Six ways CEOs can promote cybersecurity in the IoT age
by Kishan Cv
Billions of devices are being brought online as the Internet of Things develops, creating new vulnerabilities. Here's how leaders can regain control.
As digitization has risen on the executive agenda, cybersecurity skills and processes in most companies have also advanced, though at a slower pace. But rapid growth in the Internet of Things (IoT) is changing the game. Cybersecurity is more relevant and challenging than ever, and companies need to build capabilities in this area quickly.
IoT holds great potential to help companies improve their products and services or increase production efficiency by harnessing sensors and actuators that seamlessly connect physical objects to computing systems. No wonder, then, that many companies are bringing more and more devices, products, and production systems online. Conventional estimates (as of 2017) suggest we could reach 20 billion to 30 billion connected devices globally by 2020, up from 10 billion to 15 billion devices in 2015. As devices proliferate, however, the security risks increase sharply, and their character changes. In traditional IT security, the prime concerns were the confidentiality and integrity of information; availability was a secondary worry. In the IoT world, the dominant risks are loss of availability of a key plant or, worse, tampering with a product already in a customer's hands, because a compromised sensor or actuator has consequences in the physical world. How can CEOs and senior executives hedge against that threat?
The challenge of cybersecurity in the Internet of Things
With the IoT, security challenges move from a company's traditional IT infrastructure into its connected products in the field. And these challenges remain an issue through the entire product life cycle, long after products have been sold. What's more, industrial IoT, or Industry 4.0, means that security becomes a pervasive issue in production as well. Cyberthreats in the world of IoT can have consequences beyond compromised customer privacy. Critical equipment, such as pacemakers and entire manufacturing plants, is now vulnerable, meaning that customer health and a company's total production capability are at risk.
The sheer number of cybersecurity attack vectors increases dramatically as ever more "things" are connected. Earlier, a large corporate network might have had somewhere between 50,000 and 500,000 endpoints; with the IoT, we are talking about millions or tens of millions of endpoints. Unfortunately, many of these are legacy devices with inadequate security, or no security at all.
This added complexity makes the IoT a more difficult security environment for companies to manage. Those that succeed, though, could use strong cybersecurity to differentiate themselves in many industries.
To explore views on the relevance of IoT security and companies' preparedness for it, McKinsey conducted a multinational expert survey with 400 managers from Germany, Japan, the United Kingdom, and the United States. The results indicate a yawning gap between perceived priority and the level of preparedness:
Of the IoT-involved experts surveyed, 75 percent say that IoT security is either important or very important, and that its relevance will increase. But only 16 percent say their company is well prepared for the challenge (Exhibit 1). The survey also indicated that low preparedness is often linked to insufficient budget allocated to IoT cybersecurity.
Our interviews revealed that companies are ill prepared at every step of the IoT security action chain (predict, prevent, detect, react). Prediction capabilities are especially weak: 16 percent feel well prepared, compared with 24 to 28 percent for prevent, detect, and react.
More than one-third of companies lack a cybersecurity strategy that also covers the IoT. The rest have some sort of strategy, but many report struggling to implement it.
Why haven’t companies made progress on cybersecurity implementation, given the perceived risk? Our survey indicated a few factors:
Lack of prioritization. In general, there isn't an "act now" mentality among senior management. Few leaders have made the business case for a specific IoT security strategy that would, in turn, make the effort a priority and trigger the allocation of sufficient resources.
Unclear responsibility. There needs to be a holistic cybersecurity concept for the entire IoT stack, but often no single player feels responsible for creating it. First, there is the question of whether initial responsibility lies with product makers or with suppliers. And within organizations, it has proved difficult to determine which unit (IT security, production, product development, or customer service) should take the lead. Product or plant managers often do not have cybersecurity expertise, while corporate IT does not have sufficient access to product teams or to the industrial control systems "behind the fence."
Lack of standards and technical skills. There are some industry working groups, but at the time of writing (2017) IoT security standards are still largely nonexistent. Even if there were standards in place, the technical competence to implement them, a mix of operational technology (OT) and IT security knowledge, is in short supply.
With the advent of the IoT, cybersecurity affects the entire business model. Adequately addressing the threat means bringing together several business perspectives, including the market, the customer, production, and IT. And the CEO is often the only leader with the authority to make cybersecurity a priority across all these areas.
Six recommendations for CEOs
Although there is no single winning approach for tackling cybersecurity in the IoT, six recommendations can guide senior executives. Three concern strategic lenses for thinking about IoT security, and the other three are actions to help CEOs and other leaders set their organizations up for success.
1. Understand what IoT security will mean for your industry and business model
Across all industries, a certain minimum level of IoT security will be required as a matter of "hygiene." The WannaCry ransomware outbreak of May 2017 largely compromised organizations running legacy or unpatched Windows systems: it spread through an SMBv1 vulnerability for which Microsoft had published a fix (MS17-010) for supported Windows versions two months earlier. Simple patch management, a matter of adequate IT management rather than sophisticated cyberdefense, should be routine, not something customers pay a price premium for.
However, we think there is potential for treating security as more than just hygiene. In the past decade, many companies saw IT evolve from a cost center to a source of real differentiation, driving customer satisfaction and willingness to pay. A similar change could lie ahead for IoT security, and in an increasing number of industries we are already witnessing it today. One example is the physical security industry. Door-lock companies can already demand a price premium for products with especially strong cybersecurity features, because cybersecurity can make or break the main function of the product.
Effective IoT security solutions consider an organization's business model, where it lies in the value chain, and the industry structures in which it operates (see sidebar, "More trust, less downtime: Examples of the role and relevance of IoT security by industry").
CEOs must understand the role and relevance of IoT security in their industries and how to monetize solutions in alignment with their business model. A thorough understanding of what IoT security means for a company cannot end at the strategic level, though. CEOs need to be aware of the main points of vulnerability. Typically, an overview of the top attack scenarios for a specific company and an understanding of attackers and their motivations (in other words, a threat model) will be a good base for further strategy development and budget allocation. Security investments must be targeted according to the risks most detrimental to the specific business or industry.
2. Set up clear roles and responsibilities for IoT security along your supply chain
IoT requires a holistic cybersecurity concept that extends across the entire IoT stack: the sensor and device layer, the communication layer, and the application layer. Each layer needs to be secured, but companies also need to prepare for cross-layer threats, where a weakness in one layer is used to reach another (Exhibit 2).
This will require a strategic dialogue with upstream and downstream business partners, whether suppliers or customers, to sort out responsibilities for security along the entire supply chain. A starting point for this discussion should be identifying the weakest links in the holistic model; from an attacker's point of view, these will be targeted first to harm the entire chain. Who then takes on which role should depend on who has the competence and who has the incentives, which might include a monetization model. Industry players active in each part of the IoT stack bring certain advantages they can build on to provide an integrated solution:
Device and semiconductor manufacturers active at the lower level of the stack can build on their capabilities in designing low-level (hardware) security as an advantage for designing higher-level (software) security.
Network equipment manufacturers profit from the fact that many key competencies in transport-layer security design are applicable to the application layer. Beyond that, they can build on their hardware design capabilities to offer an integrated solution.
Application designers can leverage their control of application interfaces or customer access as an advantage in defining low-level architectures.
3. Engage in strategic conversations with your regulator and collaborate with other industry players
A company's cybersecurity creates externalities that go far beyond the effects on the company's own performance and thus needs to be tackled across the classic government-business divide. Most current cybersecurity standards fall short because they are neither industry specific nor detailed enough, and they neglect most layers of the IoT stack, including production and product development. Regulators will eventually step in to address this gap, and companies need to get involved in the discussion, or set the tone.
Industry leaders can shape these structures by bringing together key players to establish IoT security standards for their industry. Partnerships with other players, including competitors, can also lead to a mutually beneficial pooling of resources beyond official industry standards. In the banking sector, for instance, one company got several competitors together to set up "shared assessments" to evaluate security technology vendors, resulting in large efficiency gains for both the banks and their suppliers. Another example from the sector is FS-ISAC (the Financial Services Information Sharing and Analysis Center), an information-sharing community through which competing banks exchange information on security weaknesses, attacks, and successful countermeasures.
4. Conceive of cybersecurity as a priority for the entire product life cycle, and develop relevant skills to achieve it
Security needs to be part of the entire product life cycle, from product design to the development process, and continuing each day of the product's use. Fundamental to the security of products in the field is "security by design" in the product-development stage. It is also crucial to ensure security during the production or manufacturing process, given the role of Industry 4.0 in driving the proliferation of IoT on shop floors and in other production settings. Last, a concept is required for securing products after they have been sold. To this end, companies need a strategy to deliver security patches to products in the field, for example via over-the-air (OTA) updates. The update channel must itself be secured: updates should be signed by the vendor and verified by the device before installation, and devices should refuse to roll back to older, vulnerable versions. Otherwise the patch mechanism becomes an attack path of its own.
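The following is an added example of the signed OTA update flow described above; it is not code from the original article or from any vendor. It assumes a hypothetical vendor key pair, a product name "sensor-gw", and a constructed firmware image (a short byte string standing in for a real binary). The vendor signs a small manifest that carries the product, a monotonically increasing version and the SHA-256 digest of the image; the device checks the signature first, then refuses anything that is not newer than what it already runs, and only then hashes the image and compares it with the signed digest.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is what the vendor signs. The image is bound to it through the
// SHA-256 digest, so one signature covers both manifest and image.
type Manifest struct {
	Product string `json:"product"`
	Version uint32 `json:"version"` // must increase with every release
	Size    int    `json:"size"`
	SHA256  string `json:"sha256"`
}

// Update is what reaches the device over the air.
type Update struct {
	ManifestJSON []byte
	Signature    []byte
	Image        []byte
}

// Device holds the state a device persists across updates: the vendor's
// public key (provisioned at manufacture) and the installed version.
type Device struct {
	Product        string
	VendorPubKey   ed25519.PublicKey
	CurrentVersion uint32
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrWrongProduct = errors.New("manifest is for a different product")
	ErrRollback     = errors.New("version is not newer than the installed one")
	ErrImageDigest  = errors.New("image does not match the signed manifest")
)

// BuildUpdate is the vendor side: hash the image and sign the manifest.
func BuildUpdate(priv ed25519.PrivateKey, product string, version uint32, image []byte) (Update, error) {
	sum := sha256.Sum256(image)
	m := Manifest{Product: product, Version: version, Size: len(image), SHA256: hex.EncodeToString(sum[:])}
	mj, err := json.Marshal(m)
	if err != nil {
		return Update{}, err
	}
	return Update{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Image: image}, nil
}

// Verify is the device side. Order matters: no manifest field is trusted
// before the signature checks out, then the anti-rollback rule is applied,
// and only then is the (large) image hashed and compared.
func (d *Device) Verify(u Update) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(d.VendorPubKey, u.ManifestJSON, u.Signature) {
		return m, ErrBadSignature
	}
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return m, err
	}
	if m.Product != d.Product {
		return m, ErrWrongProduct
	}
	if m.Version <= d.CurrentVersion {
		return m, ErrRollback
	}
	sum := sha256.Sum256(u.Image)
	if len(u.Image) != m.Size || hex.EncodeToString(sum[:]) != m.SHA256 {
		return m, ErrImageDigest
	}
	return m, nil
}

// Install applies a verified update and advances the version counter,
// which is what makes the rollback check bite on the next update.
func (d *Device) Install(u Update) error {
	m, err := d.Verify(u)
	if err != nil {
		return err
	}
	d.CurrentVersion = m.Version // a real device writes the image to a slot and reboots here
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // hypothetical vendor key pair
	dev := &Device{Product: "sensor-gw", VendorPubKey: pub, CurrentVersion: 1}
	v2, _ := BuildUpdate(priv, "sensor-gw", 2, []byte("constructed firmware image v2"))
	fmt.Println("install v2:", dev.Install(v2))   // <nil>
	fmt.Println("reinstall v2:", dev.Install(v2)) // rollback rejected
	v3, _ := BuildUpdate(priv, "sensor-gw", 3, []byte("constructed firmware image v3"))
	v3.Image[0] ^= 0xff // tampered in transit
	fmt.Println("tampered v3:", dev.Install(v3)) // digest mismatch
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged, _ := BuildUpdate(otherPriv, "sensor-gw", 4, []byte("attacker image"))
	fmt.Println("forged v4:", dev.Install(forged)) // bad signature
}
```

The private key never leaves the vendor; the device only needs the public key, so compromising a device does not let an attacker sign updates for the fleet. The version counter stored on the device is the only state the rollback check depends on, which is why it should live in tamper-resistant storage on real hardware.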
Achieving cybersecurity throughout the product life cycle requires organizational and technological changes. The organizational component involves clear responsibility for cybersecurity in the product and production environment. A few companies have acted by giving the chief information security officer (CISO) responsibility for cybersecurity in both information technology (IT) and operational technology (OT). Whatever the structural setup, aligning on goals is crucial, since there must be strong collaboration between the CISO function and other departments, be it product development, production, or even customer service. Additionally, new roles should be created that systematically integrate security into all relevant products and processes. A European telco and media company, for example, is leveraging large-scale training programs to create a community of "security champions" throughout the organization. These security champions get additional decision-making authority within their teams as a result of achieving "cybersecurity capable" status. The company's CISO organization has used these trainings to grow its reach by a factor of four.
5. Be rigorous in transforming mind-sets and skills
Institutionalizing the notion that security is everyone's business starts at the top. Executives should role-model security behavior and cultivate a culture where security is constantly evolving and where people are rewarded, not punished, for identifying weak spots.
Additionally, CEOs need to ensure that security-specific knowledge and qualifications become a standard requirement for employees in IT, product development, and production. On the one hand, additional training programs for current employees may help; on the other, specific IoT security talent needs to be developed. Cybersecurity specialists must understand product development and production as well as IT security. To develop these crossover skills at scale, companies should consider working with other players in the industry, for example to create university programs and vocational training curricula.
6. Create a point-of-contact system for external security researchers and implement a postbreach response plan
Companies need to implement a single, visible point of contact for IoT-security-related notifications or complaints. In the past two years, and especially in the IoT context, there have been numerous examples of security researchers trying several times to notify a company of a vulnerability they had discovered, with the company either not following up at all or handing the researcher from one department to the next without anyone taking responsibility for the matter. The contact should be published where researchers will look for it: on the product and company website and in a /.well-known/security.txt file (RFC 9116), which is the standard machine-readable location for it.
In addition, companies need a response plan in place for different attack scenarios. The fallout from an unprofessional response to an incident is often more damaging than the incident itself. In an IoT world, incidents can affect the heart of a company's operations, so cybersecurity needs to be part of business continuity management and disaster-recovery planning. Maybe most important, organizations must design a strong communication strategy that is scenario specific and delivers current, transparent, and appropriate messaging to customers, regulators, investors, and potentially the general public.
Cybersecurity remains much talked about, but it is not yet used as a differentiating factor on the business side. With the advent of the Internet of Things, there is an opportunity to move ahead and designate the security of products, production processes, and platforms as a strategic priority. The breadth of the challenge spans the entire supply chain and the whole product life cycle and includes both the regulatory and the communication strategy. For CEOs in IoT organizations, we believe cybersecurity should be at the top of the agenda until rigorous processes are in place, resilience is established, and mind-sets are transformed.
Source: http://www.mckinsey.com/global-themes/internet-of-things/our-insights/six-ways-ceos-can-promote-cybersecurity-in-the-iot-age
Created on Sep 7th 2017 02:47.