RSA Review: Converged Risk and the Internet of Things

The 2014 RSA Conference this February in San Francisco highlighted the theme of “Threat Intelligence.” Judging from the overflow crowd of 30,000-plus attendees, many are intelligent enough to be very concerned. With business risk at all-time high, managing continuous and converging threats is a challenge. Especially when it appears that our cyber market “messaging” in many regards is overlapping. The fact is that scaling cybersecurity talent is a major problem facing security practitioners, while technology in general is advancing at an accelerated rate and reducing the useful lifecycle of most products. Add to this mix that many physical security solutions are also embracing the IoT (Internet of Things) model to confuse traditional lines of security spending authority. Taken together, we have a very interesting market dynamic at the exact time that the nature of digital risk is converging and evolving. As the saying goes, “May you live in interesting times.”

The “Internet of Everything” is a buzz phrase referring to the tech industry’s evolution to connect all machines and people everywhere on the planet. The IPV4 (Internet Protocol) to IPV6 conversion means tons more IP addresses to drive the productivity and efficiency of man and machine, while simultaneously exploding the total number of potential breach points. The cybersecurity market sector has its hands full with long-term revenue potential, and this was on display with a record number of vendor booths. Mobility, social networking and the cloud continue to drive user behavior, and extend risk well beyond traditional physical boundaries, with your smartphone acting as the lead change agent and breach target.

While “the cloud” has been an industry focal point for years, tech guru Bruce Schneier pontificated on a panel discussion that the “Cloud is actually more secure then on-premise systems.” The session’s overall message being, if your reluctance to embrace the cloud is security driven, you might want to re-evaluate as user acceptance is rapidly expanding. One issue to understand is how digital and physical technologies blend to impact all aspects of operational risk to the business.

This issue is affecting everything from risk exposure at the CEO and board levels, to the roles and responsibilities between C- Suite security executives, to end user education, and the changing focus of all security industry sales channels. In short, the nature of security risk is changing, and RSA had something for everybody.

Change impacts all human beings differently – some embrace it, some follow it and others get run over by it. Change manifests itself in many ways to drive “new” behavior. Change is occurring rapidly as “fundamental” technologies mature to extend end points, drive productivity levels and simultaneously accelerate cyber crime and espionage breaches. These base technologies themselves are not new, but the group acceptance level around them has arrived, and accelerated risk. The Information Technology industry and its close cousin, cybersecurity, are converging to secure all IP-enabled devices to address the “totality of risk” that any networked business faces today.

As noted by industry pundit Nikko Hypponen, Chief Research Officer at F-Secure, “In the future all crime is digital.” Business information (money, intellectual property, patient/customer records, etc.) is aggressively being copied, stolen and sometimes destroyed. Countering the rapid momentum of cyber crime and espionage is driving strategy changes at the CEO and board levels, which are impacting C-Suite security executive positions across the industry. To the CSO, CISO, CIO and even CFO, this direction impacts career paths. To security vendors and integrators alike, this changes business strategies for sales; support, marketing, hiring and even advertising spend. The industry is evolving to a model that “continuously” provides solutions and/or services in support of customer requirements for “real time” risk mitigation and resiliency goals.

This convergence of security solutions adds complexity to the leadership roles in the Security C-Suite. “Who owns responsibility for what solution sets/deployed where and how?” Does decision making reside in the IT organization, with the CSO, or CISO? While the CEO and board own responsibility for the “totality of risk” facing the business, where do they turn for leadership in specific areas? These issues were addressed at numerous sessions during the conference, but the answers are as wide and varied as the business sectors seeking these answers.

One RSA panel discussion, “Large CISOs Aligning Cyber Technologies, Personnel, and Processes,” underscored the fact that every organization is unique in their C-Suite roles and relationships. For example, Michael Papay, CISO, Northrop Grumman, mentioned “INFOSEC and the IT functions are in a state of flux with dotted line responsibilities existing in many large companies.” Andrew Vautier, CISO, Accenture, reports directly to the CIO, and works with both a Policy and Advisory committee on vendor selection, and a vendor integration review board. Lastly, Gary Gagnon at MITRE Corporation, SVP, CSO, and Corporate Director of Cybersecurity, stated: “The CIO operates the network, and the CSO protects the data to enable business operations. The relationship with the CIO is critical for the CSO in any large organization.” “State of Flux” may be the best description of securing business operations during a time of accelerating cyber threats.

In many cases timely discussion needs to take place at the CEO and/or board level as the risk exposure evolves and expands to include integrated physical and cyber solutions. In the “Internet of Everything” risk to the business is a moving target and a singular focus on cyber risk, although critical, can leave an organization vulnerable in other areas.

In another panel discussion “Educating the CEO and Board,” Roland Cloutier, CSO at ADP, mentioned that the “CEOs and boards have to put cybersecurity in the context of risk to the overall business, and there are not (usually) ‘cyber-only’ conversations taking place.” Cloutier also mentioned that the board puts a heavy emphasis on metrics to prove all risk assumptions about the business. In short, the CEO/Board wants to know:

Where are the security gaps?
How did you measure those gaps?
Where is the plan to address the risk(s)?
How do we define success in mitigating the risk(s)?

Cloutier elaborated that the key issue in cyber risk is to deploy a strategy of “continuous resilience.” You never eliminate risk, but mitigate as much of it as possible, while continuing to operate the business. He suggested working with third-party solution providers, and specifically mentioned “Red Team” penetration testing firms as a serious consideration to evaluate vulnerabilities in your network. Roland also noted that the SMB (Small, Medium-Sized Business) has not (as a rule) had cyber risk explained to this level, and subsequently do not fully understand this risk in the context of their unique business strategy. This is an important point, since SMBs are prime targets since many are part of a larger firms supply chain, and hackers are operating on the “weak link in the chain” attack theory.

To underscore how recent the cyber risk discussion is to many boards of directors, Bill Coleman, Advisor at Alsop Louie Ventures, mentioned that during his tenure as a board member of Symantec Corporation (a cybersecurity provider) for the last 10 years, only within the last four years has cyber protection been a top 10 issue at that company. The cyber discussion at the highest levels of American (and international) business (including law enforcement/government) is still a key focus area for the security industry, and best practices are evolving. To that point, Jenny Menna, Director Stakeholder Engagement & Cyber Infrastructure at DHS, highlighted the recently announced NIST Cybersecurity Framework. (Check this month's Cyber Tactics column for more information.)

How will you approach these monumental shifts in technology that drive executive decisions about business risk, policy and practice and affect buying decisions? Today, traditional security sales practices and products do not scale in real time to the level required to answer these threats. Security countermeasures as a rule must be more flexible and intelligence based. Bill Crowell, former Deputy Director at the NSA and current Partner at Alsop Louie Ventures, recognizes the need to address a confluence of threats. He said: “We need security systems that are 'highly integrated' and protect all the places attackers might penetrate and use to access sensitive data. Perimeter is still important (firewalls, IPS, video surveillance, authentication and identity management), but there is not nearly enough focus on content protection (protecting databases and applications through additional layers of security inside the network). We now have additional vulnerabilities because of phishing attacks, insider threats, mobile access and supply chain induced problems (OS, applications, and components, etc.). Integrated solutions to all of these threats and vulnerabilities must be considered to ensure reasonable levels of risk mitigation.”

Two major players representing each market segment (McAfee in cybersecurity and ADT in physical security) have collaborated at the recent Consumer Electronic Show to combine products (McAfee LiveSafe and ADT Pulse) to strengthen security best practices to protect homes, properties, data and personal identities. John Giamatteo, senior vice president and general manager of McAfee consumer business, says, “With the Internet of Things rapidly evolving, our partnership with ADT marks a critical advance in protecting consumers’ property and information in more ways than ever before.”

This is an important union that crosses traditional security boundaries and provides a blueprint for both industry segments to work more closely together. Arthur Orduña, Senior Vice President and Chief Innovation Officer at ADT adds, “Partnering with McAfee adds another vital layer of security to our Pulse solution with McAfee LiveSafe service, and opens up innovation opportunities for our platforms and products.” It is these “innovation opportunities” that are critical for security integrators to address this “converged risk” scenario.

In the context of an integrated security policy, The “Internet of Things” is the ultimate driver of converged risk. Digital crime trumps physical crime, and the gap is widening exponentially everyday. Senior executives and boards are certainly concerned with physical security protections, but cybersecurity can negatively impact the brand and stock price like physical losses rarely will, (with the exception of loss of life events). The cloud is the platform to deploy traditional security protections quickly and cost effectively to address digital risk and counter continuous threats. One security solution migrating to cloud architectures is video surveillance, which accounts for 50 percent of physical security market revenues. The VaaS (Video as a Service) model eliminates costs, installation and administration requirements while offloading bandwidth and encrypts video endpoints, traffic and storage. Cameras act as sensors and solution points (analytics) and are integrated with identity management and access controls, all managed by cloud services to improve security. This traditional physical application is a great example of solution integration across a cloud infrastructure to provide a unified defense in depth strategy.

About the Author: Dan Dunkel brings more than 22 years of sales, management and executive experience in the IT industry to a consulting practice, New Era Associates, focused on the emerging field of security convergence. He is co-author of Physical & Logical Security Convergence.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.