AA+W - Fotolia
When it comes to security in IoT devices, it's important to remember that fundamental IT security principles are still applicable, according to Ravi Thatavarthy, director of information security and CISO at Bedford, Mass.-based consumer robotics company iRobot. Thatavarthy spoke with SearchCIO at the recent CDM Media CIO Summit in Boston, where he discussed how IoT is affecting the cybersecurity threat landscape, suggested best practices for securing IoT devices and delineated the role that CISOs play in these processes. He also offered pointers on how CISOs can build a strategic relationship with their organization's chief risk officers and shed light on the biggest challenge that CISOs face today.
This Q&A has been edited for clarity and length.
How is the internet of things changing the threat landscape?
Ravi Thatavarthy: When it comes to the internet of things, the landscape is different, but not necessarily the threats. The attack vectors are easy to get into because the devices are perimeter-less in the internet. Security principles like ITM and identity management are translating into IoT, but the bigger problem is that the risks are magnified in the IoT space if those principles are not applied properly. But the fundamental principles for securing IoT are nothing different from securing IT.
What role does a CISO play when it comes to ensuring security in IoT devices?
Thatavarthy: It's more important that the CISOs today incorporate security in IoT devices starting at the chip level and make sure that secure updates are possible in those devices. If consumers needed to do a firmware update on their devices, the update should be seamless to the consumer. They should be able to do the upgrades very quickly and the devices should also have the ability to execute upgrades from a trusted source.
When you are talking about smart homes, the primary responsibilities of a CISO is to promote the consumerization of the smart home by getting rid of the fear factor that smart home devices can affect your privacy. There will be products and there will be risks that people need to take. In the next ten years there will be a big phenomenon where these smart home devices can really make your life smart. On the product development side, the CISOs have the responsibility to promote security, starting from the inception.
What's the biggest challenge that CISOs face today?
Irrespective of the IoT or IT field, the biggest challenge every security officer faces today is weighing the business value with the risks. You should be able to support the business in a way that the product can be launched quickly so that the market can be captured appropriately, but at the same time the risks should be articulated. Being able to articulate the risks in the language of business will always be a learning exercise for every security professional.
Sometimes businesses will make decisions based on the risks and you should be ready to flow with it. Sometimes the decisions will be made in favor of security. Either way, security should not be a blocker to business.
How can CISOs build a strategic relationship with chief risk officers?
Thatavarthy: When you're talking to the business units, it is very important that you involve the chief risk officer all the time. The chief risk officer may not be able to understand the risk levels when they are articulated in a technical language and not the business language. It's very important to cultivate the culture that you always have this dialogue around what business risk means and what technical risk means.
Read about security in IoT devices and managing IoT security
Read about the dangers in an IoT-enabled world