June 27, 2019 By Anna Seacat

It is easy to see how a chief information security officer (CISO) might predict that challenges related to threat management for traditional assets will be compounded by the rapid adoption of internet of things (IoT) devices in enterprise buildings. Despite these IoT security challenges, as Simon Langley, CISO of U.K. grocery retailer Morrisons, explained in an interview for SecurityIntelligence, security teams should actively prepare for and enable innovation with the IoT.

Myth: Enterprise IoT Security Is Not Yet a Priority

Innovation is an important part of Morrisons’ culture, and the company is already leveraging the IoT to improve the customer experience, realize efficiencies and grow its business.

“At any given time, there could be 10 managers innovating with IoT,” Langley noted. “My department cannot be seen as impeding this innovation.”

Langley is not alone. Enterprises are innovating with IoT technologies at great scale. By 2021, more than 85 percent — or $1 trillion — of enterprise IoT project investments will be built on net-new technology spending.

Yet IoT security — specifically, device visibility — remains elusive for many organizations, making threat management difficult. Internal research from Armis found that at least 40 percent of connected devices are currently invisible to the CISO. Since only half of organizations are monitoring known IoT devices within their environments, according to a Ponemon Institute study, threat management for enterprise IoT is a clear and present priority.

Fact: Threat Management for the IoT Is Here and Now

Because enterprises are expected to invest $520 billion in IoT technologies over the next few years, security analysts predict that more than 25 percent of identified attacks against enterprises will involve the IoT by 2020.

Even if a company isn’t as quick to adopt emerging technology as Morrisons, there is already a significant number of unmanaged assets and connected devices in the enterprise’s retail, office and warehouse spaces. Printers, badge readers, IP cameras and phones, networking equipment, video and phone conferencing equipment, and smart TVs are among the many connected devices that tend to go undiscovered and, as a result, are not included in current threat management programs.

In addition to enterprise-owned IoT devices, Langley pointed out that connected things brought to work by employees pose a threat.

“The threat, of course, is that connected devices employees bring to work can be used to leapfrog onto the network,” he explained.

Since 47 percent of companies already have employee-owned digital assistants in their workplace, according to Infoblox, the inherent threat is here and now.

The IoT Won’t Be the Straw That Breaks the CISO’s Back

With considerable investment in IoT devices in enterprise buildings, as well as the massive number of unmanaged assets and connected things brought to the workplace, the IoT seems like a straw heavy enough to break the CISO’s back.

However, Eric Maass, director of strategy and emerging technology at IBM Security Services, said proactive CISOs like Langley will approach IoT devices as they would any other endpoint.

“Using the existing NIST Cybersecurity Framework, a threat management program can be extended to unmanaged, IoT devices,” Maass explained.

Maass said the IoT poses unique security challenges that demand a shift from traditional asset management approaches to a new approach that includes:

  • Passively identifying unmanaged devices;
  • Detecting anomalies to understand bespoke communications patterns; and
  • Crowdsourcing connected devices’ behavioral characteristics to establish credible baselines for machine learning models.

While the IoT has a multiplier effect on asset management challenges, Langley also noted that CISOs who get in front of the issue will enable innovation within their organization. In other words, rather than being the last straw for the CISO, threat management for enterprise IoT can be an opportunity to show how proactive security opens the door to enterprisewide innovation.
