How Boards Should Prepare for IoT Security
CISOs: "Reach for Your Life-Vests"
Published 03:08, 30 November 12
The latest Forrester Report on IoT security, called “Prepare Your Security Organisation for the Internet of Things: Why the Next Internet Revolution is Much More Alarming than the Last”, is significant on two counts.
Firstly, it asserts that we really are facing a revolution - and that Chief Information Security Officers need to prepare now for the “unprecedented data privacy and security challenge” to come.
Secondly, Andrew Rose, lead author of the report and a former corporate CISO himself, speaks to CISOs in their language and mindset.
The Report's message is stark (“reach for your life-vests”) and, as part of a wide-ranging analysis, it pinpoints the six things that CISOs need to do now to prepare for the IoT revolution. Warning that “the potential for innovation and business growth will be irresistible to most organisations”, the Report urges CISOs to be ready at a moment's notice to discuss with senior management the need to:
1. Create boundaries and segmentation with industrial control systems to reduce risk and create “air gaps” to stop Stuxnet-like viral attacks spreading.
2. Focus on the physical people safety implications of the system and understand how they may be adversely impacted through interactions with other IoT systems.
3. Define security accountability and implement security checks at the machine level in an autonomous M2M (machine-to-machine) process.
4. Be aware that inconsequential personal data can become very sensitive when collated and cross-referenced and ensure measures are put in to guard against this risk.
5. Anticipate future EU privacy control legislation adopting opt-out “right to be forgotten” clauses so prepare now to build opt-out functionality into systems.
6. Remember that the “I” in IoT “is for Internet”, so be sure to design out traditional Internet security vulnerabilities.
This Report is timely as conference organisers plan their agendas for 2013 - security was very much an afterthought in the many IoT-related conferences I went to this year.