It turns out that the word “virus” is an especially accurate term for self-replicating malware. First used in the 1972 sci-fi novel “When HARLIE Was One,” it not only accurately captured how self-reproducing malware can propagate by inserting code into executable files, but also the implausibility of eradicating computer viruses at large. 

Yet as recently as two decades ago, much of the antivirus industry seemed determined to stop each viral strain. Eventually though, the shift switched to more of a risk-mitigation approach, after security professionals began to realize just how prodigious the authors of viruses — and other malware types — are, churning out hundreds of thousands of new malware every day.

The rise of the Internet of Things in enterprise and industrial environments heightens the stakes while increasing the potential attack surface for cybercriminals to exploit. Given this, organizations should adopt a business-focused, risk-based approach to IoT cybersecurity, recommends Zulfikar Ramzan, ‎CTO at RSA Security. “Normally, we tend to think about security in terms of big buckets of things such as prevention, education, detection and response,” he said. But breaking a nebulous problem into similarly vague subdivisions isn’t the best strategy.  “We start spending money on these buckets without really asking ourselves: ‘Is every additional dollar we are spending on that bucket really going to give us an optimal result or is there a better place for us to spend that dollar?’” Ramzan said.

And then there is the issue of diminishing returns. A certain amount of spending on, say, helping employees better understand the risk IoT cybersecurity poses to their organization might be helpful, additional spending might not be. “People will tell you: ‘User education is a good thing. It makes people more aware. It seems like a place to spend money.’ “And what ends up happening with education spending is that, to a certain degree, it works,” Ramzan said. But ultimately, spending on cybersecurity education will fail in neutralizing cyber threats or preventing end users from making security errors.

Normally, we tend to think about security in terms of big buckets of things such as prevention, education, detection and response

The same principle applies to threat prevention. An organization could spend vast amounts of money trying to prevent attacks with the theory that would keep them safe. “But in practice, there is a lot of stuff you still won’t be able to prevent no matter how much money you spend,” Ramzan said. “At this point, it is better to do things like invest in detection and response.” 

It can be tricky, of course, to develop theoretical frameworks for cybersecurity when many executives tend to view the topic in polar terms. “I think the biggest challenge that security people have to deal with is that there is really no easy way to talk about security in the absence of a major failure,” Ramzan said.

[Internet of Things World addresses the security concerns for IoT implementation in every vertical, attracting senior security professionals from the world’s biggest organizations. Get your tickets and free expo passes now.]

Yet cybersecurity frameworks like FAIR (Factor Analysis of Information Risk) are beginning to catch on, even providing the basis for organizations such as the FAIR Institute. “It is a way to think about cyber risk economics. It is not a perfect science,” Ramzan admitted. “It is very hard to quantify certain parts of cyber risk and really hard to quantify certain aspects such as impact to your reputation and brand and things like that.”

But organizations that have a cybersecurity framework that is consistent and at least fairly rigorous are well equipped to formulate a plan to reduce their cyber risk. “That is actually a reasonable conversation to have,” Ramzan said.

It is helpful to think of security in terms of risk because risk is inherent in any business. “I think security professionals can tie everything we do to a picture of risk. Even though it may not be perfect or optimal, it is still better than what we are doing today which is throwing a bunch of dollars at different buckets and hoping that will solve all of our problems.”

And organizations that can explain how their security spending can, say, improve operational uptime, make an argument that their work is helping support the business. This argument is easier to make when it comes to the IoT cybersecurity–related topics such as safeguarding systems charged with predictive maintenance of, say, industrial equipment. “They could say: ‘We are spending this money now to increase our ability to be up operationally. And the longer we are up, the more money we make,’” Ramzan said. “That is a real clear business proposition.”