IoT security: The work on raising the bar continues

One of the main goals of Chief Information Security Officers should be to help the organization succeed, and they are unlikely to do that by denying their organization the ability to take advantage of new technologies.

“While the Internet of Things is not new for enterprises – printers, routers, building control systems, and so on have been a part of corporate networks for decades – the number of connected devices on the network grows, and so does the challenge of managing them and securing them,” says Alex Gantman, VP of Engineering at Qualcomm.

“But the basics are still the same: know your threat model, compartmentalize your network, manage device configuration and lifecycle (including firmware updates), and work with trustworthy, dependable suppliers that can deliver the benefits of new technology while helping you manage the associated risks.”

IoT offers opportunity

Gantman thinks that the real risk to organizations is missing the opportunity offered by new technologies and falling behind because of fear.

He also believes that the goal should be not to eliminate the use of new technology, but to maximize the value while minimizing the risk.

“The IoT has tremendous beneficial opportunities for individuals and organizations. Connectivity is an amazing force multiplier,” he notes.

“We are still in the early phases of this technological transformation, and it will take some time and considerable trial and error to see what benefits consumers embrace in the long run. And as the use cases evolve, so do the threat models: what we consider important to protect, from whom, and how much risk we are willing to tolerate in exchange for the received benefit.”

At the same time, products are getting more secure, not less.

“Talk to anyone teaching security today and you will see that they have to re-create 1990’s-era conditions to make exploitation accessible to beginners. The bar set by today’s leading devices is significantly higher,” he adds.

Even though this progress has not been universal – there is no shortage of poorly designed or misconfigured products out there – it would be a mistake to see the entire industry in this light, he feels. But the work on raising the bar even higher must continue, and greater collaboration between stakeholders across hardware, software, network, and cloud will lead to stronger integrated solutions, where security is built in from the beginning from the silicon on up.

“For decades, we have been investing considerable effort into advancing security of connected devices. By leveraging and building upon advancements made in the mobile industry we are enabling new IoT products and services that provide ever-increasing levels of privacy and security,” he notes.

Moving mountains takes time

Gantman joined Qualcomm as a software engineering intern in 1996 and has spent pretty much all his professional career there. In 2010 he became the leader of the Qualcomm Product Security Initiative (QPSI), which provides product security support to the entire company, and in 2011 he filled the post of VP of Engineering responsible for product security.

Decades of experience as a security engineer, familiarity with the company culture, and understanding of the company business and the broader industry ecosystem have prepared him for that latest role, he says.

Take a step back and look at the long-term changes

“Engineers tend to misjudge the complexity and significance of non-technical dimensions of the problem space. For example: vulnerabilities are introduced in the course of routine software and hardware development. Preventing vulnerabilities requires changing the development process, which implies changing development culture,” he explains.

“Understanding of systemic forces – markets, customers, competitors, regulations – and their impact on people and processes is essential to bringing about organizational change. Some big changes may seem instantaneous from outside but, almost always, the reality is that there were many years of behind-the-scenes work to prepare and position the organization to make the seemingly sudden transition. Big changes require big effort, sustained over many years.”

If he occasionally runs the risk of becoming disheartened by day-to-day challenges, he takes a step back and look at the long-term changes we have experienced.

“The progress of the last two decades is unmistakable: today’s mainstream devices are significantly more secure than those of twenty years ago. And I expect that twenty years from now we will be saying the same thing,” he concludes.