Why the Deck Is Stacked in IoT Security

The explosion of connected devices is forcing security professionals to take more of a business-minded approach.

Brian Buntz

May 20, 2017

Network security can be like poker.

David Sklansky’s fundamental theorem of poker says: “Every time you play your hand the way you would if you could see your opponents’ cards, you gain, and every time your opponents play their cards differently from the way they would play them if they could see your cards, you gain.”

Network security can be like that: One of the primary objectives in both poker and security is to create an information asymmetry against your opponent, constantly assessing your risk and asking when you are justified in acting on that risk, says Zulfikar Ramzan, CTO at RSA Security. In both security and poker, you can rarely get a complete picture of what is going on, but you are constantly looking for a “tell” that could give you a decisive advantage over your opponent.

IoT security, however, can be like playing against an opponent with a card—or multiple cards—up their sleeve. Peter Tran, GM and senior director of RSA’s Advanced Cyber Defense division, says, “Vegas rules no longer apply where the odds always favor the ‘house.’ It’s anyone’s game now. With IoT, there’s no security equivalent to a UL or Good Housekeeping seal of approval. You’re not always playing with a standard 52-card deck. It’s entirely possible that, several years from now, we’ll have 52 billion IoT devices—all with their own unique tells.”

“Most organizations have a large number of IoT devices and little control over what those devices can or can’t do,” Ramzan says. “If you are trying to secure an IoT network, taking a one-size-fits-all approach is not going to work. You are going to have blind spots, so you will have to prioritize how you focus your efforts based on what matters most to your organization from a business perspective.” 

In many ways, however, we have already entered this world. Antivirus companies have shifted their focus. “If you think about the security industry 20 years ago, the focus of antivirus was eradicating every virus,” Ramzan explains. The model was based on the ideal of detecting and thwarting every risk. “By about 2008 or 2009, it was becoming clear inside the industry that the old model was broken because the attackers were too fast in coming up with new viral strains,” he adds. “They weren’t coming up with brand new viruses, but they were just taking the same old ones and changing them enough to slip by.” There are roughly 800,000 new variants of malicious code generated every day, according to Tran’s research. Over the past four years, that amounts to approximately 1.2 billion variations. The sheer scale is “mind numbing,” Tran says.    

The Internet of Things continues this trend, both because the technology offers the promise of creating business efficiencies and new business models and because it opens up new risks to organizations’ operations and brand reputation.

“For the first time, I think we are at an inflection point where security truly has to be more of a business enabler than a matter of having to do security for its own sake,” Ramzan notes. “Ultimately, when you look at the board and CEO level, security has to be tied to what the overall business goals are—otherwise, security initiatives are not going to have any legs.”

