Over 20% of enterprises will have IoT-centric security by end of 2017: Gartner
CISOs under pressure to find right mix as Internet of Things trend continues
Over 20% of enterprises will have digital security services devoted to protecting Internet of Things solutions by the end of 2017, according to Gartner, Inc.
Business cases using Internet of Things (IoT) devices already exist and their role in business and industry will force enterprises to secure them, the global research firm predicted.
Gartner analysts will discuss cyber security as it relates to the Internet of Things at the Gartner Security and Risk Management Summit, running from 15 to 16 September 2014 in Dubai.
"The power of an Internet of Things device to change the state of environments and of itself, will cause chief information security officers [CISOs] to redefine the scope of their security efforts beyond present responsibilities," said Earl Perkins, research vice president at Gartner.
"IoT security needs will be driven by specific business use cases that are resistant to categorisation, compelling CISOs to prioritise initial implementations of IoT scenarios by tactical risk. The requirements for securing the IoT will be complex, forcing CISOs to use a blend of approaches from mobile and cloud architectures, combined with industrial control, automation and physical security."
Gartner predicts that the installed base of "things," excluding PCs, tablets and smartphones, will grow to 26bn units in 2020, which is almost a 30-fold increase from 0.9bn units in 2009. The component cost of IoT-enabled consumer devices will approach $1, and "ghost" devices with unused connectivity will be common.
There will be a $309bn incremental revenue opportunity in 2020 for IoT suppliers from delivering products and services. The total economic value-add from IoT across industries will reach $1.9trn worldwide in 2020, by which time more than 80% of the IoT supplier revenue will be derived from services. The industries likely to see the greatest value added from the IoT will initially be manufacturing, healthcare providers, insurance, and banking and securities. However, this growth will not be confined to those industries but will expand across all industry sectors.
"In an IoT world, information is the fuel that is used to change the physical state of environments through devices that are not general-purpose computers but, instead, devices and services that are designed for specific purposes," said Perkins. "The IoT is a conspicuous inflection point for IT security, and the CISO will be on the front lines of its emerging and complex governance and management."
Perkins said that the Nexus of Forces identified in Gartner research - cloud, social, mobile and information (also known as the third platform) - is driving early-state opportunities in the IoT. The IoT already has a number of commercial and consumer technology use cases that include connected homes, connected automobiles, wearable devices, intelligent medical equipment and sensor systems for smart cities and facilities management.
The characteristics of intelligent, purpose-built devices that are networked to provide information and state changes for themselves or surrounding environments are increasingly used in OT systems, such as those found in industrial control and automation (sometimes referred to as the "industrial IoT"). However, securing the IoT represents new CISO challenges in terms of the type, scale and complexity of the technologies and services that are required.
"At this time, there is no 'guide to securing IoT' available that provides CISOs with a framework for incorporating IoT principles across all industries and use cases," Perkins pointed out. "What constitutes an IoT device is still up for interpretation, so securing the IoT is a 'moving target'. However, it is possible for CISOs to establish an interim planning strategy; one that takes advantage of the 'bottom up' approach available today for securing the IoT.
"Gartner advises security leaders against over-thinking IoT security by attempting to draft a grand strategy that encompasses all IoT security needs to this point in time. Instead, they should lower the residual risk of the IoT by assessing whether the particular business use case provides better control and performance. Lessons from these initial use cases will serve as building blocks for a broader strategy for addressing the security of the IoT."