Six ways CEOs can promote cybersecurity in the IoT age
Billions of devices are being brought online as the Internet of Things develops, creating new vulnerabilities. Here’s how leaders can regain control.
As digitization has risen on the executive agenda, cybersecurity skills and processes in most companies have also advanced, though at a slower pace. But rapid growth in the Internet of Things (IoT) is changing the game. Cybersecurity is more relevant and challenging than ever, and companies need to build capabilities in this area—quickly.
IoT holds great potential to help companies improve their products and services or increase production efficiency by harnessing sensors and actuators that seamlessly connect objects to computing systems. No wonder, then, that many companies are bringing more and more devices, products, or production systems online. Conventional estimates suggest we could reach 20 billion to 30 billion connected devices globally by 2020, up from 10 billion to 15 billion devices in 2015. However, as devices proliferate, the security risks will increase sharply. Historically, risking the confidentiality and integrity of information was the prime concern compared with any risk regarding availability. In the IoT world, lack of availability of key plants or—even worse—tampering with a customer product becomes the dominating risk. How can CEOs and senior executives hedge against that threat?
The challenge of cybersecurity in the Internet of Things
With the IoT, security challenges move from a company’s traditional IT infrastructure into its connected products in the field. And these challenges remain an issue through the entire product life cycle, long after products have been sold. What’s more, industrial IoT, or Industry 4.0, means that security becomes a pervasive issue in production as well. Cyberthreats in the world of IoT can have consequences beyond compromised customer privacy. Critical equipment, such as pacemakers and entire manufacturing plants, is now vulnerable—meaning that customer health and a company’s total production capability are at risk.
The sheer number of cybersecurity attack vectors increases dramatically as ever more “things” are connected. Earlier, a large corporate network might have somewhere between 50,000 and 500,000 endpoints; with the IoT, we are talking about millions or tens of millions of endpoints. Unfortunately, many of these consist of legacy devices with inadequate security, or no security at all.
This added complexity makes the IoT a more difficult security environment for companies to manage. Those that succeed, though, could use strong cybersecurity to differentiate themselves in many industries.
To explore views on the relevance of and companies’ preparedness for IoT security, McKinsey conducted a multinational expert survey with 400 managers from Germany, Japan, the United Kingdom, and the United States. The results indicate a yawning gap between perceived priority and the level of preparedness:
· Of the IoT-involved experts surveyed, 75 percent say that IoT security is either important or very important, and that its relevance will increase. But only 16 percent say their company is well prepared for the challenge. The survey also indicated that low preparedness is often linked to insufficient budget allocated to IoT cybersecurity.
· Our interviews revealed that companies are ill prepared at every step of the IoT security action chain (predict, prevent, detect, react). Especially weak are prediction capabilities; 16 percent feel well prepared, compared with 24 to 28 percent on prevent, detect, and react.
· More than one-third of companies lack a cybersecurity strategy that also covers the IoT. The rest have some sort of strategy but many report struggling to implement it.
Why haven’t companies made progress on cybersecurity implementation, given the perceived risk? Our survey indicated a few factors:
· Lack of prioritization. In general, there isn’t an “act now” mentality among senior management. Few leaders have made the business case for a specific IoT security strategy that would, in turn, make the effort a priority and trigger the allocation of sufficient resources.
· Unclear responsibility. There needs to be a holistic cybersecurity concept for the entire IoT stack, but often no single player feels responsible for creating it. First, there is the question of whether initial responsibility lies with product makers or with suppliers. And within organizations, it’s proved difficult to determine which unit (IT security, production, product development, or customer service) should take the lead. Product or plant managers often do not have cybersecurity expertise, while corporate IT does not have sufficient access to product teams or the industrial control systems “behind the fence.”
· Lack of standards and technical skills. There are some industry working groups, but IoT security standards are still largely nonexistent. Even if there were standards in place, the technical competence to implement them—a mix of operational technology and IT security knowledge—is in short supply.
With the advent of the IoT, cybersecurity affects the entire business model. Adequately addressing the threat means bringing together several business perspectives, including the market, the customer, production, and IT. And the CEO is often the only leader with the authority to make cybersecurity a priority across all these areas.
Six recommendations for CEOs
Although there is no single winning approach for tackling cybersecurity in the IoT, six recommendations can guide senior executives. Three concern strategic lenses for thinking about IoT security, and the other three are actions to help CEOs and other leaders set their organizations up for success.
1. Understand what IoT security will mean for your industry and business model
Across all industries, a certain minimum level of IoT security will be required as a matter of “hygiene.” The recent WannaCry attack largely compromised organizations with legacy operating systems that had not been patched appropriately. Simple patch management—a matter of adequate IT management, not sophisticated cyberdefense—should be routine, not something customers pay a price premium for.
However, we think there is potential for treating security as more than just hygiene. In the past decade, many companies saw IT evolve from a cost center to a source of real differentiation, driving customer satisfaction and willingness to pay. A similar change could lie ahead for IoT security, and in an increasing number of industries, we are already witnessing it today. One example is the physical security industry. Door-lock companies can already demand a price premium for products with especially strong cybersecurity features, as cybersecurity can make or break the main function of the product.
Effective IoT security solutions consider an organization’s business model, where it lies in the value chain, and the industry structures in which it operates.
CEOs must understand the role and relevance of IoT security in their industries and how to monetize solutions in alignment with their business model. A thorough understanding of what IoT security means for a company cannot end at the strategic level, though. CEOs need to be aware of the main points of vulnerability. Typically, an overview of the top attack scenarios for a specific company and an understanding of attackers and their motivations will be a good base for further strategy development and budget allocations. Security investments must be targeted according to the risk most detrimental to the specific business or industry.
2. Set up clear roles and responsibilities for IoT security along your supply chain
IoT requires a holistic cybersecurity concept that extends across the entire IoT stack—all layers of the application, communication, and sensors. Of course, each layer needs to be secured, but companies also need to prepare for cross-layer threats.
This will require a strategic dialogue with upstream and downstream business partners, whether suppliers or customers, to sort out responsibilities for security along the entire supply chain. A starting point for this discussion should be identifying the weakest links in the holistic model; from an attacker’s point of view, these will be targeted first to harm the entire chain. Who then takes on which role should depend on who has the competence and who has the incentives, which might include a monetization model. Industry players active in each part of the IoT stack bring certain advantages they can build on to provide an integrated solution:
· Device and semiconductor manufacturers active at the lower level of the stack can build on their design capabilities of low-level (hardware) security as an advantage for designing higher (software) security.
· Network equipment manufacturers profit from the fact that many key competencies in transport-layer security design are applicable to the application layer. Beyond that, they can build on their hardware design capabilities to offer an integrated solution.
· Application designers can leverage their control of application interfaces or customer access as an advantage in defining low-level architectures.
3. Engage in strategic conversations with your regulator and collaborate with other industry players
A company’s cybersecurity creates externalities that go far beyond the effects on the company’s performance itself and thus needs to be tackled across the classic government–business divide. Most current cybersecurity standards fall short because they are neither industry specific nor detailed enough, and they neglect most layers of the IoT stack, including production and product development. Regulators will eventually step in to address this gap, and companies need to get involved in the discussion, or set the tone.
Industry leaders can shape these structures by bringing together key players to establish IoT security standards for their industry. Partnerships with other players, including competitors, can also lead to a mutually beneficial pooling of resources beyond official industry standards. In the banking sector, for instance, one company got several competitors together to set up “shared assessments” to evaluate security technology vendors, resulting in enormous efficiency gains for both the banks and their suppliers. Another example from the sector is FS-ISAC, an information community through which competing banks share information on security weaknesses, attacks, and successful countermeasures.
4. Conceive of cybersecurity as a priority for the entire product life cycle, and develop relevant skills to achieve it
Security needs to be part of the entire product life cycle, from product design to the development process, and continuing each day of the product’s use. Fundamental to the security of products in the field is “security by design” in the product-development stage. It’s also crucial to ensure security during the production or manufacturing process, given the role of Industry 4.0 in driving the proliferation of IoT on shop floors and in other production settings. Last, a concept is required for securing products after they have been sold. To this end, companies need a strategy to deliver security patches to products in the field, for example, via over-the-air update capabilities.
Achieving cybersecurity throughout the product life cycle requires organizational and technological changes. The organizational component involves clear responsibility for cybersecurity in the product and production environment. A few companies have acted by giving the chief information security officer (CISO) responsibility for cybersecurity in both information technology (IT) and operating technology (OT). Whatever the structural setup, aligning on goals is crucial, since there must be strong collaboration among the CISO function and other departments, be it product development, production, or even customer service. Additionally, new roles should be created that systematically integrate security into all relevant products and processes. A European telco and media company, for example, is leveraging large-scale training programs to create a community of “security champions” throughout the organization. These security champions get additional decision-making authority within their teams as a result of achieving “cybersecurity capable” status. The company’s CISO organization has used these trainings to grow its reach by a factor of four.
5. Be rigorous in transforming mind-sets and skills
Institutionalizing the notion that security is everyone’s business starts at the top. Executives should role model security behavior and cultivate a culture where security is constantly evolving and where people are rewarded, not punished, for identifying weak spots.
Additionally, CEOs need to ensure that security-specific knowledge and qualifications become a standard requirement for employees in IT, product development, and production. On the one hand, additional training programs for current employees may help; on the other, specific IoT security talent needs to be developed. Cybersecurity specialists must understand product development and production as well as IT security. To develop these crossover skills at scale, companies should consider working with other players in the industry, for example, to create university programs and vocational training curricula.
6. Create a point-of-contact system for external security researchers and implement a postbreach response plan
Companies need to implement a single, visible point of contact for IoT-security-related notifications or complaints. In the past two years, and especially in the IoT context, there have been numerous examples of security researchers trying to notify a company several times after discovering a breach and the company either not following up at all, or the researcher being handed from one department to the next without anyone taking responsibility for the matter.
In addition, companies need a response plan in place for different attack scenarios. The fallout from an unprofessional response to an incident is often more damaging than the incident itself. In an IoT world, incidents can affect the heart of a company’s operations, so cybersecurity needs to be part of business continuity management and disaster-recovery planning. Maybe most important, organizations must design a strong communication strategy that is scenario specific and delivers current, transparent, and appropriate messaging to customers, regulators, investors—and potentially the general public.
Cybersecurity remains much talked about, but it’s not yet used as a differentiating factor on the business side. With the advent of the Internet of Things, there’s an opportunity to move ahead and designate the security of products, production processes, and platforms as a strategic priority. The breadth of the challenge spans the entire supply chain and the whole product life cycle and includes both the regulatory and the communication strategy. For CEOs in IoT organizations, we believe cybersecurity should be at the top of the agenda until rigorous processes are in place, resilience is established, and mind-sets are transformed.
By Harald Bauer, Gundbert Scherf, and Valerie von der Tann, August 2017
http://www.mckinsey.com/global-themes/internet-of-things/our-insights/six-ways-ceos-can-promote-cybersecurity-in-the-iot-age?cid=other-eml-alt-mip-mck-oth-1708&hlkid=52c54a42075b495884bfae0c6a4759f6&hctky=1627601&hdpid=091cd700-2009-40a5-8470-12fa351fe9ad