IoT Blog | August, 2017
Head of Business Development, Vodafone IoT
IoT: understanding and managing the risks
Security is top of mind for Internet of Things (IoT) vendors. Phil Skipper, Head of Business Development at Vodafone IoT, argues that the industry should be starting a different conversation with customers.
What do you need to know to protect your business?
At Mobile World Congress a few months ago, every vendor I walked past seemed to be talking about how they solve the security problem. Don’t get me wrong: talking about security is much better than ignoring it, and I’m glad that vendors are taking it seriously.
IoT businesses are rarely experts in security. What they want is confidence that what they buy is secure. They need confidence: confidence to move forward with their strategies, to pursue opportunities, to balance risk against reward, to make decisions every day.
It seems to me that when anyone starts talking about “security”, you’re automatically into a technological discussion. Security is about firewalls and encryption, authentication and access controls, intrusion detection and logging, attack and defence.
When you’re looking to protect your business — and that’s ultimately what you care about — discussions about security technology are only a small part of the picture. If you’re going to make your decisions with confidence, you first need to know what you’re trying to protect, what it’s worth to your business, what risks it faces, and what the consequences are (of both action and inaction).
In other words, you have to be confident that you know the problem before you can find a solution that’s the right fit for your needs. Otherwise you’re not making decisions — you’re making guesses.
Learning to live in an imperfect world
When vendors talk about how their latest gateway, device or cloud platform is secure, enterprises can often get the wrong impression. Make sure you’re seeing things from your perspective, not theirs.
You need to know that there’s no such thing as perfect security, and that security is always a balancing act against other factors, like usability, performance and price. You could store your wallet in a bank vault to prevent pick-pocketing, but not only would it be expensive to install, it would make your life difficult when it came to paying for groceries.
Confidence means making the best possible choice to protect your business and balancing these limitations against a full understanding of your requirements.
You might decide that the most secure option is simply not to gather or retain a certain kind of data in the first place.
Looking beyond prevention
When vendors talk about how effective their security is, it can come across as complacent. Complacency is dangerous.
If you can’t rely on perfect security to prevent problems from happening in the first place, you need to be confident that your security teams and your provider aren’t just relying on preventative measures. They need to look at ways of minimising the impact that a security incident can cause, how to detect a breach quickly, close it, and perform forensic analysis to work out the origin and adapt processes to stop the same attack succeeding again. In other words, security isn’t something you have, it’s something you do.
And that means you really need to have confidence — trust — in your suppliers. You need to know that they are transparent about what they do to secure your IoT, and about the threat level they’re facing at any given moment. Only then can you feel confident to tell your customers that you’re worthy of their trust, too.
Security isn’t optional
Ultimately, organisations need confidence that their systems and data are protected — and that in the event something catastrophic does happen, their day-to-day business will continue uninterrupted. That level of confidence is only possible if security is a key deliverable from day one.
You shouldn’t be thinking of security as an add on. When people think of it that way, they start to see it as a cost — and costs can be cut. But security isn’t something you can decide to leave out. You don’t buy security — it should be there no matter what. Approach security with that mindset, and you’ll have the confidence to grow.