Why security, IoT device makers need 'security champions'

April 23, 2021
Leveraging cybersecurity advocates in the product development process can help address vulnerabilities before they become widespread

The explosion of IoT devices in recent years has resulted in a wealth of new data that can help inform the decisions of organizational leaders regarding a wide range of issues. Whether it is leveraging video analytics to enforce social distancing requirements in the wake of the pandemic or installing smart sensors to determine when there are potential problems with machinery at a warehouse or factory, connected solutions have forever altered the security and business landscapes.

However, the downside to having an ever-increasing number of devices on the network is that there are also many more potential entry points for hackers looking to steal sensitive data or just wreak havoc. These vulnerabilities were on full display for the physical security industry last month when cloud-based video surveillance provider Verkada suffered a breach of its network that led to more than 150,000 of its cameras being accessed by a hacker collective.

One of the problems most often cited by cybersecurity experts regarding the vulnerability of IoT devices is that security is often neglected during the development of these products in the rush to get them to market. Some states, and even the federal government, have stepped up recently to ensure that cybersecurity in these devices does not go overlooked in the future. California's Internet of Things Security Law (SB-327), signed in 2018 and in force since January 2020, requires manufacturers of connected devices sold in the state to equip them with "reasonable security features." And in December 2020, former President Donald Trump signed into law the Internet of Things Cybersecurity Improvement Act, which directs NIST to develop minimum security standards for IoT devices purchased or used by federal agencies.

The problem historically for many device makers, according to Ray Espinoza, CISO of Pentest as a Service provider Cobalt, is that there is often a disconnect between security and engineering teams in these companies, which leads to many of the common vulnerabilities found in IoT products today.

“Typically, there are not enough security team members to be able to scale to meet the needs, the demands of the different development teams at these companies. Because of that, there is not enough attention being given and there are usually these artificial barriers or gates to be able to pass through when developing software, developing products where security ends up having some sort of an eye or a view, typically looking for vulnerabilities – maybe it is a penetration test, a code review, etc.,” explains Espinoza, who has also served in IT security roles at Cisco and Amazon throughout his career. “But there are times when that has caused friction because security hasn’t been involved early enough in the process and then you have these eleventh-hour gates and likely even a security-related issue with being able to take that product to market, to get that new feature released, etc.”

So, what can organizations do to prevent these types of internal conflicts and make sure security is getting baked into their solutions? Espinoza says the answer is relatively simple: seek out and find “security champions” within the company.

Recruiting Security Champions

Because most businesses are not going to be able to hire the number of security engineers they would need to embed in each of these departments, Espinoza says the next best alternative is to recruit people already in the company – typically tenured or senior engineers who understand the importance of incorporating robust security measures into these products – and have them serve as advocates for security throughout the development process.

“We’ve always found several engineering leaders, engineering managers that tend to be security-leaning. They genuinely care about the customer information or data that they process, and they think it’s cool and they’ve always wanted to learn more,” Espinoza says. “In the past, we have enabled some of that and used that to our advantage to say, ‘hey, you are already security leaning and a fantastic partner of ours, why don’t we get you and other engineering leaders from across the organization, and we’ll train you up, we’ll listen and better understand the problems that you solve and see what we can do to collectively solve them. Can we find outputs that you can take to your team and provide them value? And, as we train you up, you can be an additional set of eyes and ears as they are going through planning to say, hey folks, I think we need to involve security as part of the larger initiative or hey folks, have you thought about this.’”

Espinoza emphasizes that security champions need to be senior-level personnel in the organization, not interns or recent college graduates, because junior staff lack the level of expertise and influence needed to make such a program succeed.

Balancing Priorities

Having the proper breadth of experience within a firm also means a security champion is likely to know how to weigh security issues that come to the fore against tight internal timelines and the other pressures that arise throughout the product development lifecycle.

“When you have the right level of experience and seniority, you’ve already earned some of those battle scars around what are real issues and what may be issues that we can live with,” Espinoza adds. “What it ultimately comes down to is can we better educate some of these leaders to understand what the company’s risk tolerance is? If we have an idea of the types of issues we may be able to live with and the types of issues we absolutely cannot, then they become armed to be able to say this is something that could definitely put our customers’ data at risk and that is not something we are willing to live with, but we may not have full visibility as we continue to create this feature and that’s okay because we have these supporting controls, like pentesting and other additional testing, where we may be able to find these issues and address them as we go.”

Espinoza says the advice he has given to many of his own security champions, as well as to those in other organizations, is to be pragmatic, specific and to pick their battles. Additionally, Espinoza says that companies need a way to measure the effectiveness of a security champion program, such as surveys of the participating engineering teams, to make sure those teams are benefitting from it. “It’s really sort of that tribal knowledge of bringing folks together to be able to learn from each other while still having guidance around the outcome we want to achieve,” he adds.

Espinoza says that these and similar programs have proven successful at organizations both large and small.

“I’ve seen it work at the largest levels possible and I’ve also seen it work at much smaller organizations,” he says. “My advice would be start small, measure and then be pragmatic with the additional add-ons that you want to do to make the program successful. You don’t have to build a rocket ship on day one. You can build a wagon, provide some value, collect some feedback and figure out where do we go from here.”

Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].