The IoT, or “Internet of Things” (everyday objects and systems that have connections to a network to provide data-sharing and virtual control), is a fast-growing arena of technology growth. The potential uses of the IoT to build a “smart world” of connected devices is enormously convenient and brings a whole new level of mobile management to every aspect of consumer and business activities. We are now able to start our cars from our phone, lock our front doors from our PC, or turn on the crockpot in our kitchen from a tablet in the office. Who knows what we will be able to do in the very near future?
Unfortunately, the IoT brings with it not just convenient access for users of the “things” on the IoT, but also convenient access for those wanting to exploit those things. More access points mean more places for attackers to get in. More remote control means more ability to hijack that control. All that leaves big problems for the organizations that design, build, and sell, or buy, implement, and use these products. With HVAC systems, point of sale systems, communications systems, manufacturing lines – entire organizations, in fact – tied into the connected world, the IoT is opening increasing risk (security and operational) every day to businesses whose operations are more and more often tied into the network, whether they are making or using IoT devices.
Dealing with Risks on the IoT
The key to dealing with the changes in the security risk environment brought about by the ongoing evolution of the IoT is to focus, not on a detailed plan for any specific risks (which are ever-changing), but more on organizational resilience and risk-principle-based security management in general. The protection and continuation of business operations in the risk environment of the IoT goes beyond the scope of just information security. The risks associated with these networked devices transcend technology and reach deep into the realm of overall business resiliency and, as such, must involve stakeholders from across the business.
Organizational resilience enables enterprises to respond nimbly, pivot on a dime to change focus and alter activities, and keep fulfilling their mission no matter what is happening around them. It’s a philosophy that relies more on an attitude of preparedness – on understanding that a crisis is likely to occur no matter how many mitigation plans you put in place – than on hard-and-fast rules for responding to a crisis event. Organizational resilience is a team approach that allows the risk managers and business leaders to work together in a partnership to ensure that critical functions can continue no matter what. It’s an outlook that enables a quick response to events that can quickly escalate – exactly the type of events we can expect when dealing with a fast-changing environment like the IoT.
Enterprise Security Risk Management (ESRM) is a security paradigm that is gaining significant traction in the security world and is a perfect response to the kinds of changing risk environments associated with the IoT. It’s a risk-based security management philosophy that is based on building partnerships across the business to manage security risk and to ensure that business leaders are making educated risk decisions for their assets and critical functions. ESRM embraces risk identification and mitigation while at the same time recognizing that businesses need to sometimes take risks to succeed. It enables business owners and security practitioners to work together to find the best solution for protecting the company while not stifling its ability to get the job done.
Using the two complementary philosophies of enterprise security risk management and organizational resilience, the business organization is in a better place to both protect itself from harm and embrace positive change due to uncertainty in the business environment. Resilience works both ways in an enterprise, to flexibly adapt to good or bad risk outcomes – both are highly possible when dealing with the IoT universe.
These philosophies drive all parts of the business to recognize and proactively deal with security risk, not simply put the responsibility solely on the technology or security department. ESRM is a security management system that any organization can take and adapt to its needs to build out a flexible and business-based program that will help it along the path to true organizational resilience, no matter what risks it is exposed to in the present or the future. Now is the time for security leaders to embrace these philosophies and strengthen the resilience of their enterprises, because the future of the IoT is already here.
Rachelle Loyear, CISM, MBCP, AFBCI, PMP, Partner, Security Risk Governance Group
[ISACA Now Blog]