DevOps Chat: IoT Security with DigiCert’s Mike Nelson

DigiCert, a leader in the digital certificate world, recently conducted a survey on the use and security around Internet of Things (IoT). In this DevOps Chat, we spoke with Mike Nelson, VP of IoT Security at DigiCert. Mike explained the results of the IoT security survey as well as the key things that the top-tier companies are doing that sets them apart.

As usual, the streaming audio is immediately below, followed by the transcript of our conversation.

Transcript

Alan Shimel: Hey everyone, it’s Alan Shimel, DevOps.com, Security Boulevard, Container Journal. And we’re listening in on another DevOps Chat. Today’s chat is a lot about IoT security. I am joined by Mike Nelson, who happens to be the vice president of IoT security over at DigiCert. Mike? Welcome.

Mike Nelson: Hello. It’s good to be with you today.

Shimel: Absolutely. Mike, did I get your title right?

Nelson: Got it.

Shimel: Perfect. So Mike, we’re discussing a new survey you guys just released the results on, a state of IoT security survey 2018. And you know, frankly, though there’s a, god knows there’s enough surveys in the world, I haven’t seen many on IoT security. So, let’s, well, I have some questions on it. But before I jump into my questions, let’s kind of level set with our audience. What was the survey about, when was it conducted, why are you doing it?

Nelson: Yeah. Thank you. So, yeah, earlier this year we conducted a survey. The intent was to find out kind of the current state of IoT security. What organizations are doing with it, what their concerns are, and what their challenges are.

And, we reached out to a large group and we had over 700 responses. Our target audience was really the IoT verticals, critical infrastructure. So industrial, consumer, health care, transportation, and we had, you know, an equal division of respondents from each of those verticals. And the respondents were also global. Had a global footprint.

The most important thing, though, is that the respondents all had one of two things. One, responsibility for securing an IoT device within their organization. Or two, the responsibility to secure the data being generated and transmitted to or from the device. And so, really I think the respondents, and not all of them were security engineers. We had some leadership level respondents. But all of them had responsibility for the security of connected devices.

Shimel: Absolutely. Absolutely. So I’ve done a fair amount of these myself, Mike. I, big picture, what do you think were the three biggest takeaways from this?

Nelson: Well, I think as you said, there are tons of surveys that are out there. And you and I both know because of the work we do, IoT is important, and we don’t need a survey to tell us that. But it’s confirming to know the importance of IoT for our organizations.

And I think one of the important things, a takeaway for me, are the areas where organizations are looking to gain the most benefit from IoT. And our survey concluded that there were four categories. Operational efficiency, enhancement of customer experience, generating new revenue opportunities, and then finally business agility. And I think that’s a, it’s interesting to see the areas where they feel they’re going to be able to leverage IoT the most.

Another really interesting finding, as you kind of dig in and peel the onion back on this study, was the efficacy of security practices. From what I see, Alan, and you’ve probably seen this as well, but you have two types of organizations: those that are acting, and those that have their head in the sand. And a lot of times, I always say that organizations put money toward something for two reasons.

One because they’re having pain, or two, because there’s significant opportunity. And we’ve seen organizations that have dealt with breaches or had security incidents spending money to improve their security posture. But those that haven’t, it’s really interesting to see their reluctance or their hesitation to really jump in, and you know, we applaud those that do.

But what this survey pointed out is the organizations that are actually doing a good job with security, they’re doing basic things like encryption, authentication, risk assessment. So before they deploy their products, they’re doing penetration testing. Making sure that their security approaches are scalable. Organizations that are doing those things are far better off than those that have their head in the sand. And this survey highlights a handful of those benefits.

For example, let me just point to a few of them. Organizations that were, that rated in our top tier, which is the organizations that are actually doing a good job with security. They reported 12% of them had reported data breaches, while organizations that were struggling with security reported 70%. And when I say struggling, we categorized our two, we categorized the respondents into three categories: top tier, middle tier and bottom tier. The top tier organizations are actively putting in place best practices, the bottom tier are the ones that really have their head in the sand and aren’t doing much. So if you’re the leader of an organization, you’re saying, is it really going to be worth the investment? Well, 70% of those that are not doing anything have experienced a data breach compared to 12% of the ones that have.

That’s another, just an important takeaway is that, you know, while it might be hard to put an ROI, a specific ROI number on the investment and security, those things are working and they’re protecting. I mean, the difference between malware. 15% of the top tier compared to 70% of the bottom tier experienced malware. That’s just a dramatic difference to show that those organizations that aren’t doing anything are being hit.

The last thing I would point to is the monetary damage. The bottom tier organizations, 25% of the bottom tier reported that they had $34 million or more in costs incurred within the past two years from IoT security mishaps. $35 million for IoT mishaps. And those, that money came from the following five areas. Monetary damages, loss of productivity, legal and compliance penalties, reputational loss, and then impact on their stock price.

And so, you look at it, Alan, and it’s like, if I’m an executive of an organization trying to decide whether or not to spend money on security, well, you look at the impact. 25% spending more than $34 million over two years to respond to a security incident related to IoT. That’s a big number. And you know, it’s shocking the difference in the results that we have between the top tier and the bottom tier, and it really just highlights the fact, the things the top tier organizations are doing are working. And that was a long answer to your question.

Shimel: No, but it was good. And it, so let me give you my shimmy take on this, right? I hear what you’re saying, and I look at it again this way. No. 1, I don’t think at this point in the game, anyone can seriously argue that the numbers around IoT are staggering, right? The amount of devices, I mean, just in my own home. Recently I was with the kids and I was trying to explain to them how IP numbers work.

And we made a list of all the devices and IP addresses we’re using just in my house. You know, and what I’m using in my house, I used to use in my hosting business 20 years ago, 25 years ago. You know, it’s staggering that we’re up near 100. Because I have every light now with, has its own unique, and so, it’s nuts. But, so you know, and that’s just residential. I’m not talking commercial IoT and devices by the hundreds and thousands and how many are in your car and everywhere else. So I don’t think anyone can seriously argue the numbers.

No. 2, as someone who’s been in security for a long time, right? It bears out something that I always believe in, which is security is security is security, and you can’t leave your common sense at the door. Doing common sense type block and tackle basic security, whether it be on IoT devices or servers or containers or in the cloud or whatever.

Common sense block and tackle, just the basics often. It goes a long way. Yeah, you can get fancy and get very specific to IoT or cloud or all of these different areas. But if you’d just take the time and do the basics, you’re more than halfway there, right?

Nelson: Yeah, it’s interesting you say that. One of the questions we asked the respondents, what are the things you’re doing that are leading to the greatest success? And as I read this list, Alan, you’ll roll your eyes. Because as you said, it’s the basic blocking and tackling of IoT security. Encryption of sensitive data. That’s both at rest and in transit, right?

Shimel: Yep.

Nelson: Ensuring integrity through things like digital signatures. Securing over the air updates. You know, with connected devices. Of course OTA is a critical aspect of that, and making sure that they have the ability to do things like code signing and making sure that all of those updates are done in a secure way. Scalability of your security measures.

That’s a really interesting one with the growth that organizations are pointing to the scalability of their solutions. Because they know how fast the number of devices are growing. And organizations are pointing to that scalability as one of the things that they’re doing that it’s enabling them to be successful. So you’re absolutely right. It’s that basic blocking and tackling. It’s the encryption. It’s the integrity through authentication, and code signing and things like that. And the last one I mentioned was secure key storage. Right? I mean –

Shimel: Yeah.

Nelson: Those are, that all of us in security were like yeah, you can’t compromise on those things.

Shimel: Absolutely. And so, when we look at, there are 3,000 security companies in the world. And I always get asked, well, what’s new, what’s new, what’s new. There’s plenty new, but we don’t always do what’s old good first, right? We need to do some of that. And then, you know, the last area, Mike, I wanted to mention was, and this comes more around with the DevOps stuff I’m involved in.

You know, if you look at the state of DevOps reports that the folks at DORA and Nicole Forsgren, Jez Humble are putting out. And now over the last couple of years, increasingly we’re seeing a gap between the haves and the have-nots. The doers and the do-nots. Right? High-performing IT organizations who take security seriously. Yes, it’s hard to do ROI of security and all that stuff.

I’ve been arguing that for 25 years. But you can look at organizations who have high-performing IT organizations, and look at metrics such as how many vulnerabilities they deal with, how fast they recover from them, what losses they suffer from breaches, how profitable they are. How often they update their software. Customer satisfaction numbers. And the proof is in the pudding. Right?

Nelson: Yep.

Shimel: Those low performers, if they don’t get their act together, you know, they’re not going to be performing at all at some point.

Nelson: Exactly. Let me just give you a few stats, just to hammer in what you said. So, one of the questions was, negative impacts. What negative impacts have you had? And if you compare the top to the bottom, 14 percent of the top tier, the organizations that you’re describing who are doing a good job, 14 percent experience loss of productivity due to security incidents, while 60 percent of the organizations that are not doing anything experience loss of productivity.

Monetary damages, 5 percent of the top tiered compared to 59 percent of the bottom tier. Loss of reputation, or reputational damage. 3 percent of the top tier compared to 43 percent of the bottom. And so, those numbers are shocking in the difference between those who are doing and those who are not doing.

Shimel: Yeah. And the gulf widens, right? If you don’t, because it’s not like you can flip a switch and catch up in a day, right? It’s almost cultural, where you need to implement these programs. And so the gulf continues to widen, and you really do wind up with the haves and the have-nots, the high performers, the low performers. And then within the high performers, you’ll see strata of yet even you know, highest performers versus high performers. But, still those gaps are much smaller than the gap between the high and the bottom tier folks if you will.

So Mike, great, great survey. What, you know, for organizations who are look, they’re all confronting IoT at some level. What’s, what should they do now? What’s the single biggest thing for them to start doing?

Nelson: Yeah, I think it’s a couple things. The first is they need to build security into their product life cycle. And into the DNA of their organization. So when you’re designing and you’re architecting the solution, make sure you’re thinking about security. When you’re testing, make sure you have requirements to test for cyber security. Bring in outside organizations to do penetration testing.

And make sure you understand the risk of your devices. And then once you do that, put in place the basic, as you said, blocking and tackling approaches. Do encryption. Authenticate every connection. Ensure the integrity of the data that’s going to and from the device. Those are basic things that go a long ways to protect your organization.

And you know, on a personal level for organizations, as you look at organizations starting to use this data for more strategic decisions and to help them to understand what to do to be more efficient as a business. Or if you look at it on the health care side. I’m a type 1 diabetic and I have a connected device on my arm, and my cute little 4-year-old, we were talking about it earlier, has the same thing.

She was diagnosed a year ago, and wears a little patch. When it becomes personal to you as an organization or to you as a consumer, the security and the integrity of that data becomes so critical. I mean, if I take the example of my daughter, every five minutes, I get a glucose reading on my phone that tells me what her levels are. If that reading comes in and tells me her blood sugar is 300 and it’s really 100, and I administer her insulin to correct that, that’s a catastrophic result from lack of integrity.

I mean, you become dependent on these devices for life and for business operations. It would become personal for these organizations and for people very quickly. And as soon as that does, I believe we’ll see a dramatic increase in some of these practices that we’ve talked about. And that the survey shows our leading organizations to be successful and to prevent the damages that are happening to those that aren’t acting.

Shimel: Absolutely. And Mike, I’m sorry that it’s a personal situation for you, but I don’t think anything illustrates it better than that.

Nelson: Yeah.

Shimel: In a lot of cases, we’re talking glucose here, we have the same thing with pacemakers. And other monitoring and healthcare stuff. It is, it’s life and death in a lot of things. And you know, you want to talk about mission critical, this is pretty mission critical, right? So you know, we hope that that kind of mission criticality nature of it gets through to people and they understand why this just you know has to be the way it is.

Mike, as I mentioned before we get started, the time here goes quickly and we’re almost out of time. We didn’t even talk about your company, though. I know that you did the survey. Just real quickly. Give our audience a little background.

Nelson: Yeah, thank you, Alan. DigiCert is the largest certificate authority globally. We’re the largest trust company, and we provide public key infrastructure solutions, and that is for enterprises and also for IoT. And so, in the IoT space, we provide digital certificates that authenticate connections.

We have private and public certificates. So they authenticate connections, they open up encrypted tunnels so data can be transmitted in a sensitive and confidential way. And then we also have solutions like code signing and other things to ensure the integrity of updates, the integrity of data, making sure that those things are in place.

Shimel: Great. And we tend to think of certificates around websites and things like that. But you know, they really play a critical role here in the IoT space.

Nelson: You’re exactly right. And it’s been the backbone of Internet security for years and years. And it’s a proven solution. It’s not snake oil. Public key infrastructure is something that’s been around for a long time. And you know, we’ve been deploying IoT certificates for decades, for things like fax machines and ATMs. And with the rapid growth, that technology is now emerging. Public key infrastructure is emerging as a very critical security component in the IoT security picture.

Shimel: Absolutely. Absolutely. Mike, if people want more information about DigiCert or maybe they want to grab a copy of the survey findings and report, where can they go?

Nelson: So it will be made available tomorrow on the DigiCert website. So people can go to www.digicert.com, and there’ll be links there that can direct them to find the results of the study.

Shimel: And for those who may not be listening to this today and don’t know what tomorrow is, that’s around, it will be out around November, what is it, 14th?

Nelson: 14th. That’s right.

Shimel: 2018. So you can get it there on the DigiCert site. And of course you go to DigiCert anywhere, any time to get good information there. Well Mike, I think that’s going to really kind of wrap up our time for today. Excellent survey. Great findings. And really bringing it home, right? I mean, oftentimes these things are kind of pie in the sky and abstract.

But it’s a good reminder to show how these things really do affect each and every one of us, almost on a daily basis. So I appreciate you coming on. Thanks to DigiCert for doing the survey. And we’ll check in with you guys again. We usually check in at least a couple times a year. So we’ll have you on again soon, and find out what’s happening.

Nelson: Thanks, Alan. Enjoyed being with you.

Shimel: Thank you. This is Alan Shimel for DevOps.com, Security Boulevard, Container Journal. You’ve just listened to another DevOps Chat.

Alan Shimel

Throughout his career spanning over 25 years in the IT industry, Alan Shimel has been at the forefront of leading technology change. From hosting and infrastructure, to security and now DevOps, Shimel is an industry leader whose opinions and views are widely sought after.

Alan’s entrepreneurial ventures have seen him found or co-found several technology related companies including TriStar Web, StillSecure, The CISO Group, MediaOps, Inc., DevOps.com and the DevOps Institute. He has also helped several companies grow from startup to public entities and beyond. He has held a variety of executive roles around Business and Corporate Development, Sales, Marketing, Product and Strategy.

Alan is also the founder of the Security Bloggers Network, the Security Bloggers Meetups and awards which run at various Security conferences and Security Boulevard.

Most recently Shimel saw the impact that DevOps and related technologies were going to have on the Software Development Lifecycle and the entire IT stack. He founded DevOps.com and then the DevOps Institute. DevOps.com is the leading destination for all things DevOps, as well as the producers of multiple DevOps events called DevOps Connect. DevOps Connect produces DevSecOps and Rugged DevOps tracks and events at leading security conferences such as RSA Conference, InfoSec Europe and InfoSec World. The DevOps Institute is the leading provider of DevOps education, training and certification.

Alan has a BA in Government and Politics from St. John’s University, a JD from New York Law School and a lifetime of business experience. His legal education, long experience in the field, and New York street smarts combine to form a unique personality that is always in demand to appear at conferences and events.