CEOs and Boards of IoT Makers: Society is Depending on You

Matthew Doan
5 min read · Apr 16, 2018
https://bit.ly/2GFco2F

Ignorance. Or, at best, lip service. That’s how Internet of Things (IoT) cybersecurity is often handled by the CEOs and board members of the companies manufacturing the devices our society is increasingly built on. As IoT makers race to build and deploy more than 20 billion devices by 2020, the leaders of these companies are putting their shareholders and, more importantly, society at great risk. When they neglect to bake cybersecurity into their products and services from the start, highly connected nations such as the U.S. will face lasting damage that is hard to undo. Autonomous transportation, manufacturing operations, and healthcare are just a few of the realms where the effects could be disastrous.

The decisions made by executives of these companies will not only determine their near-term profitability, but they will also greatly affect our society’s long-term prosperity.

What we’ve seen over the last 18 months alone illustrates why we can’t afford to get IoT cybersecurity wrong. The Mirai malware, identified in late 2016, took control of hundreds of thousands of poorly secured IoT devices (cameras, DVRs and home routers that still accepted factory-default passwords) and marshalled them into a “botnet” army that launched record-sized denial-of-service attacks, including one against a major DNS provider that left many of the internet’s largest websites unreachable across North America and Europe. Another incident involved the so-called BrickerBot malware, which ran amok in 2017 by exploiting exposed IoT devices and “bricking” them (i.e., permanently rendering them useless). When we get this wrong, it’s easy to dismiss the result as a nuisance. But it’s much more than a nuisance now, and it will be even less of one in the near future.

Who’s who in this zoo?

The IoT universe is rather diverse and messy. Just at a high level, we’ve got these major players out there:

  • Suppliers — follow Maker specifications in providing components for “things”
  • Makers — design the “thing”, request components from Suppliers, build the “thing”, and deliver associated services
  • Integrators — install the “thing” in a given operator environment
  • Operators — run and maintain the “thing” to extract value
  • Regulators — set rules for the end-to-end “thing” lifecycle, and ensure regulation conformance

Now, you could easily, and rightfully, claim that IoT cybersecurity is the responsibility of all parties involved. But saying “everyone must do their part” is the easy way out. Instead, I argue that IoT Makers (those that design and build the “thing”) have the utmost accountability and authority to ensure that things go well. And while cyber leaders must do their part in influencing decisions, it’s ultimately the board members and CEOs of these companies that must ignite the change.

Makers are king in the ecosystem

With the IoT ecosystem being such an interdependent group of players, they all naturally have a stake in cybersecurity. But when you really boil things down, here’s why Makers must lead the community’s efforts:

  • They are the conceivers, designers, and final assemblers of products (both hardware and software) — the buck stops with this group
  • They are the bellybutton of this entire ecosystem; the ones that hand off connected products and services to end customers (both B2B and B2C)
  • The specifications that Makers demand, including security features, are what the upstream supply chain builds to, and what the downstream customer community installs and uses

And why won’t the other players in the ecosystem do anything significant about IoT cybersecurity on their own? Here are a few reasons:

  • Suppliers are not incentivized to act (other than meeting Maker specifications, which often isn’t a compelling driver); they’re skilled at following the leader
  • Integrators don’t have enough skin in the game to tackle this challenge; they can’t make money off of it, nor will their brand be tarnished if something goes wrong
  • Operators (i.e., IoT product users) aren’t going to invest in this, as they deem it the job of upstream parties to offer “secure” products
  • Regulators aren’t coming through anytime soon with potent regulation — and frankly, they shouldn’t, because regulation will stifle innovation in this rapidly expanding field

Maker CEOs and board members need to drive action

I’ve personally spent a great amount of blood, sweat, and tears helping cyber leaders push their agenda for investing in IoT (product/service) security. But this isn’t an easy case to make, even when you lean on the argument that security improves the marketability and value of what the business sells. Unless the customer gets another value-enhancing feature, or the “thing” can be made more cheaply, business leaders generally don’t want to hear it. It’s not a priority…yet.

But soon it will be a priority, because the billions of devices that Gartner reminds us of are proliferating around our world like a wildfire in a dry and windy forest…and the attacks will come. I’m generally an optimist, but believe this: there will be extremely negative impacts. Healthcare will be disrupted, transportation will slow, and the lights will go out.

In building cybersecurity into IoT products and services, the ultimate accountability for action rests on board members and CEOs of Maker companies. At the end of the day, they ask the tough questions, call the shots, and drive any real change within a company. It’s time that they embrace this accountability, instead of delegating it to lower levels of authority. And they’d better start embracing this now.

Here are some actions to consider:

  • Boards: Start by recruiting someone with experience in this space to sit as a permanent board member — someone to hold the company accountable for action. Also, build a consistent “check” for ensuring IoT cybersecurity into the risk/audit committees or processes at the highest order of the enterprise.
  • CEOs: Establish proper expectations and incentive models that guide new behaviors among your business leadership communities, particularly the R&D and manufacturing business units. Ensure you’re looking at product-focused cyber risk as part of your enterprise risk management (ERM) function. Your mission here is to change hearts and minds, from security as an afterthought, to security as a core value proposition to your end customer.

Conclusion

I’m not saying that if Makers do their job, then all is fixed. That would be naïve, as we live in a very networked world with a lot of available attack surface. No, what I am saying is that our society can truly experience the envisioned better way of life if Makers do their part. So let’s get moving.

Want to stay in touch? Please follow me on LinkedIn, Twitter, and Medium.
