Published on 11/25/2016 | Strategy
The High Level Problem
Close to 20 billion IoT devices will be added to the Internet in the next 4-5 years. The lack of IoT security was made clear after the DDoS attack on Brian Krebs' website, followed by the attacks on Dyn, an Internet infrastructure company, which pretty much brought the Internet down.
So why is it hard to make products secure? It turns out that we are using 20th-century techniques for solving 21st-century security problems.
The CEO of XYZ, Inc. either (a) reads the news and decides that the company needs to make secure products or (b) his company's products have been hacked and he needs to take immediate action. He asks the V.P. of Engineering for a solution. The V.P. of Engineering hires a security engineer who patches the system as best as she can. However, the vulnerabilities and attacks keep on piling up and the customers stop buying his products. The product schedules slip, the sales and marketing teams are up in arms, and the engineering team is overworked. The CEO quickly turns around and ships the half-secured product and, guess what? The product gets hacked again.
Security impacts all parts of the organization in many interesting ways, some of which are described below:
Security Metrics: Security of the product is defined differently and even its impact is rated differently by different parts of the organization. It is also extremely hard for most engineering organizations to assess the vulnerabilities in their products. I was once told by a manager that I would not be allowed to assess the product as the company hadn't reached profitability yet. Executive Management must be able to get an independent security assessment of their product. This can be done by a vendor or a separate team reporting to the executive team. The assessment must go beyond simple penetration tests and must involve code evaluation and threat modeling.
Customer Impact: Good security can impact customers: if it makes the product too difficult to use, the customer will throw it away. For example, digital certificates provide almost perfect security solutions for a class of problems but are painful to use, even for experts. On the other hand, bad security can have extremely negative consequences: webcams are being returned, customers are very wary, and the sales of vulnerable devices will dry up. Executive management must take an active role in understanding customer needs and their capacity to understand and deploy secure products.
Sales Impact: Sales timelines can be adversely impacted by the increased delay in developing security solutions or the increased complexity of the product. This means that sales numbers can be adversely impacted. Salespersons are compensated when a product is sold. The impact of mass hack attacks, negative publicity, RMA costs, etc. is not felt by them. Opportunity costs due to schedule slips can have a negative impact. Executive management must take any revenue number adjustments and balance them against long-term benefits due to fewer and less severe security issues. For example, they can compensate sales personnel more for selling secure products because of the reduced security exposure at a later time.
Marketing Impact: Marketing teams need to be able to explain the value of extra security and help customers understand how to use it. Customer education is hard, and product marketing needs to insist on making security easy to use. Product marketing and management may also see an impact on their schedules, and they are generally measured on product delivery, customer impact and feedback, etc. Executive management may want to make security one of the key measurable objectives for the products. More on this later.
Vendor Impact: Very few products are built with only the manufacturer-supplied hardware and software. Vendors who supply software and hardware components must meet security requirements to let a manufacturer meet its security goals. Security issues with libraries, drivers, networking stacks, application frameworks, etc. can make the most well-intentioned efforts go to waste. This may delay engineering schedules and there may be pushback from engineering, marketing and sales teams. Executives must request vendors to meet security requirements as defined.
Manufacturing Impact: Most manufacturing systems are streamlined for extreme efficiency. Introducing concepts like injection of unique keys, secure boot, encrypted communication, hardware access lockout, etc. creates enormous problems in the manufacturing line. This is the primary reason why most devices ship with default passwords and keys. Executives must enable manufacturing organizations to buy and deploy the right tools for secure manufacturing.
Human Factors: Ease of use can be adversely impacted. Forcing a customer to create, use, and remember long passwords is a travesty. iOS is probably one of the most complex devices yet the most secure. Executives must involve the Human Factors team early on.
Engineering Impact: Teams vary in their ability to do secure design and coding. Even inside a team, the skill level may vary by engineer. Writing secure code and building secure hardware requires upfront investment. Without evidence, most engineering management will push back on security features. Executives need to use Security Metrics as a method of measuring engineering quality and provide adequate resources to implement the changes.
In essence, Executive management must drive for the following:
Security Metrics: Drive unbiased (internal and third-party) security assessments of products and services and determine the priorities. It is hard to build a roadmap to fix issues and to convince engineering teams to move. I know this: one engineering team resisted assessments of one product for 1 full year till a security vendor showed 10 different ways to break in. Engineers need proof.
Understand Customer Requirements: Understand customer requirements and assess the threat priorities. It is good to know how your product is used and how a hacker can use it to adversely impact the customer's key assets and values.
Organizational impact: Understand the impact on the organization and proactively solve issues. One can't emphasize this aspect enough. The very tribal nature of teams can create a lot of friction. Use recognition rewards, not punishments.
Security is not free. Executives must budget (cost, time, people) in order to get what they want.
Start Small: Pick a project where the team is motivated or has severe security issues. Use this team to test out security solutions. Involve marketing, engineering and sales teams.
And when in doubt, you can always email me for free advice. I have fought this battle, along with my security buddies.
I couldn't have done this without help from many people. Some of them are:
1. Sling Media: Raman RV, Raghu Tarra, Ilya Anastis, Aparna Akella, Gireesh M., Senthil Doss, Aravind N., Andrey Abramov, Arun Gangotri, Alex Huang, and many more.
2. Echostar: Geoff Kemp, Kyle Haugsness, Mark Templeman, Evan Anderson, and many more who helped me in setting clear goals.
3. Itron: Ben Loomis, Ido Dubrawsky, Michael Stuber, Ishtiaq Rouf, Sakib Muhamed, Scott Howard, Greg Barrett, Janice Tucker, Taresa Nephew, Kris Ramberg, Karen Livingston, Jackie Batson, Ryan Wilson, Jerry Hicks, etc.
This article was originally posted on LinkedIn.