So what's a CISO to do? Here's some good news: 74% of organizations have IoT security assessment controls in place already, and just over 60% of organizations have password protected their IoT devices.
But the scale of the IoT security challenge requires an additional two-tiered approach: automate and institutionalize. The former assures fast and routine controls across thousands of tiny IoT sensors. The latter curtails risks from the get-go and ensures CISOs can develop their tools as hacking gets more sophisticated.
Automation: fighting botnets with bots
Automated security takes several forms. Automated platforms can look for "Indicators of Compromise," check VPNs, and detect and shut down intrusions in progress. Using artificial intelligence, automated security platforms can spot abnormal activity: the rogue fish tank was uncovered because it was the casino's only device sending data to Finland. The number of companies using "Security Orchestration, Automation, and Response" tools is expected to jump to 15% in 2020, from 1% in 2017.
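The fish-tank detection described above comes down to a simple baseline comparison: learn where each device normally sends traffic, then flag a device that starts talking to a destination nobody in the fleet has used before. The following is an added example, not code from the article or from any product it mentions; the flow-log line format, the device names, and the country codes are all constructed for illustration. It checks two things for every flow in the current window: whether the destination country is new for that particular device, and whether that device is the only one in the entire fleet contacting a country the baseline has never seen.

```python
import re
from collections import defaultdict

# Constructed flow-log format (hypothetical); a real exporter would be
# NetFlow/IPFIX, a firewall log, or a cloud flow log with its own schema.
FLOW_RE = re.compile(
    r"device=(?P<device>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"country=(?P<country>[A-Z]{2})\s+bytes=(?P<bytes>\d+)"
)

# Constructed "normal week" sample: every IoT device talks only to its
# vendor cloud in the US.
BASELINE_LINES = [
    "2019-06-03T02:00:01Z device=thermostat-01 dst=vendor-cloud.example country=US bytes=1200",
    "2019-06-03T02:05:11Z device=camera-02 dst=vendor-cloud.example country=US bytes=85000",
    "2019-06-03T02:06:40Z device=aquarium-03 dst=vendor-cloud.example country=US bytes=300",
    "2019-06-04T02:00:02Z device=thermostat-01 dst=vendor-cloud.example country=US bytes=1180",
]

# Constructed "today" sample: the aquarium controller starts pushing a large
# volume to a destination no device has ever contacted.
CURRENT_LINES = [
    "2019-06-10T02:00:03Z device=thermostat-01 dst=vendor-cloud.example country=US bytes=1210",
    "2019-06-10T02:05:09Z device=camera-02 dst=vendor-cloud.example country=US bytes=84000",
    "2019-06-10T02:07:15Z device=aquarium-03 dst=vendor-cloud.example country=US bytes=310",
    "2019-06-10T03:12:44Z device=aquarium-03 dst=198.51.100.7 country=FI bytes=450000",
    "this line is not a flow record and must be ignored",
]


def parse_flow(line):
    """Return a dict for one flow line, or None if the line is not a flow record."""
    match = FLOW_RE.search(line)
    if match is None:
        return None
    record = match.groupdict()
    record["bytes"] = int(record["bytes"])
    return record


def parse_flows(lines):
    """Parse a list of log lines, silently skipping non-flow lines."""
    return [r for r in (parse_flow(line) for line in lines) if r is not None]


def build_baseline(records):
    """Map each device to the set of destination countries it normally uses."""
    baseline = defaultdict(set)
    for record in records:
        baseline[record["device"]].add(record["country"])
    return dict(baseline)


def detect_anomalies(baseline, records):
    """Flag flows that break the per-device baseline or isolate a device in the fleet.

    Returns one alert per (device, country) pair with the summed byte count
    and the list of reasons that fired.
    """
    fleet_known = set().union(*baseline.values())
    devices_per_country = defaultdict(set)
    for record in records:
        devices_per_country[record["country"]].add(record["device"])

    alerts = {}
    for record in records:
        device, country = record["device"], record["country"]
        reasons = []
        # Reason 1: this device has never talked to this country before.
        if country not in baseline.get(device, set()):
            reasons.append("new_destination_for_device")
        # Reason 2: the casino pattern. Nobody in the fleet has used this
        # country, and exactly one device is now contacting it.
        if country not in fleet_known and len(devices_per_country[country]) == 1:
            reasons.append("only_device_in_fleet_talking_to_country")
        if reasons:
            alert = alerts.setdefault(
                (device, country),
                {"device": device, "country": country, "bytes": 0, "reasons": reasons},
            )
            alert["bytes"] += record["bytes"]
    return sorted(alerts.values(), key=lambda a: (a["device"], a["country"]))


def run_example():
    """Build the baseline from the constructed history and scan the constructed current window."""
    baseline = build_baseline(parse_flows(BASELINE_LINES))
    return detect_anomalies(baseline, parse_flows(CURRENT_LINES))


if __name__ == "__main__":
    for alert in run_example():
        print(f"{alert['device']} -> {alert['country']} ({alert['bytes']} bytes): {', '.join(alert['reasons'])}")
```

The second reason is the one that matters at scale: a per-device baseline alone produces noise every time a vendor adds a CDN region, whereas a destination that is new to the whole fleet and reached by exactly one device is both rare and easy to triage. In production the byte count in the alert is what an analyst looks at first, since a single large unexplained transfer from a low-bandwidth sensor is the classic exfiltration signature.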
New security automation solutions will be able to "speak" to IoT devices, even very simple ones like CCTV cameras or biometric sensors. This is important, considering the incredible variety of IoT devices, and the fact that they often are deployed in large numbers. Automated software is being developed that could reach out and patch any device as soon as a vulnerability is discovered. One example, called Mayhem, won a Pentagon contest to create automated patching.
In the meantime, machine authentication verifies any device connecting to your network at a more sophisticated level than simply username and password, instead using a digital certificate that will stop your thermostat from talking to a hacker.
Getting security into the institution's DNA
But automation isn't enough. IoT should undergo the same due diligence that any IT infrastructure gets. A building supervisor installing a smart electronic key system, a product engineer choosing IoT components, or a casino manager adding a smart thermometer to a fish tank today are not likely to ponder over the security of their selections. Those decisions should be made under a CISO's institutionalized supervision. To ensure technological advances don't introduce security flaws, CISOs and their tools should be part of purchasing, designing, or implementing all technological transformations, including IoT.
This requires a paradigmatic shift in the CISOs' role; they shouldn't be siloed within an organization, but rather should be involved in all aspects of an institution, from employee training to vendor selection. The lack of standardization in innovative hardware and software like IoT means that security especially needs to be baked in from the moment a company even considers adding sensors or smart devices, before any purchase is made.
Integrating security from the beginning also keeps security from being seen as a hindrance to innovation. As more smart lights, smart cameras, smart printers, and smart aquariums are compromised, people will see that what's really smart is to make sure connected devices are secure from the start.
It's one thing to adopt innovative technology. It's another to deploy that technology smartly and safely.