Written by 11:14 PM Blog, Tips

Six Ways to Ensure Cybersecurity in the IoT Era


To date, there is no single winning approach to cybersecurity in the IoT, but our six recommendations can help IT executives. Three of the recommendations address strategies for thinking about security in the IoT; the other three are actions IT executives and business owners can take to steer their organizations toward success.

Understand what IoT security means for your industry and business model

All industries require some minimum level of IoT security as part of basic “hygiene.” The WannaCry attack exposed organizations running outdated or unpatched Windows systems; the worm spread through a vulnerability for which a patch had already been released. Basic patch management is simply part of adequate IT management and should be routine; it is more sophisticated security that customers can reasonably be asked to pay extra for.

However, we believe there is an opportunity to view security as more than just “hygiene.” Over the past decade, many companies have seen IT evolve from a hygiene factor into a source of real differentiation that drives customer satisfaction and willingness to pay. A similar change awaits IoT security, and in certain industries we are already seeing it today. One example is the physical security industry: door lock companies can already charge a premium for products with particularly strong cybersecurity features, because cybersecurity can make or break a product’s core function.

Executives need to understand the role and relevance of IoT security in their industries and how to monetize solutions that fit their business model. A thorough understanding of what IoT security means for a company cannot end at the strategic level, however. Executives also need to know the basics of their exposure. Typically, reviewing the most likely attack scenarios for a particular company, and understanding who the attackers are and what motivates them, is a good basis for strategy and budget allocation. Security investments should focus on the risks most likely to materialize for that business or industry.

Set up clear roles and responsibilities for IoT security along your supply chain

IoT requires a holistic cybersecurity framework that extends across the entire IoT stack, from applications through the communication layer down to sensors and devices. Every layer needs to be protected, of course, but companies also need to prepare for threats that cross layers.

This will require a strategic dialogue with upstream and downstream business partners, whether suppliers or customers, to determine security responsibilities throughout the supply chain. The starting point for this discussion should be to identify the weak links in the holistic model; from an attacker’s perspective, those are the links that will be targeted in order to harm the entire chain. Each party then assumes a role, which should depend on who has the competence and the incentive, including the ability to monetize it. The industry players operating in each part of the IoT stack bring certain advantages that they can use to provide an integrated solution:

  • Device and semiconductor manufacturers operating at the lower levels of the stack can use their low-level (hardware) security design capabilities as a foundation for developing higher-level (software) security.
  • Network equipment manufacturers benefit from the fact that many of the key competencies in transport layer security also apply to the application layer. In addition, they can use their hardware development capabilities to offer an integrated solution.
  • Application developers can use their control over application interfaces and client access as leverage in defining the lower-level architecture.

Engage in strategic conversations with your regulator and collaborate with other industry players

A company’s cybersecurity creates externalities that go far beyond the impact on the company’s own operations, and these cannot be contained within the classic government-business divide. Most current cybersecurity standards are weak because they are neither industry-specific nor detailed enough, and they neglect most layers of the IoT stack, including manufacturing and product development. Regulators will eventually begin to address this gap, and companies need to get involved in the discussion or shape it themselves.

Industry leaders can shape these frameworks by bringing together key players to create IoT security standards for their industry. Partnerships with other players, including competitors, can also result in a mutually beneficial pooling of resources that goes beyond official industry standards. For example, in the banking sector, one company brought together several competitors to create “common assessments” for evaluating security technology vendors, resulting in large efficiency gains for both the banks and their vendors. Another example from this sector is FS-ISAC, an information-sharing community through which competing banks exchange information about security weaknesses, attacks, and successful countermeasures.

Make cybersecurity a priority for the entire product lifecycle and develop the skills to achieve it

Security should be part of the entire product lifecycle, from product development through manufacturing to the continuous daily use of the product in the field. The foundation of product security in the field is “security by design” during the product development phase. It is also important to ensure security during the manufacturing process, given Industry 4.0’s role in driving IoT proliferation on factory floors and in other manufacturing environments. Finally, products must be protected after they are sold. To that end, companies need a strategy for delivering security patches to products in the field, for example through automatic update capabilities; an update channel is itself an attack surface, so updates must be authenticated before they are installed.
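The following is an added example of the device-side check that an automatic update capability needs; it is not code from the original post or from any vendor named in it. It assumes a hypothetical design in which the vendor burns an Ed25519 public key into the device at manufacture, signs a small manifest (version number plus SHA-256 of the image) for each release, and the device refuses updates that are unsigned, tampered with, or older than what is already installed (anti-rollback). All images are constructed sample bytes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the metadata the vendor signs alongside the firmware image.
// Version is monotonic so an attacker cannot replay an older, vulnerable image.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte // SHA-256 of the firmware image
}

// Bytes serialises the manifest canonically; this is the exact byte string that is signed.
func (m Manifest) Bytes() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.ImageHash[:])
	return buf
}

// Update is what arrives over the untrusted update channel.
type Update struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

// Device models the state kept in protected storage: the vendor public key
// provisioned at manufacture and the version currently installed (hypothetical design).
type Device struct {
	VendorPub        ed25519.PublicKey
	InstalledVersion uint32
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("update version is not newer than installed version")
	ErrHashMismatch = errors.New("image hash does not match signed manifest")
)

// Apply verifies an update before installing it. Signature first (so nothing below
// trusts the manifest), then anti-rollback, then the hash of the possibly large image.
func (d *Device) Apply(u Update) error {
	if !ed25519.Verify(d.VendorPub, u.Manifest.Bytes(), u.Signature) {
		return ErrBadSignature
	}
	if u.Manifest.Version <= d.InstalledVersion {
		return ErrRollback
	}
	if sha256.Sum256(u.Image) != u.Manifest.ImageHash {
		return ErrHashMismatch
	}
	d.InstalledVersion = u.Manifest.Version // install would happen here
	return nil
}

// NewVendorKey generates the vendor signing keypair (done once, offline, in practice).
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildUpdate is the vendor side: hash the image and sign the manifest.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	return Update{Manifest: m, Signature: ed25519.Sign(priv, m.Bytes()), Image: image}
}

func main() {
	pub, priv := NewVendorKey()
	dev := &Device{VendorPub: pub, InstalledVersion: 3}

	fmt.Println("valid v4:   ", dev.Apply(BuildUpdate(priv, 4, []byte("firmware v4 (constructed)"))))

	// A validly signed but older image is refused: replay of known-vulnerable firmware.
	fmt.Println("replayed v2:", dev.Apply(BuildUpdate(priv, 2, []byte("firmware v2 (constructed)"))))

	// Genuine manifest, swapped image: the hash check catches it.
	tampered := BuildUpdate(priv, 5, []byte("firmware v5 (constructed)"))
	tampered.Image = []byte("malicious payload (constructed)")
	fmt.Println("tampered v5:", dev.Apply(tampered))

	// Signed with someone else's key: the signature check catches it.
	_, otherPriv := NewVendorKey()
	fmt.Println("forged v6:  ", dev.Apply(BuildUpdate(otherPriv, 6, []byte("firmware v6 (constructed)"))))
}
```

The order of checks matters: the version and hash fields are only trustworthy once the signature over them has been verified, and the rollback check must come before installation rather than after, or a replayed old image reintroduces the vulnerability the patch removed.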

Ensuring cybersecurity throughout the product lifecycle requires organizational and technological change. The organizational component involves clear responsibility for cybersecurity in both the product and the manufacturing environment. Several companies have acted by giving the chief information security officer (CISO) responsibility for cybersecurity in both information technology (IT) and operational technology (OT). Regardless of the structural setup, alignment of goals is critical, because there must be strong collaboration between the CISO’s organization and other departments, whether product development, production, or even customer service. In addition, new roles must be created that systematically integrate security into all relevant products and processes. For example, a European telecommunications company and a media company use large-scale training programs to create a community of “security advocates” throughout the organization. These security advocates gain additional decision-making power within their teams as a result of achieving this status, and the CISOs have used the programs to quadruple the reach of the security function.

Be rigorous in transforming mindsets and skills

Executives around the world are increasingly adopting a mindset in which security is never finished and constantly evolves, and in which people are rewarded, not punished, for identifying weaknesses.

In addition, managers must see to it that security-related knowledge and skills become a standard requirement for employees in information technology, product development, and manufacturing. On the one hand, additional training programs for current employees can help; on the other hand, a specific IoT security skill set must be defined. To develop these crossover skills at scale, companies should consider working with other players in the industry, for example to create university programs and professional learning curricula.

Set up a point of contact for external security researchers and develop a post-breach response plan

Companies should provide a single, visible point of contact for reports or complaints related to IT security. Over the past two years, and especially in the IoT context, there have been numerous examples of security researchers trying repeatedly to notify a company after discovering a vulnerability, where the company either never followed up at all or the researcher was passed from one department to the next with no one taking responsibility.
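One concrete way to publish such a point of contact is a security.txt file served at /.well-known/security.txt over HTTPS, as standardized in RFC 9116. The file below is an added example, not part of the original post; the domain, addresses, and expiry date are hypothetical placeholders.

```text
# https://example.com/.well-known/security.txt  (RFC 9116; hypothetical values)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-06-30T23:59:00.000Z
Encryption: https://example.com/security/pgp-key.txt
Preferred-Languages: en, de
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security/disclosure-policy
Acknowledgments: https://example.com/security/hall-of-fame
```

Contact and Expires are the mandatory fields; the Expires date is what stops a stale file from sending researchers to a mailbox nobody reads, so it should be renewed as part of routine operations, and the mailbox behind Contact should be owned by a team with authority to act, not just to forward.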

In addition, companies need a response plan for different attack scenarios. The consequences of an unprofessional response to an incident are often more damaging than the incident itself. In the IoT world, incidents can disrupt company operations, so cybersecurity must be part of business continuity management and disaster recovery planning. Perhaps most importantly, organizations must develop a strong communications strategy tailored to specific scenarios and provide ongoing, transparent, and relevant messages to users, regulators, investors, and perhaps the general public.

Cybersecurity is still much talked about, but it is not yet being used as a differentiating factor on the business side. With the advent of the Internet of Things, there is an opportunity to move forward and make the security of products, manufacturing processes, and platforms a strategic priority. The breadth of this challenge spans the entire supply chain and product lifecycle and includes both regulatory and communication strategies. For IT leaders, we believe cybersecurity should stay on the agenda until rigorous processes are in place, resilience is established, and priorities have been transformed.
