New technologies are not only being adopted as quickly as they are created, but they are also being woven together in ways that are disrupting even the latest networking strategies. Cloud computing has not only moved computing and applications out of the core network, but with the adoption of things like SD-WAN, the core network — including the data center — is being replaced with a widely distributed network of physical and virtual peer devices and nodes.
Likewise, the internet of things is now much more than new devices that do things like track inventory or monitor physical systems. Business Insider predicted that by 2020, there will be more than 24 billion installed IoT devices — several times more than the number of people on earth — and many of these devices are being designed and deployed to extend and expand our hyper-meshed networks, creating bridges between users, devices, applications, systems and clouds.
And the advent of 5G is set to completely revolutionize digital transformation yet again. High-speed availability of even the most latency-sensitive rich media content will push data centers, applications and a new generation of IoT devices out to the edge. This will distribute computing even more as more devices, users and services become connected, while further blurring traditional notions of the enterprise perimeter.
The need for more security professionals
There are two sides to this coin of astronomical growth. The first is the ability to provide critical data, information and solutions to the farthest reaches of the globe — enabling IoT manufacturers and service providers to flourish by continuing to push our digital society forward through new innovation. However, the other side of that coin is that keeping up with tracking, managing and securing all of these devices — especially those being deployed outside the traditional core network — is highly complex and overwhelming the resources of many organizations.
The world is becoming interconnected in unprecedented ways, and staying ahead of the expanding attack surface requires an unprecedented number of skilled employees. The fact is, security concerns are the primary gating factor for the adoption of new IoT systems, so having the right cybersecurity talent in place enables innovation and competitive advantage. Such professionals are essential to the growth of the IoT sector. Unfortunately, the industry is not producing new cybersecurity professionals fast enough, and the lack of these workers not only makes IoT devices progressively more risky to use, but also impedes our progress toward building a digital society. In an interconnected world in which IoT is no longer an option but a necessity, what can be done?
The skills gap is not being filled
Cybersecurity professionals are some of the most highly sought-after individuals across industries, but because demand for seasoned professionals has surpassed supply, they are increasingly difficult to hire.
This couldn’t happen at a more inopportune time. Networks are rapidly expanding, our reliance on the digital economy and marketplace is growing, threats are becoming more sophisticated and pervasive, and the stakes in terms of regulatory punishment and reputational damage have never been higher. In this new world, cybersecurity experts can essentially write their own tickets, as the cybersecurity field currently enjoys a zero percent unemployment rate. Of course, this also means that smaller organizations are often priced out of the market.
This is a problem of epic proportions that demands epic solutions. The answer will not come from one sector; it requires a multi-phase, multipronged approach that marshals all current available resources and uses private-public partnerships to create a kind of cybersecurity skills moonshot.
Best practices for a secure IoT environment
Providing secure IoT devices and services, and using them safely within organizations, needs to be a top concern for the IoT industry. Here are six best practices that we all need to promote:
- The IoT industry needs to adopt a security lifecycle development approach so that security is considered from the outset and not as an afterthought. Code needs to be sanitized, devices need to be hardened, operating systems need to be patchable and industry standards need to be established and adhered to.
- People currently working in IT need hands-on training. Organizations need to implement a system whereby interested IT personnel can receive cybersecurity training. This can include a mentoring or apprenticeship program within an organization, funding hands-on training in an accredited educational or industrial setting, or creating a consortium of organizations willing to work together to cross-train security professionals.
- Actively recruit military veterans who are transitioning to civilian life. Today’s modern military relies on technology, which means that transitioning military personnel already have exposure to many of the latest IT tools. In addition, they already have the proper cybersecurity mindset because they understand things like chain of command, establishing and monitoring a fluid perimeter, and following established protocols.
- The formal educational process needs a reboot. Students should be exposed to security issues at an early age and then continually throughout their education. Students should be encouraged to enter educational programs that emphasize science and technology, especially computer science, engineering and cybersecurity. Additionally, governments and organizations can sponsor technical labs for secondary education and university programs, provide mentors and fund scholarships.
- Greater candidate diversity must be encouraged. Special attention needs to be paid to encouraging women and minorities to participate in cybersecurity training programs as these groups are not only significantly underrepresented in the tech industry, but because they represent more than half of the population, they also represent a very real solution to closing the cyber-skills gap at scale. To accomplish this, educational institutions and corporations need to develop programs to identify and support women and minorities, fund diversity scholarships and create targeted cybersecurity internships.
- Organizations need to step up their adoption of machine learning and automation. Cybercriminals have been using new technologies to shorten the time from a successful attack through to the compromise and exfiltration of data. The adversaries’ growing sophistication also means it is more difficult than ever before to detect malicious activity. For example, advanced evasion techniques now allow infected botnets to remain undetected in networks for an average of nearly 12 days. Based on the current state of the cyber-skills shortage, we can no longer rely on humans to detect and respond to cyberthreats. We need to rely on automation and machine learning to help humans process the massive amount of data needed to detect and mitigate them.
Further, as machine learning and automation enable security tools to take over many of an organization’s more mundane IoT security tasks, scarce security resources can be refocused on higher-order tasks.
Creating an environment for success
Gartner forecasted that worldwide spending on information security will grow to $124 billion this year. Part of that growth is being fueled by an ever-expanding threat landscape comprised of literally billions of IoT endpoints. Organizations cannot merely hope candidates with the right cybersecurity skills will show up on their doorstep. Instead, they must proactively promote and offer training, advocate for formal education systems to be overhauled, and work with existing employees and veterans to turn the corner on this looming crisis. Tools like automation and machine learning will also help organizations continue to grow and flourish in today’s IoT-dominated environment, rather than shrinking back in fear and risking obsolescence.