According to a McKinsey survey, 75% of the cybersecurity experts surveyed say cybersecurity in the Internet of Things (IoT) is either a top priority or very important.
Whatever your view on IoT, you can guarantee that some of it is floating around your enterprise. Much like shadow IT, it solves a business problem that either wasn’t addressed by the IT function or was never flagged. As the lines blur between IT and ‘the business’, and as traditionally non-technology solutions integrate technology components, open communication and tight bonds with the broader business are key.
If it acts like shadow IT, you need to resolve it in a similar way:
- Find it
- Engage with the teams who need it
- Evaluate the risk
- Find a path to securing or replacing it
- Get ahead of future requests by planning an enterprise solution to the business problem
How do we find it?
Communicate, communicate, communicate: ask the business to ‘bring out their dead’ and hold an IoT amnesty. Promising not to pull the plug opens the door for discussion; clear communication and relationship building are key.
Understand what business function each device is serving, and perform standard risk analysis processes to understand what controls are needed. Consider the elements that can be more challenging in the IoT space:
- Vulnerability management and patching
- Protecting the physical device
- Impact on ‘the real world’
If executed correctly, this exercise can bring IT and the broader business closer together. It can help open new lines of communication and allow architecture and solution teams to work with InfoSec and the business, pre-empting business demands and finding the right forward-thinking technical solution.