5 Ways CEOs Can Promote Cybersecurity In The IoT Era

by CXOtoday News Desk    Sep 01, 2017


In the past decade, many companies saw IT evolve from a cost center to a source of real differentiation, driving customer satisfaction and willingness to pay. A similar change could lie ahead for IoT security, believe McKinsey researchers and author of a recent report Harald Bauer, Gundbert Scherf, and Valerie von der Tann. With the IoT, security challenges move from a company’s traditional IT infrastructure into its connected products in the field. And these challenges remain an issue through the entire product life cycle, long after products have been sold.

While a certain minimum level of IoT security will be required as a matter of “hygiene” there is potential for treating security as more than just hygiene believe authors of the report. Effective IoT security solutions consider an organization’s business model, where it lies in the value chain, and the industry structures in which it operates 

Although there is no single winning approach for tackling cybersecurity in the IoT, McKinsey researchers offer some recommendations that can guide senior executives to attain cyber security in the IoT era.

1. Understand IoT security to fit your industry/ business model

According to the author, CEOs must understand the role and relevance of IoT security in their industries and how to monetize solutions in alignment with their business model. A thorough understanding of what IoT security means for a company cannot end at the strategic level, though.

“CEOs need to be aware of the main points of vulnerability. Typically, an overview of the top attack scenarios for a specific company and an understanding of attackers and their motivations will be a good base for further strategy development and budget allocations. Security investments must be targeted according to the risk most detrimental to the specific business or industry,” they said.

2. Set up clear roles and responsibilities for IoT security

IoT requires a holistic cybersecurity concept that extends across the entire IoT stack—all layers of the application, communication, and sensors. Of course, each layer needs to be secured, but companies also need to prepare for cross-layer threats

This will require a strategic dialogue with business partners, [if possible to suppliers or customers] to sort out responsibilities for security along the entire supply chain. A starting point for this discussion should be identifying the weakest links in the holistic model; from an attacker’s point of view, these will be targeted first to harm the entire chain.

3. Engage in strategic conversations with stakeholders

Most current cybersecurity standards fall short because they are neither industry specific nor detailed enough, and they neglect most layers of the IoT stack, including production and product development. Regulators will eventually step in to address this gap, and companies need to get involved in the discussion, or set the tone, said the authors.

In such a scenario, industry leaders can shape these structures by bringing together key players to establish IoT security standards for their industry. Partnerships with other players, including competitors, can also lead to a mutually beneficial pooling of resources beyond official industry standards. 

4. Be rigorous in transforming mind-sets and skills

Institutionalizing the notion that security is everyone’s business starts at the top. Executives should role model security behavior and cultivate a culture where security is constantly evolving and where people are rewarded, not punished, for identifying weak spots.

Additionally, CEOs need to ensure that security-specific knowledge and qualifications become a standard requirement for employees in IT, product development, and production. On the one hand, additional training programs for current employees may help; on the other, specific IoT security talent needs to be developed. Cybersecurity specialists must understand product development and production as well as IT security. To develop these crossover skills at scale, companies should consider working with other players in the industry, for example, to create university programs and vocational training curricula.

5. Implementing a postbreach response plan

Companies need to implement a single, visible point of contact for IoT-security-related notifications or complaints. In addition, companies need a response plan in place for different attack scenarios. The fallout from an unprofessional response to an incident is often more damaging than the incident itself. In an IoT world, incidents can affect the heart of a company’s operations, so cybersecurity needs to be part of business continuity management and disaster-recovery planning. Maybe most important, organizations must design a strong communication strategy that is scenario specific and delivers current, transparent, and appropriate messaging to customers, regulators, investors—and potentially the general public.

Cybersecurity remains much talked about, but it’s not yet used as a differentiating factor on the business side. With the advent of the Internet of Things, there’s an opportunity to move ahead and designate the security of products, production processes, and platforms as a strategic priority. For CEOs in IoT organizations, the authors believe, cybersecurity should be at the top of the agenda so as to progress on the business growth in the IoT era.