Posted in:

Six ways CEOs can promote cyber security in the IoT age

Billions of devices are being brought online as the Internet of Things develops, creating new vulnerabilities. Here’s how leaders can regain control.

A

s digitisation has risen on the executive agenda, cyber security skills and processes in most companies have also advanced, though at a slower pace. But rapid growth in the Internet of Things (IoT) is changing the game. Cyber security is more relevant and challenging than ever, and companies need to build capabilities in this area – quickly.
IoT holds great potential to help companies improve their products and services or increase production efficiency by harnessing sensors and actuators that seamlessly connect objects to computing systems. No wonder, then, that many companies are bringing more and more devices, products, or production systems online. Conventional estimates suggest we could reach 20 billion to 30 billion connected devices globally by 2020, up from 10 billion to 15 billion devices in 2015. However, as devices proliferate, the security risks will increase sharply. Historically, risking the confidentiality and integrity of information was the prime concern compared with any risk regarding availability. In the IoT world, lack of availability of key plants or – even worse – tampering with a customer product becomes the dominating risk. How can CEOs and senior executives hedge against that threat?

The challenge of cybersecurity in the IoT

With the IoT, security challenges move from a company’s traditional IT infrastructure into its connected products in the field. And these challenges remain an issue through the entire product life cycle, long after products have been sold. What’s more, industrial IoT, or Industry 4.0, means that security becomes a pervasive issue in production as well. Cyber threats in the world of IoT can have consequences beyond compromised customer privacy. Critical equipment, such as pacemakers and entire manufacturing plants, is now vulnerable – meaning that customer health and a company’s total production capability are at risk.
The sheer number of cyber security attack vectors increases dramatically as ever more “things” are connected. Earlier, a large corporate network might have somewhere between 50,000 and 500,000 endpoints; with the IoT, we are talking about millions or tens of millions of endpoints. Unfortunately, many of these consist of legacy devices with inadequate security, or no security at all.

This added complexity makes the IoT a more difficult security environment for companies to manage. Those that succeed, though, could use strong cyber security to differentiate themselves in many industries.
To explore views on the relevance of and companies’ preparedness for IoT security, McKinsey conducted a multinational expert survey with 400 managers from Germany, Japan, the United Kingdom, and the United States. The results indicate a yawning gap between perceived priority and the level of preparedness:
• Of the IoT-involved experts surveyed, 75 percent say that IoT security is either important or very important and that its relevance will increase. But only 16 percent say their company is well prepared for the challenge. The survey also indicated that low preparedness is often linked to the insufficient budget allocated to IoT cyber security.
• Our interviews revealed that companies are ill-prepared at every step of the IoT security action chain (predict, prevent, detect, react). Especially weak are prediction capabilities; 16 percent feel well prepared, compared with 24 to 28 percent on prevent, detect, and react.
• More than one-third of companies lack a cyber security strategy that also covers the IoT. The rest have some sort of strategy but many reports struggling to implement it.

Why haven’t companies made progress on cyber security implementation, given the perceived risk? Our survey indicated a few factors:
• Lack of prioritisation. In general, there isn’t an “act now” mentality among senior management. Few leaders have made the business case for a specific IoT security strategy that would, in turn, make the effort a priority and trigger the allocation of sufficient resources.
• Unclear responsibility. There needs to be a holistic cyber security concept for the entire IoT stack, but often no single player feels responsible for creating it. First, there is the question of whether initial responsibility lies with product makers or with suppliers. And within organisations, it’s proved difficult to determine which unit (IT security, production, product development, or customer service) should take the lead. Product or plant managers often do not have cyber security expertise, while corporate IT does not have sufficient access to product teams or the industrial control systems “behind the fence.”
• Lack of standards and technical skills. There are some industry working groups, but IoT security standards are still largely non-existent. Even if there were standards in place, the technical competence to implement them – a mix of operational technology and IT security knowledge – is in short supply.

There are some industry working groups, but IoT security standards are still largely non-existent.

With the advent of the IoT, cyber security affects the entire business model. Adequately addressing the threat means bringing together several business perspectives, including the market, the customer, production, and IT. And the CEO is often the only leader with the authority to make cyber security a priority across all these areas.

Six recommendations for CEOs

Although there is no single winning approach to tackling cyber security in the IoT, six recommendations can guide senior executives. Three concern strategic lenses for thinking about IoT security, and the other three are actions to help CEOs and other leaders set their organisations up for success.

1. Understand what IoT security will mean for your industry and business model

Across all industries, a certain minimum level of IoT security will be required as a matter of “hygiene.” The recent WannaCry attack largely compromised organisations with legacy operating systems that had not been patched appropriately. Simple patch management – a matter of adequate IT management, not sophisticated cyber defense – should be routine, not something customers pay a price premium for.

However, we think there is potential for treating security as more than just hygiene. In the past decade, many companies saw IT evolve from a cost centre to a source of real differentiation, driving customer satisfaction and willingness to pay. A similar change could lie ahead for IoT security, and in an increasing number of industries, we are already witnessing it today. One example is the physical security industry. Door-lock companies can already today demand a price premium for products with especially strong cyber security features, as cyber security can make or break the main function of the product.

Effective IoT security solutions consider an organization’s business model, where it lies in the value chain, and the industry structures in which it operates.
CEOs must understand the role and relevance of IoT security in their industries and how to monetise solutions in alignment with their business model. A thorough understanding of what IoT security means for a company cannot end at the strategic level, though. CEOs need to be aware of the main points of vulnerability. Typically, an overview of the top attack scenarios for a specific company and an understanding of attackers and their motivations will be a good base for further strategy development and budget allocations. Security investments must be targeted according to the risk most detrimental to the specific business or industry.

2. Set up clear roles and responsibilities for IoT security along your supply chain

IoT requires a holistic cyber security concept that extends across the entire IoT stack—all layers of the application, communication, and sensors. Of course, each layer needs to be secured, but companies also need to prepare for cross-layer threats.

This will require a strategic dialogue with upstream and downstream business partners, whether suppliers or customers, to sort out responsibilities for security along the entire supply chain. A starting point for this discussion should be identifying the weakest links in the holistic model; from an attacker’s point of view, these will be targeted first to harm the entire chain. Who then takes on which role should depend on who has the competence and who has the incentives, which might include a monetization model. Industry players active in each part of the IoT stack bring certain advantages they can build on to provide an integrated solution:
• Device and semiconductor manufacturers active at the lower level of the stack can build on their design capabilities of low-level (hardware) security as an advantage for designing higher (software) security.
• Network equipment manufacturers profit from the fact that many key competencies in transport-layer security design are applicable to the application layer. Beyond that, they can build on their hardware design capabilities to offer an integrated solution.
• Application designers can leverage their control of application interfaces or customer access as an advantage in defining low-level architectures.

3. Engage in strategic conversations with your regulator and collaborate with other industry players

A company’s cyber security creates externalities that go far beyond the effects on the company’s performance itself and thus needs to be tackled across the classic government–business divide. Most current cyber security standards fall short because they are neither industry-specific nor detailed enough, and they neglect most layers of the IoT stack, including production and product development. Regulators will eventually step in to address this gap, and companies need to get involved in the discussion or set the tone.
Industry leaders can shape these structures by bringing together key players to establish IoT security standards for their industry. Partnerships with other players, including competitors, can also lead to a mutually beneficial pooling of resources beyond official industry standards. In the banking sector, for instance, one company got several competitors together to set up “shared assessments” to evaluate security technology vendors, resulting in enormous efficiency gains for both the banks and their suppliers. Another example from the sector is FS-ISAC, an information community through which competing banks share information on security weaknesses, attacks, and successful countermeasures.

4. Conceive of cyber security as a priority for the entire product lifecycle, and develop relevant skills to achieve itSecurity needs to be part of the entire product lifecycle, from product design to the development process, and continuing each day of the product’s use. Fundamental to the security of products in the field is “security by design” in the product-development stage. It’s also crucial to ensure security during the production or manufacturing process, given the role of Industry 4.0 in driving the proliferation of IoT on shop floors and in other production settings. Last, a concept is required for securing products after they have been sold. To this end, companies need a strategy to deliver security patches to products in the field, for example, via over-the-air update capabilities.

Achieving cyber security throughout the product life cycle requires organisational and technological changes. The organisational component involves clear responsibility for cyber security in the product and production environment. A few companies have acted by giving the chief information security officer (CISO) responsibility for cyber security in both information technology (IT) and operating technology (OT). Whatever the structural setup, aligning on goals is crucial, since there must be strong collaboration among the CISO function and other departments, be it product development, production, or even customer service. Additionally, new roles should be created that systematically integrate security into all relevant products and processes. A European telecom and media company, for example, is leveraging large-scale training programs to create a community of “security champions” throughout the organization. These security champions get additional decision-making authority within their teams as a result of achieving “cyber security capable” status. The company’s CISO organisation has used these training to grow its reach by a factor of four.

5. Be rigorous in transforming mindsets and skills

Institutionalising the notion that security is everyone’s business starts at the top. Executives should role model security behavior and cultivate a culture where security is constantly evolving and where people are rewarded, not punished, for identifying weak spots.
Additionally, CEOs need to ensure that security-specific knowledge and qualifications become a standard requirement for employees in IT, product development, and production. On the one hand, additional training programs for current employees may help; on the other, specific IoT security talent needs to be developed. Cyber security specialists must understand product development and production as well as IT security. To develop these crossover skills at scale, companies should consider working with other players in the industry, for example, to create university programs and vocational training curricula.

6. Create a point-of-contact system for external security researchers and implement a post-breach response plan

Companies need to implement a single, visible point of contact for IoT-security-related notifications or complaints. In the past two years, and especially in the IoT context, there have been numerous examples of security researchers trying to notify a company several times after discovering a breach and the company either not following up at all, or the researcher being handed from one department to the next without anyone taking responsibility for the matter.
In addition, companies need a response plan in place for different attack scenarios. The fallout from an unprofessional response to an incident is often more damaging than the incident itself. In an IoT world, incidents can affect the heart of a company’s operations, so cyber security needs to be part of business continuity management and disaster-recovery planning. Maybe most important, organisations must design a strong communication strategy that is scenario specific and delivers current, transparent, and appropriate messaging to customers, regulators, investors—and potentially the general public.

Cyber security remains much talked about, but it’s not yet used as a differentiating factor on the business side. With the advent of the Internet of Things, there’s an opportunity to move ahead and designate the security of products, production processes, and platforms as a strategic priority. The breadth of the challenge spans the entire supply chain and the whole product lifecycle and includes both the regulatory and the communication strategy. For CEOs in IoT organizations, we believe cyber security should be at the top of the agenda until rigorous processes are in place, resilience is established, and mindsets are transformed.

This article is part of McKinsey and Company’s Insight series.
Harald Bauer is a Senior Partner in McKinsey’s Frankfurt office, and Gundbert Scherf is a Partner in the Berlin office, where Valerie von der Tannis is a Consultant.