IoT Security: 20 Years Behind Enterprise Computing
Sean Peasley of Deloitte Says Controls and Monitoring Are Key
While IoT devices are entering enterprises at a rapid pace, the security practices around them are as much as 20 years behind those for enterprise computing, says Sean Peasley of Deloitte.
"There's still quite a bit to do," he says in an interview with Information Security Media Group. For example, organizations need to assess how they are going to use IoT devices, evaluate the risks and develop strategies for those risks, Peasley says. That may include improvements such as security controls and monitoring capabilities.
More enterprises are doing vulnerability assessments, but the difficulty of carrying those out varies by industry, he notes. For example, they're particularly challenging in industrial applications where factories could be disrupted, he points out.
"If you have some sort of outage or downtime, that could affect their revenue stream," Peasley says. "Organizations are definitely concerned about that, and those that are trying to improve their risk management and their security need to understand those objectives because they are part of the lifeblood of an organization."
But approaches such as passive scanning and collection of data about anomalies could provide better confidence about the security of deployed IoT devices, he says.
In this interview, Peasley discusses:
- How organizations should structure third-party risk management plans;
- How IoT manufacturers are dealing with emerging attacks;
- What's on the horizon in the next two years for IoT security.
Peasley is a partner with Deloitte & Touche and serves as its consumer and industrial products lead. He's also the firm's IoT security lead within Deloitte's Cyber Risk Services. He specializes in cyber risk management, privacy and data protection, and business resilience.