The Digital Transformation (DT) process, the Impact of Internet of Things (IoT) growth and new security and risk requirements



Digital transformation is the integration of digital technology into all areas of a business, fundamentally changing how you operate and deliver value to customers. It's also a cultural change that requires organizations to continually challenge the status quo, experiment, and get comfortable with failure.

Digital transformation is imperative for all businesses, from the small to the enterprise. That message comes through loud and clear from seemingly every keynote, panel discussion, article, or study related to how businesses can remain competitive and relevant as the world becomes increasingly digital. What's not clear to many business leaders is what digital transformation means.


Europe is in the midst of a digital transition driven by consumers, thriving technology hubs, and some world-renowned companies. But digitization is also about the extent to which firms and industries invest in and use digital. In these respects, Europe is much less advanced. Yet if its laggards double their digital intensity, Europe can add €2.5 trillion to GDP in 2025, boosting GDP growth by 1 percent a year over the next decade.

Today, Europe operates at only an estimated 12 percent of its digital potential, compared with the United States’ 18 percent. In addition, there is enormous variation between Europe’s countries: while France operates at 12 percent of its digital potential, Germany is at 10 percent, and the United Kingdom is at 17 percent.

Europe’s low overall level of digital intensity reflects huge gaps between leaders and laggards. The continent’s economy is digitizing unevenly, with large variations among sectors and firms: while the information and communications technology (ICT) sector is at the digital frontier, closely followed by media and finance, large traditional sectors are far behind. Country effects explain one-third of the variation in digital capability across Europe, indicating that countries can influence the extent of digitization within their domestic economy. Sector effects explain the remaining two-thirds of variation in digital intensity across Europe.

Europe under-performs on its digital potential relative to the United States. The European digital frontier, represented by the ICT sector and its digitization of assets, uses, and labor, is only 60 percent as digitized as the US frontier. Some large sectors such as professional services, wholesale trade, and real estate are further behind the digital frontier in Europe than they are in the United States.

The Internet of Things (IoT) is a core element of Digital Transformation, along with cloud, mobile, automation and analytics. Strong business benefits are driving adoption. “Gartner forecasts that 14.2 billion connected things will be in use in 2019, and that the total will reach 25 billion by 2021, producing immense volume of data.” Sensors, cameras, thermostats, and other networked controls deliver game changing capabilities to consumers, and to organizations of all types and sizes. Industrial Control Systems (ICS) deliver power, water, and transportation services, as well as manufacturing processes like robotics. Large-scale government projects like Smart Cities initiatives break new ground in delivering services and improving quality of life for residents.

While consumers purchase more devices, businesses spend more. In 2017, in terms of hardware spending, the use of connected things among businesses will drive $964 billion. Consumer applications will amount to $725 billion in 2017. By 2020, hardware spending from both segments will reach almost $3 trillion.

Gartner shortlisted the 10 most strategic IoT technologies and trends that will enable new revenue streams and business models, as well as new experiences and relationships:

  • Artificial Intelligence (AI) Gartner forecasts that 14.2 billion connected things will be in use in 2019, and that the total will reach 25 billion by 2021, producing immense volume of data. The technology landscape for AI is complex and will remain so through 2023, with many IT vendors investing heavily in AI, variants of AI coexisting, and new AI-based tools and services emerging. Despite this complexity, it will be possible to achieve good results with AI in a wide range of IoT situations. As a result, CIOs must build an organization with the tools and skills to exploit AI in their IoT strategy.
  • Social, Legal and Ethical IoT As the IoT matures and becomes more widely deployed, a wide range of social, legal and ethical issues will grow in importance. These include ownership of data and the deductions made from it; algorithmic bias; privacy; and compliance with regulations such as the General Data Protection Regulation.
  • Infonomics and Data Broking Last year’s Gartner survey of IoT projects showed 35 percent of respondents were selling or planning to sell data collected by their products and services. The theory of infonomics takes this monetization of data further by seeing it as a strategic business asset to be recorded in the company accounts. By 2023, the buying and selling of IoT data will become an essential part of many IoT systems. CIOs must educate their organizations on the risks and opportunities related to data broking in order to set the IT policies required in this area and to advise other parts of the organization.
  • The Shift from Intelligent Edge to Intelligent Mesh The shift from centralized and cloud to edge architectures is well under way in the IoT space. However, this is not the end point because the neat set of layers associated with edge architecture will evolve to a more unstructured architecture comprising a wide range of “things” and services connected in a dynamic mesh. These mesh architectures will enable more flexible, intelligent and responsive IoT systems — although often at the cost of additional complexities. CIOs must prepare for mesh architectures’ impact on IT infrastructure, skills and sourcing.
  • IoT Governance As the IoT continues to expand, the need for a governance framework that ensures appropriate behavior in the creation, storage, use and deletion of information related to IoT projects will become increasingly important. Governance ranges from simple technical tasks such as device audits and firmware updates to more complex issues such as the control of devices and the usage of the information they generate. CIOs must take on the role of educating their organizations on governance issues and in some cases invest in staff and technologies to tackle governance.
  • Sensor Innovation The sensor market will evolve continuously through 2023. New sensors will enable a wider range of situations and events to be detected, current sensors will fall in price to become more affordable or will be packaged in new ways to support new applications, and new algorithms will emerge to deduce more information from current sensor technologies. CIOs should ensure their teams are monitoring sensor innovations to identify those that might assist new opportunities and business innovation.
  • Trusted Hardware and Operating System Gartner surveys invariably show that security is the most significant area of technical concern for organizations deploying IoT systems. This is because organizations often don’t have control over the source and nature of the software and hardware being utilized in IoT initiatives.
  • Novel IoT User Experiences The IoT user experience (UX) covers a wide range of technologies and design techniques. It will be driven by four factors: new sensors, new algorithms, new experience architectures and context, and socially aware experiences. With an increasing number of interactions occurring with things that don’t have screens and keyboards, organizations’ UX designers will be required to use new technologies and adopt new perspectives if they want to create a superior UX that reduces friction, locks in users, and encourages usage and retention.
  • Silicon Chip Innovation By 2023, it’s expected that new special-purpose chips will reduce the power consumption required to run a DNN, enabling new edge architectures and embedded DNN functions in low-power IoT endpoints. This will support new capabilities such as data analytics integrated with sensors, and speech recognition included in low cost battery-powered devices. CIOs are advised to take note of this trend as silicon chips enabling functions such as embedded AI will in turn enable organizations to create highly innovative products and services.
  • New Wireless Networking Technologies for IoT. IoT networking involves balancing a set of competing requirements, such as endpoint cost, power consumption, bandwidth, latency, connection density, operating cost, quality of service, and range. No single networking technology optimizes all of these and new IoT networking technologies will provide CIOs with additional choice and flexibility. They should explore 5G, the forthcoming generation of low earth orbit satellites, and backscatter networks.

But if you work in the cybersecurity or risk areas, this proliferation of IoT endpoints creates strain on effective operational security. The bottom line is that IoT introduces a massive volume of new, often unmonitored endpoints across your network; from the same Gartner release: “CIOs should ensure they have the necessary skills and partners to support key emerging IoT trends and technologies, as, by 2023, the average CIO will be responsible for more than three times as many endpoints as this year.” And they are all targets for attack.


Based on the above, we can identify the following areas that are critical for IoT end-to-end security:

1.      Discovery, Identification & Classification – The discovery process detects the existence of an endpoint at a certain IP address. The identification process then takes this to the next level by detecting the specific information about the device; for example, detecting that a device is a motor from a certain manufacturer. Additional information such as model number, serial number, and firmware version number may also be captured. This metadata is correlated with additional information such as known vulnerabilities, operational strengths and weaknesses, and common misuse and misconfiguration scenarios about the device. This deep classification creates additional granularity in tracking and reporting. The IoT requires strong device identity and Root of Trust at its foundation. This remains a weakness on the PC platform. Hardware-based security, where appropriate, is a key ingredient for enabling this functionality.

2.      Risk Management — Once IoT devices are identified, they must be assessed continuously for associated risk. The risk profile of an IoT deployment changes over time, affected by activities such as adding and removing devices to/from the network, changes to access policies, discovery of new vulnerabilities, and the firmware/software updates applied to devices. Third party risk arises, associated with the exchange of IoT data between the enterprise and external service providers. And as digital transformation continues and IoT technology matures, there will be an increasing number of regulations and guidelines for enterprises to track and comply with, such as FDA guidelines for cybersecurity of connected medical devices.

3.      Authentication and Access — Enforcing authentication and access policies ensures operational integrity of the connected environment. This includes protecting access to and from the device. The strengths and weaknesses of access policies should be dynamically reflected in the continuous risk assessment of the overall environment.

4.      Monitoring and Threat Detection — The massive scale of IoT deployments and prevalence of low-power devices creates security and risk challenges but offers one advantage: an abundance of IoT operational data and use data. Analytics can profile devices, baseline the normal behavior, and detect and alert on anomalous activities and compromised devices. By leveraging machine learning, and with no requirement to change the IoT devices, these techniques can secure large deployments of sensors and actuators.

5.      Data Protection — The data collected from connected devices is critical to the success of any IoT project. The integrity of IoT data is fundamental to arriving at the desired business insight, reliable operational decisions or sound security analysis. The protection of the data at-rest, in-transit, or in-process is critically important in today’s privacy-focused landscape.

6.      Secure Device Management — It’s essential to have a secure solution for device management in an IoT deployment. As a minimum, this includes secure remote maintenance and Over-The-Air or Over-The-Net update for the software and firmware on the device. Similar to modern IT operations, these features provide better agility for the security staff to deal with vulnerabilities and security incidents, especially given the scale of IoT. Building security into the data itself, whether it is in transit (data communication) or at rest (data storage), is valuable in the IoT, given the lack of physical security that resists tampering for most devices. Therefore, tamper-resistant physical security — which can be addressed with hardware security — becomes critical. Key control data and sensor data are now accessible, which can also be addressed with hardware security.

7.      Secure network scale: For many IoT deployments, the number of IoT endpoints will dwarf those in traditional IT projects. Securely managing the network connections and data across these devices requires a scalable solution. Today, public key infrastructure (PKI) is often used to enable trust between systems based on digital certificates. PKI has been proven to scale; however, the device and environmental characteristics of the IoT create a challenge for the secure issuance and processing of certificates. Coupling PKI with a strong device identity is a solution to this problem.
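An added example, not part of the original article: passive per-device baselining as described under Monitoring and Threat Detection, with a median/MAD statistic standing in for the machine learning the article mentions. Device names, destinations, flow values and the threshold `k` are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed flow records (device, destination, bytes per interval); not real telemetry.
BASELINE_FLOWS = [
    ("thermostat-01", "telemetry.example.net", 510),
    ("thermostat-01", "telemetry.example.net", 498),
    ("thermostat-01", "telemetry.example.net", 505),
    ("thermostat-01", "telemetry.example.net", 502),
    ("thermostat-01", "telemetry.example.net", 495),
    ("camera-07", "video.example.net", 12000),
    ("camera-07", "video.example.net", 11800),
    ("camera-07", "video.example.net", 12500),
    ("camera-07", "video.example.net", 12100),
]
NEW_FLOWS = [
    ("thermostat-01", "telemetry.example.net", 500),
    ("thermostat-01", "203.0.113.50", 48000),
    ("camera-07", "video.example.net", 12300),
    ("badge-reader-03", "telemetry.example.net", 300),
]

def build_baseline(flows):
    """Per-device profile: destinations seen plus median and MAD of traffic volume."""
    dests, sizes = defaultdict(set), defaultdict(list)
    for dev, dst, nbytes in flows:
        dests[dev].add(dst)
        sizes[dev].append(nbytes)
    profile = {}
    for dev, vals in sizes.items():
        med = median(vals)
        mad = median(abs(v - med) for v in vals) or 1.0  # avoid a zero spread
        profile[dev] = {"dests": dests[dev], "median": med, "mad": mad}
    return profile

def detect(profile, flows, k=6.0):
    """Return (device, reason) alerts for flows that leave the learned baseline."""
    alerts = []
    for dev, dst, nbytes in flows:
        p = profile.get(dev)
        if p is None:  # device never observed while baselining: inventory gap
            alerts.append((dev, "unknown device"))
            continue
        if dst not in p["dests"]:
            alerts.append((dev, f"new destination {dst}"))
        if abs(nbytes - p["median"]) > k * p["mad"]:
            alerts.append((dev, f"volume {nbytes}B outside baseline"))
    return alerts
```

Because the profile is built from network observations alone, nothing has to be installed on the sensors or actuators themselves.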

Another differentiator in IoT security is how typical IoT devices function. Many devices are constructed to be “fit for purpose,” in that they are created to perform specific functions that may require only a few operations, such as a sensor detecting five characteristics of an environment or an actuator responding to commands. The rise of the IoT creates a varied and different approach to device function — some devices may be built to only deliver information by the second, while others act as a static storing place for information until something is triggered.

Security and risk decision makers must look at data flow in IoT networks to understand how, when and where to secure data. Data in IoT networks tends to be constantly changing, even if it’s stored. When making key decisions to protect data via encryption, network segmentation or even monitoring and detection, data flow remains a key differentiator.

The challenge now is the next phase of IoT security evolution: gaining more insight into what's happening on devices and detecting compromises.


With billions of insecure, old-generation IoT devices already enmeshed in digital infrastructure, it will be decades before the risks from IoT 1.0 are really contained. And many manufacturers still don't feel pressure to improve their practices, because they make generic components or whole devices for other brand names rather than selling the products themselves.

In general, it seems that the hallmark of IoT security is this type of halting two-steps-forward, one-step-back progression. And the industry finally seems poised at the precipice of a next phase. But, unfortunately, it will likely be just as daunting to move through as the last one was.


Finally, what I think is: CISOs need to take a pragmatic approach and recognize that, while you should do everything that you can do, you can’t expect to prevent everything, so they must adopt this statement as a lifestyle: “Control what you can and learn to live with calculated risk”.
