The security requirements of the Internet of Things will reshape and expand over half of all global enterprise IT security programs by 2020 due to changes in supported platform and service scale, diversity and function, according to Gartner.
The research firm said the power of objects in the IoT to change the state of environments will cause chief information security officers (CISOs) to redefine the scope of their security efforts beyond present responsibilities.
"Securing the IoT expands the responsibility of the traditional IT security practice with every new identifying, sensing and communicating device that is added for each new business use case," said Earl Perkins, research VP at Gartner.
Functions that are delivered as purpose-built platforms using embedded technology, sensors and machine-to-machine (M2M) communications for specific business use cases signal a change in the traditional concept of IT and the concept of securing IT.
"Real-time, event-driven applications and nonstandard protocols will require changes to application testing, vulnerability, identity and access management (IAM) — the list goes on," said Perkins.
Handling differences in network scale, data transfer methods and memory usage will also require changes, as will the governance, management and operations of security functions.
Perkins said CISOs should not automatically assume that existing security technologies and services must be replaced. Instead, they should evaluate the potential of integrating new security solutions with old.
"At this time, there is no 'guide to securing IoT' available that provides CISOs with a framework for incorporating IoT principles across all industries and use cases," he said. "However, it is possible for CISOs to establish an interim planning strategy, one that takes advantage of the 'bottom-up' approach available today for securing the IoT."
CISOs must also resist the temptation to overthink security planning while patterns and solutions are still emerging. They should start small and develop initial security projects based on specific IoT interactions within specific business use cases.
CISOs can build on these use case experiences to develop common security deployment scenarios, core architectural foundations and competency centers for the future.
"Many of the security requirements for the IoT will look familiar to the CISO," said Perkins. "The technologies and services that have been used for decades to secure different eras of computing are still applicable in most cases."