Analyst firm Gartner expects the Internet of Things (IoT) to drive a convergence of IT, physical and industrial control security practices over the next several years.
Much of the convergence will result from the sheer heterogeneity and number of devices that will become Internet-enabled by 2020. Current estimates range from Gartner's 26 billion devices to IDC's mind-boggling projection of 212 billion installed devices.
While most of the devices are unlikely to pose security threats, many will intersect with enterprise networks in the form of smart heating and lighting systems, equipment monitoring and maintenance sensors, industrial robots, asset tracking systems, plant control systems and personal devices such as fitness bands and smartwatches.
Managing those devices securely will require a combination of security skills, said Earl Perkins, Gartner analyst and the author of a new report that looks at the security implications of the IoT for CISOs.
"We are at the early stages of a major inflection point in security," Perkins said.
Most of the devices will be function-specific and use a variety of non-standard communication protocols. The devices will also feature embedded operating systems and software that provide little way for IT to add a security layer on top. Some devices will just be sensors for storing and forwarding data. Often, new devices will need to interact with older systems and software.
While IT organizations have been able to add some measure of protection to smartphones, tablets and other mobile devices in the workplace, they will find it hard to do the same with many of the devices that will comprise IoT in a few years.
Instead of layering protection at the device level, organizations may need to think about centralizing and aggregating security controls via gateway devices. The massive number of devices that will need to be managed in this way could pose new problems.
"There will be many different kinds of service providers who will contribute to security" in the enterprise, Perkins predicted. In addition to traditional security vendors, others like embedded application and operating system vendors and equipment manufacturers will have a role to play, too.
"All of [these entities] will become players in the security space," Perkins noted. "Some will be customers of security and some will contribute to security."
Dealing with the real-time, event-driven applications and non-standard protocols that define much of IoT will require significant changes to app testing, vulnerability, identity and access management practices, Perkins said. It will also require changes to other practices such as governance, management and enforcement of security functions.
Just as mobile devices and the BYOD trend have forced IT managers to think differently about security, IoT will require companies to rethink what they do. The main difference is that the scale is magnitudes larger than what security managers deal with now, he said.