosystems. As organizations connect these assets through cloud and networked systems, the attack surface and dependencies have multiplied.
Deitz also shares strategies for managing risk through visibility, segmentation, and resilient recovery planning.
From your perspective, how have the boundaries of “cyber risk” expanded in recent years to include IoT, OT, and the broader supply chain?
Cyber risk used to be shorthand for “IT risk.” That boundary is gone. The typical default is external/cloud connectivity for cameras, badge readers, HVAC systems, fleet sensors and factory controllers. The demands of business have also collapsed the walls between IT, OT and IoT, allowing telemetry to feed analytics, automation and business decisions.
The most significant change we have seen from a risk perspective is that dependencies have become concentrated. A single identity provider, software updater, remote management tool, or logistics partner can now be a single point of failure for multiple systems. The unit of risk is no longer an endpoint. It is the control plane (cloud consoles, APIs, etc.) that manages thousands of endpoints and critical processes.
Given their resource constraints and long lifecycles, what practical approaches can organizations take to secure IoT devices after deployment?
Always start by knowing what to defend and then applying least privilege principles. Adopt an “assume breach” mindset. Build and maintain a living inventory from passive discovery and existing logs (DHCP, DNS, NetFlow). Treat unknown devices as unsafe until proven otherwise. Segment by function and criticality: place cameras with recorders, payment devices with gateways, and default-deny inter-boundary traffic. Where devices can’t handle cryptography or authentication, broker through gateways that terminate TLS and can enforce policy while providing observability.
Patch when you can; shield when you can’t, with virtual patching (IPS/WAF). Establish strict egress allow-lists and DNS filtering. Eliminate default credentials and transition to per-device secrets or certificates. Establish simple behavior baselines (ports, destinations, update cadence) to detect drift without heavyweight agents. Use your procurement function as a control: require SBOMs, update commitments and remote access models you can audit, or don’t buy them.
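The passive inventory, egress allow-list and behavior-baseline approach described in the answer above, as an added worked example that is not part of the interview and not Brown & Brown’s tooling: a small Python script that builds a device inventory from DHCP lease lines, learns each device’s (destination, port) baseline from a training window of NetFlow-style records, and then flags unknown devices, new peers and egress to hosts outside the allow-list in a later window. All lease lines, flow records, IP addresses, hostnames and the allow-list are constructed sample data; the record formats are simplified stand-ins for whatever your DHCP server and flow collector actually export.

```python
"""
Passive IoT inventory and behavior-drift detection (illustrative example).

Inputs are constructed sample data in simplified formats:
  DHCP lease line:  lease <ip> mac <mac> hostname <name>
  Flow record:      <src_ip> <dst_ip> <dst_port> <bytes>
Real DHCP/NetFlow exports differ; adapt the two parsers accordingly.
"""
from dataclasses import dataclass

# Constructed DHCP leases: three known devices on the camera/badge segments.
DHCP_LEASES = """\
lease 10.20.1.11 mac 00:11:22:33:44:01 hostname cam-lobby-01
lease 10.20.1.12 mac 00:11:22:33:44:02 hostname cam-dock-02
lease 10.20.2.21 mac 00:11:22:33:44:10 hostname badge-reader-east
"""

# Constructed training window: cameras stream RTSP to the recorder,
# the badge reader talks to its gateway and the internal resolver.
BASELINE_FLOWS = """\
10.20.1.11 10.20.1.100 554 12000
10.20.1.11 10.20.1.100 554 11800
10.20.1.12 10.20.1.100 554 9000
10.20.2.21 10.20.2.200 443 2000
10.20.2.21 10.20.0.53 53 120
"""

# Constructed later window containing three kinds of drift.
LATER_FLOWS = """\
10.20.1.11 10.20.1.100 554 12100
10.20.1.11 203.0.113.9 443 5000
10.20.1.12 10.20.1.100 23 300
10.20.2.21 10.20.2.200 443 2100
10.20.9.77 10.20.1.100 554 8000
"""

# Hypothetical egress allow-list: recorder, badge gateway, resolver, vendor update host.
EGRESS_ALLOWLIST = {"10.20.1.100", "10.20.2.200", "10.20.0.53", "198.51.100.20"}


@dataclass(frozen=True)
class Finding:
    kind: str     # unknown_device | egress_denied | new_peer
    device: str   # source IP of the device that triggered the finding
    detail: str


def parse_dhcp(text):
    """Map IP -> (MAC, hostname) from the simplified lease format above."""
    inventory = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0] == "lease":
            inventory[parts[1]] = (parts[3], parts[5])
    return inventory


def parse_flows(text):
    """Return a list of (src_ip, dst_ip, dst_port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            src, dst, port, nbytes = parts
            flows.append((src, dst, int(port), int(nbytes)))
    return flows


def build_baseline(flows, inventory):
    """Per known device, the set of (destination, port) pairs seen in training."""
    baseline = {ip: set() for ip in inventory}
    for src, dst, port, _ in flows:
        if src in baseline:
            baseline[src].add((dst, port))
    return baseline


def detect_drift(flows, inventory, baseline, allowlist):
    """Flag, once per distinct event, the three drift conditions in priority order."""
    findings = []
    for src, dst, port, _ in flows:
        if src not in inventory:
            f = Finding("unknown_device", src, f"talks to {dst}:{port}; not in DHCP inventory")
        elif dst not in allowlist:
            f = Finding("egress_denied", src, f"{dst}:{port} is not on the egress allow-list")
        elif (dst, port) not in baseline[src]:
            f = Finding("new_peer", src, f"{dst}:{port} was never seen in the baseline window")
        else:
            continue  # known device, allowed destination, baselined peer: no drift
        if f not in findings:
            findings.append(f)
    return findings


if __name__ == "__main__":
    inv = parse_dhcp(DHCP_LEASES)
    base = build_baseline(parse_flows(BASELINE_FLOWS), inv)
    for finding in detect_drift(parse_flows(LATER_FLOWS), inv, base, EGRESS_ALLOWLIST):
        name = inv.get(finding.device, ("?", "UNKNOWN"))[1]
        print(f"{finding.kind:15} {finding.device:12} {name:20} {finding.detail}")
```

Running it prints one line each for the unknown host 10.20.9.77, the lobby camera reaching an Internet address outside the allow-list, and the dock camera opening a never-before-seen telnet session to the recorder. The check order matters: an unknown device is reported as such before its destinations are judged, and an egress violation is reported ahead of a mere new peer, so each event produces the single most actionable finding rather than a pile of overlapping alerts.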
OT environments are notoriously difficult to secure without disrupting operations. What strategies have proven most effective for reducing risk in these contexts?
Treat OT changes as business changes (because they are). Involve plant managers, safety managers, and maintenance leadership in risk decisions. Be sure to test all changes in a development environment that adequately models the production environment where possible. Schedule changes during planned downtime with rollbacks ready. Build visibility passively with read-only collectors and protocol-aware monitoring to create asset and traffic maps without requiring PLC access.
Tighten remote access by brokering all vendor sessions through MFA-enforced jump hosts with time-boxed approvals and session recording. Identify and retire ad hoc modems and unmanaged tunnels. Maintain golden images, validated backups and hot spares to enable swap and restore.
If you were advising a board or CISO, what would you say are the top three priorities for reducing risk across IoT, OT, and supply chains?
I would give very different advice to a board than I would to a CISO. For a board, my advice would be simple: find a CISO who understands your business operations and risk appetites and can communicate a vision for a high-performing cybersecurity function.
The top three priorities for reducing risk that I would advise for a CISO are:
1. Reduce blast radius. Identify crown jewel processes and actively test to ensure your segmentation, identity and least privilege hold up around those processes. Be sure to measure your desired outcomes, including the percentage of assets in inventory, the percentage segmented, the percentage of remote access under MFA and the time to isolate a zone.
2. Harden the control planes and the supply chain. Secure the consoles, APIs, update servers and third-party pathways that can change multiple things simultaneously. Contract for SBOMs, right to audit, and patch SLAs. Continuously monitor third-party attack surface and privileged access, and pre-plan “safe mode operations” for when a supplier is down or compromised.
3. Prepare to recover safely. Maintain and exercise cross-domain incident playbooks that include operations, vendors, cleanroom restore capabilities and business RTO/RPO targets for critical lines. Don’t report to leadership with your intent—report evidence from exercises and tabletops.
With the convergence of IT, OT, and IoT, where do you see the greatest risks emerging in the next 3-5 years?
No one can predict the future. However, if the past is an indicator of the future, adversaries will continue to increasingly bypass devices and hijack cloud consoles, API tokens and remote management platforms to impact businesses on an industrial scale.
Another area of risk is the firmware supply chain. Tiny devices often carry third-party code that we can’t easily patch. We’ll face more “patch by replacement” realities, where the only fix is swapping hardware.
Additionally, machine identities at the edge, such as certificates and tokens, will outnumber humans by orders of magnitude. The lifecycle and privileges of those identities are the new perimeter.
From a threat perspective, we will see an increasing number of ransomware attacks targeting physical disruption to increase leverage for the threat actors, as well as private 5G/smart facilities that, if misconfigured, propagate risk faster than any LAN ever has.
We should treat IoT, OT and the supply chain as first-class citizens of enterprise risk, not special exceptions. Inventory relentlessly, segment mercilessly, verify continuously and rehearse recovery with the people who keep the business running.