Pure genius! I witnessed it. Live at the Security of Things Forum in Cambridge last week. The room was full of stunningly brilliant, experienced, kind, feisty security professionals. We were there moderating a panel on (IoT) Internet of Things security in the enterprise.
We learned a ton from these people. And it was more confirmation that time and trust matter as much or more than anything else in IoT. You can read all about it here, in organizer Paul Roberts’ excellent collection of media coverage in the days immediately following the event.
The cost (or affordability) of building security into your IoT solutions depends on a host of factors. There is no one size-fits all in securing IoT devices. Securing the IoT may have as much to do with supply-chain integrity as it does encryption, or authentication, or realtime remote control of connected, unattended devices.
My friend, and panelist Emil Sturniolo has been trying to teach me this for years … It might also have to do with what it is that you are securing—not only the intelligent device, but the physical asset it is instrumenting. It might also have to do with the economics of failing to secure that device of physical asset—not only the cost of downtime and remediation, but the loss or revenue and prestige and more.
And it might certainly have to do with elasticity of demand for the IoT solution under scrutiny—not only the cost implications of building the right level of security into that device, but the resulting impact on demand.
In my role as provocateur for the opening panel, I suggested that ‘we’ – developers, deployers, investors, security professionals—just deal with the fact that securing our IoT solutions we will need to absorb some overhead. Overhead in budget and schedule for some of our IoT projects.
And a couple of corners of the room would have censored me if they had a red button.
But one of the best inputs came from I Am The Calvary’s Josh Corman – endorsed by a handful of people in the room—went something like this (I am paraphrasing):
We got it all wrong when we position security as overhead, or friction. Security will actually ACCELERATE adoption of IoT in part by reducing the cost of deploying, operating and maintaining IoT.
They might be right. Especially if you take the long view. The 30-month horizon. They might be wrong. Especially if you take the now-term view. The 30-day view. The time horizon matters when we discuss the impact of elevating security requirements in our IoT solution development and commercialization.
It is a little bit like, pay me now for pay me later. Invest in security now, and reap the benefits over time with broader market acceptance and adoption, or pay later to redress damage done by real or perceived security flaws.
According to a couple of people with significant IoT startup experience in the room, too many IoT startups are not putting enough time, effort, energy, priority, scope, schedule or budget into securing their devices.
I agree with that. I see some of that. Why? Well, there could be several reasons:
Pressure to launch their device is paramount. First to market is still a critical consideration in a number of these emerging markets.
Pressure to reduce cost basis of the device is paramount. Monetization models in IoT are still evolving and everyone wants to lowest cost BOM possible.
Security is hard. And risky. And fluid. And the gift that keeps on giving – developers headaches as they try to stay ahead of the black hats.
Customers, especially consumers, do not care about, know about, or understand security.
Caveat emptor is the rule of the day.
There is some truth in all of these. Especially if you take the 30-day view. They are all lies. Especially if you take the 30-month view.
Taking the 30-month view – or longer is the answer. For many IoT solutions will be designed and deployed with the need for the edge node to serve as a persistent socket – supporting its mission for 10 years or more in many applications. When we think about the physical assets on the planet that might be most worth instrumenting, we think about those assets that create or preserve water, food/ ag, energy, transportation, population health security.
We want, we need those assets in operation for a long time. We need our IoT edge nodes to be operational – and secure for at least that long. And if the physical assets that we are instrumenting are not long-duty cycle, then the argument shifts. As fast as the market is moving, that is how fast a secure, trusted device can scale. And how fast and far a brand can fall. Decisions made for a 30-day window, on a specific device, can have a 30-month impact on an entire brand.
Yeah, markets can be funny like that. Not funny, ha-ha, but, funny, what happened to our backlog? Taking the 30-month view and elevating security as a brand attribute is the answer to defending the attack on near-term budget requirements and schedule implications of security from those would care only about the next 30-days.
Elevating security will accelerate, expand and deepen market penetration at margin for 30 months or more—right after we accept that the cost of defining, developing and deploying appropriate levels of security will not be free during the first 30 days of our development schedules.
If you want to explore this topic more, join me, Connected World’s Peggy Smedley and Aeris Communciations’ Syed Hosain as we explore a few options for developers and deployers to secure their Internet of Things.
Want to tweet about this article? Use hashtags #M2M #security #Aeris #IoT #Inex