The Digital Big Bang. Phil Quade



as untrusted until it is verified.

      Unfortunately, in such a complex and expanding environment, many organizations simply lack the visibility needed. As a result, they don't know what they don't know, much less how to secure everything they can detect.

      As this new reality intensifies, it will create a primary need for better tooling for visibility; network access controls; and stronger threat detection, prediction, and response capabilities. But even with all these important defenses in place, it is not enough. The IoT is simply too vast to be managed and mitigated by people alone.

      As the scale increases and vulnerabilities become more complex, manual security operations center analysts and threat-response teams will no longer be a viable first line of defense. Success will depend on deeper machine intelligence and automation. That said, investing in the technology is only a small part of the solution—and even then, it requires a great deal of insight into the network and the greater connectivity landscape to design a model that is appropriate.

      To create scalable and sustainable solutions, it's important to recognize that these problems are organizational—not individual or team-based. Before designing security strategies, executive leadership needs to fully understand the importance of addressing the problem systematically, with a cross-functional, cross-divisional program.

      This program will have to include good security policies and architecture review processes. But it will also have to address the new reality that software engineers and application developers can no longer assume that they are building on top of a naturally secure and private underlying network. Secure coding practices must become so deeply ingrained in the philosophy, processes, and deployment pipelines that they simply become a part of the natural practices of the developer. The bar is high here, and these individuals must understand everything from user authentication to data obfuscation and secure data transport. Organizations will quickly see the need to develop repeatable patterns with consistent, standardized, and reusable security code libraries.

      As daunting as organizational and cultural change can be, it is important to start where you are and move forward from there. If a company doesn't have experience and expertise in these areas, there may be an inclination to delay planning. But it is better to take modest first steps rather than to do nothing. External assistance from a trusted adviser will often prove valuable, even if only to provide a roadmap that an organization can follow. Find those outside experts and advocates as necessary and then scale their services to fit the budgets available. If nothing else, doing so will begin to build the network of strategic partnerships that will become increasingly needed and valuable.

      Funding limitations are a reality all CISOs and their teams must contend with, but the cost of securing the enterprise is too often considered only on the basis of hard allocations—the tools, time, and resources needed. Intangibles and opportunity costs must be considered as well. Is the return on the investment of resources to build that next application feature greater than the cost of an inevitable breach and the reputation and brand harm it would cause? These can be complex and challenging questions for any organization, but they are the types of questions that all companies should become more comfortable answering.

      And they pale in comparison to the complexities and challenges of ever-expanding and complicated networks, sprawling outward with more and more consumer-level devices. The longer an organization delays, though, the more difficult the path forward could be.

      ABOUT THE CONTRIBUTOR

      Brian Talbert – Director of Network and Connectivity Solutions, Alaska Airlines

      Brian Talbert leads the Network and Security Engineering division of Alaska Airlines. Brian is responsible for the strategic direction and platform development that secures the infrastructure responsible for flying 33 million passengers per year to over 115 destinations. In the 20 years prior to Alaska Airlines, Brian worked for leading service providers and enterprises building solutions and organizations that drive information security technology.

       Chris Inglis, Former NSA Deputy Director

      Cyber. Few words enjoy more widespread use across languages and cultures. Used variously as a noun and an adjective, it conveys more meaning in five letters than the vast majority of its counterparts in any language. As a direct consequence of the varied uses of the term, many discussions involving cyber fail in the simplest goal of human communication, namely to ensure that the participants understand or mean the same things in their attempt to communicate.

      To that end, this section lays out a foundation for understanding the essential elements of cyber as a literal place—hereafter referred to as cyberspace. Of note, the term cyberspace includes, but is not limited to, the sum of hardware, software, and interconnections that are collectively referred to as the Internet.

      One of the most important things that the curiosity-minded pioneers of the Scientific Revolution did was to intellectually (and sometimes literally) peel apart a common thing—a leaf, a parasite, a hillside—to better understand what it was made of and how its parts were connected, trying to understand how each layer worked and helped govern the whole.

      THE CASE FOR CYBERSPACE AS A DOMAIN

      Various writers have argued that cyberspace is not a domain, since it is man-made and therefore lacking in the enduring and unchanging properties inherent in domains resulting from immutable laws of nature, time, and space. The case for cyberspace as a domain is found in the simple fact that, on the whole, it has unique properties that can be understood, or purposely altered, only by studying cyber as a thing in its own right. It is a center point that is the result of integrating diverse technologies and human actions, while it also serves as a resource enabling widespread collaboration and integration.

      TEASING OUT THE CONSTITUENT PARTS OF CYBERSPACE

      Mention the term cyberspace in any otherwise polite conversation and the mind's eye of the listener immediately conjures up a jumbled mess of technology, wires, people, and communications racing across
