January 21, 2019

IoT and Cybersecurity: Key Questions CISOs and Risk Managers Should Be Asking

In what has become a regular experience over the past two decades, I had the privilege of attending CES®2019 in Las Vegas, Nev. As presented in a press release by the Consumer Technology Association, an Arlington, Va.-based trade organization that owns and produces CES, this year's event covered a wide array of topics including 5G, artificial intelligence, digital health (MedCity News provides four takeaways from the 2019 Digital Health Summit), and autonomous vehicles. Cybersecurity was also a dominant theme during this year's event.

The "Getting Hacked: IoT and Beyond" session was one of several conference sessions at this year's CES that focused on cybersecurity. The description for this particular session notes that "smarter homes, cars, buildings and networks powered by the Internet of Things change the risk landscape for companies and consumers." While I recommend watching an archived video through this link of representatives from American International Group, Inc. (AIG), an American insurer, and other risk experts exploring how devices meant to improve lives and business operations make us vulnerable to attacks, this blog post focuses on a report aimed at providing Chief Information Security Officers (CISOs), "Risk Managers and other decision-makers with questions they can ask each other to help establish and strengthen relationships and ultimately lead to stronger protections for their organizations."

The report importantly notes: "There's no question that cyber risk represents one of the top threats facing enterprises today, and addressing the challenge will require a coordinated effort among leaders at all levels of the organization."

Furthermore, "As enterprises seek to address rapidly evolving cyber risks, they may discover a common challenge: a yawning gap between the person responsible for ensuring the organization is protected from cyber attacks -- usually a Chief Information Security Officer or similar position -- and the person responsible for ensuring the organization is protected from the risk of financial loss that inevitably results from those attacks -- typically a Risk Manager, Treasurer or General Counsel. Boards of Directors are increasingly responsible for oversight of both."

The report also crucially explains that "cyber threats are rarely contained within a clearly defined box. They combine characteristics of multiple kinds of threats, and can create a wide range of impacts depending on the attacker’s motives and the unintended consequences inherent to a viral attack."

What is more, "Attackers will take the path of least resistance. IoT devices usually ship with insecure configurations. Without vast improvement in consumer adoption of security best practices, they will create substantial risk for the foreseeable future. Even individuals and enterprises who practice good security basics aren't guaranteed to be safe without massive support from vendors to keep IoT updated with the latest security patches.

"The fluidity and complexity of cyber threats highlight the critical need to align prevention and remediation efforts. The individuals working to prevent cyber attacks from occurring ultimately share the same goal as the individuals working to protect the organization from the fallout of a breach, and they will be most effective in meeting their shared goal when they work together."

Having followed the interconnected relationship between IoT and cybersecurity by reading various reports and attending multiple conferences on the topic, I concur that "Risk Managers can and should communicate closely with CISOs to better understand not only where cyber vulnerabilities exist for their enterprise, but also what is being done to prevent them, as well as the likelihood and potential impact of a cyber event, should those prevention efforts be circumvented. Similarly, CISOs can and should communicate closely with Risk Managers to better understand how cyber risk transfer can complement the CISO’s efforts to prevent cyber attacks."

The report presents the following three questions for Risk Managers to ask:
  1. What are our unique vulnerabilities?
  2. How do we already protect ourselves?
  3. What could those vulnerabilities cost us?
Questions for CISOs to ask include:
  1. Why should we consider cyber insurance?
  2. What does cyber insurance cover?
  3. How is the legal landscape going to change the IoT?
AIG's report concludes that "connectivity enabled by the Internet of Things is creating new risks for enterprises. It is critical for those enterprises to close the gap between the person responsible for ensuring the organization is protected from cyber attacks and the person responsible for ensuring the organization is protected from the risk of financial loss stemming from attacks that do occur.

"The collaboration between Risk Managers and CISOs, and among them and other business leaders from across the company, should mirror the complexity and interconnectedness of attacks themselves. Only when leaders work together will businesses be well positioned to prevent attacks that can be prevented, respond as quickly as possible to attacks that do occur, and achieve restoration in a timely manner that minimizes long-term fallout.

"It all starts with a conversation."

What conversations are you having with your colleagues about IoT and cybersecurity?

Aaron Rose is an advisor to talented entrepreneurs and co-founder of great companies. He also serves as the editor of Solutions for a Sustainable World.
