“From a purchasing standpoint, that maintenance guy who usually buys the 55 cent light bulbs is now buying $40 light bulbs,” said Thomas Pore, director of IT/services for Plixer, a security vendor that specializes in incident response. “But, clearly, security is not in the thought process.”
Pore stressed that there are clues that executives can be trained to recognize. If the device has its own antenna, for example, “4G is going to be labeled all over the box.”
But what if the device is using satellite communications? “OK, satellite-based? No visibility, none,” Pore said.
Similar to the way that companies were forced to change their security thinking when printers and scanners started getting their own IP addresses, they need to change purchasing and oversight procedures to cope with the IoT. This is nothing that CIOs or CISOs can do on their own — and many executives would probably view any such move suspiciously, as a power grab. This kind of change has to come from the CEO — or, at the very least, the CFO, who does ultimately control the approval on all purchases.
Changing approval processes and adding a lot more (costly) training is never a fun recommendation to make. But unless you want to be done in by your own light bulbs and door locks, you’re going to have to do it.