As internet of things devices become increasingly common in the enterprise, CISOs must lead the way in making sure emerging security issues, including a higher risk of distributed denial-of-service attacks, are adequately addressed, says John Pescatore of the SANS Institute, which offers training for CISOs and others.
"There are a lot of companies that are well positioned to handle IoT, but there are a lot that are so focused on just the day-to-day security work of keeping windows PCs and Linux servers secure, that they haven't gotten started at all," Pesatore says in an interview with Information Security Media Group.
CISOs need to take steps to ensure they're involved in device acquisition decisions in all departments within the enterprise, he stresses. "Security and IT need to be involved in the decisions on building and buying these types of devices so we can make sure they are as secure and safe as possible," he says.
And security staffs need to diversify their skills as a wider variety of devices are used in the enterprise, he adds. "When you look at the internet of things devices, it's a very heterogeneous world. There are all kinds of different operating systems and software and communications standards," he notes. "So within the types of things being used in your industry, it's important that skills get upgraded."
In the interview (see audio link below photo), Pescatore also:
- Highlights three IoT segments and their impacts on enterprises;
- Discusses the need to integrate IT and OT security efforts;
- Describes how implementing IoT security controls is similar to BYOD security efforts.
Pescatore, director of emerging technologies at SANS Institute, has more than 35 years' experience in computer, network and information security. He previously served as Gartner's lead security analyst for 13 years. Prior to that, he was a senior consultant for Entrust Technologies and Trusted Information Systems and spent 11 years with GTE. He began his career at the National Security Agency, where he designed secure voice systems, and the U.S. Secret Service, where he developed secure communications and surveillance systems.