IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Power of Internet of Things to change CISO security scope
Wed, 24th Sep 2014

By year-end 2017, over 20 percent of enterprises will have digital security services devoted to protecting business initiatives using devices and services in the Internet of Things.

According to Gartner, business cases using Internet of Things (IoT) devices already exist and their role in business and industry will force enterprises to secure them.

“The power of an Internet of Things device to change the state of environments and of itself will cause chief information security officers (CISOs) to redefine the scope of their security efforts beyond present responsibilities,” says Earl Perkins, research vice president, Gartner.

“IoT security needs will be driven by specific business use cases that are resistant to categorisation, compelling CISOs to prioritize initial implementations of IoT scenarios by tactical risk.

"The requirements for securing the IoT will be complex, forcing CISOs to use a blend of approaches from mobile and cloud architectures, combined with industrial control, automation and physical security.”

Gartner predicts that the installed base of "things," excluding PCs, tablets and smartphones, will grow to 26 billion units in 2020, which is almost a 30-fold increase from 0.9 billion units in 2009.

The component cost of IoT-enabling consumer devices will approach $1, and "ghost" devices with unused connectivity will be common.

There will be a $309 billion incremental revenue opportunity in 2020 for IoT suppliers from delivering products and services.

The total economic value-add from IoT across industries will reach $1.9 trillion worldwide in 2020, by which time more than 80 percent of the IoT supplier revenue will be derived from services.

The industries likely to see the greatest value added from the IoT will initially be manufacturing, healthcare providers, insurance, and banking and securities.

However, this growth will not be confined there but will expand across all industry sectors.

“In an IoT world, information is the ‘fuel’ that is used to change the physical state of environments through devices that are not general-purpose computers but, instead, devices and services that are designed for specific purposes,” Perkins says.

“The IoT is a conspicuous inflection point for IT security — and the CISO will be on the front lines of its emerging and complex governance and management.”

Perkins says that the Nexus of Forces identified in Gartner research — cloud, social, mobile and information — is driving early-state opportunities in the IoT.

The IoT already has a myriad of commercial and consumer technology use cases that range from connected homes and connected automobiles to wearable devices, from intelligent medical equipment to sensor systems for smart cities and facilities management.

Intelligent, purpose-built devices that are networked to provide information and state changes for themselves or surrounding environments are increasingly used in operational technology (OT) systems, such as those found in industrial control and automation (sometimes referred to as the "industrial IoT").

However, securing the IoT represents new CISO challenges in terms of the type, scale and complexity of the technologies and services that are required.

“At this time, there is no ‘guide to securing IoT’ available that provides CISOs with a framework for incorporating IoT principles across all industries and use cases,” Perkins adds.

"What constitutes an IoT device is still up for interpretation, so securing the IoT is a ‘moving target.’

"However, it is possible for CISOs to establish an interim planning strategy, one that takes advantage of the ‘bottom up’ approach available today for securing the IoT.

“Gartner advises security leaders against overthinking IoT security by attempting to draft a grand strategy that encompasses all IoT security needs to this point in time.

"Instead, they should lower the residual risk of the IoT by assessing whether the particular business use case provides better control and performance.

"Lessons from these initial use cases will serve as building blocks for a broader strategy for addressing the security of the IoT.”