Gartner Blog Network

Webinar QA 2: Manage Risk & Security in the IoT

by Earl Perkins  |  July 8, 2016  |  1 Comment

As I stated in a recent blog, I completed a Gartner webinar that is now recorded– you can find this recording at if you are interested. At the end of that webinar I was able to answer some of the questions asked by attendees, but as in every case I wasn’t able to answer all of them asked. This blog addresses the remaining questions. I will make an effort for every webinar to write a blog for unanswered questions to provide what I hope is additional value to your webinar experience, and for those that did not attend I believe the questions (coming from you!) are extremely valuable and deserve answering. Please see both questions and my answers below.

1- Some employees asked me about certificates. Do you issue anything? Thanks.
Unfortunately, Gartner does not yet offer a certificate or recognized credit for the educational value of the webinar. Perhaps you can let your account executive know this is something you desire and we can change that in the future!

2- Are there IoT providers or any specific IoTs that come with cyber security insurance?
To my knowledge, I am not aware of providers at this stage in IoT security services that provide cybersecurity insurance. They may exist, but if they do I haven’t yet spoken with them. For those companies that do have such services and are reading this blog, I offer that as an invitation to be briefed by you! It would make sense as services mature and become more structured and well-defined that such features of that service like cyber-insurance will be offered.

3- Since I’m the Program Manager in our Directorate, one of my things is for the employees to seek self-improvement training. With this webinar, do you issue any sort of Certificate of Training? That way I can count for the time the spent on the training. Thank you
I’m sorry, but as in question 1, I regret we don’t yet have such a service that is official or certified.

4- Does the “industry” (who?) has to establish a new Governance model to manage international deployment of IoT cross border to enable evolving in a sustainable ecosystem?
I believe existing governance models for digital security can be modified to reflect a sustainable approach. Doing it “cross border” (as in cross-country) will require a level of understanding of individual country regulations and standards that would be built in to such a governance model, along with changes that reflect a balance between resources consumed and services provided. Part of my recommendation about the skills of a “portfolio manager” in the security practice might assume some responsibility to provide the necessary inputs to the governance committee or decision-makers for that effort.

5- Have any studies been conducted on the skills availability to staff the different areas of Digital Security? How big an issue is skills shortage?
If we examine digital security as Gartner defines it, there is to our knowledge no consolidated skills inventory and availability program covering availability of IT, OT, physical and IoT security requirements as an integrated organization. Nor am I aware yet of managed services organizations that provide such an approach. There are some services organizations that are offering combined IT/OT digital security skills, but not that many, and not in as coordinated fashion as they could be. Please note that the concept of the digital security organization is a multi-faceted problem, where you combine external skills availability with your own to try and provide as seamless an experience as possible. It also represents some interesting meetings of culture, since these disciplines arose in parallel but not interleaved paths. That’s why it bears additional study. Gartner is producing a foundation research note on the digital security organization for release in the next 30 days (August, 2016).

6- What is your view on the top distinction between commercial and military in tackling IoT?
Many nations’ military technologies have been using IoT products, systems and services for decades– they just didn’t call them that. Operational technology (OT, or what many call industrial automation and control systems), the military and critical industries were using devices to sense, collect, analyze, connect, transmit, receive and act for a very long time. Most of their products are proprietary and are often expensive. When commercial and consumer markets “discovered” what can be done with such devices and services and began to use less expensive hardware and more standardized networks, the age of IoT was ‘born’. The top distinction between commercial and military in tackling IoT is experience. They are aware of capabilities, they have taken steps particularly at the device level to maximize protection from tampering and counterfeiting, they have used many different wireless communications capabilities over the decades for such devices. This is not to say the military gets it perfectly correct– there are still definite areas of improvement to be had, particularly as they begin to embrace more commercially available solutions and approaches. But they have a head start.

7- How suitable is a Mobile Device Management (MDM) Architecture to a IoT environment?
VERY suitable. In fact, if you examine the history of OT security and mobile security development and management, you are in fact viewing much of the future history of IoT security. I sometimes joke that most IoT devices are mobile devices that don’t move, because of their use of wireless functionality, the design of software for secure virtual environments on the device, the use of management systems for discovery and provisioning– all of these capabilities will have definite applicability in IoT scenarios.

8- How can you protect IoT devices if you are not able to protect the computers that are used for monitoring or maintaining them?
You can’t. Your question is a very good one, because it highlights a critical point: if we aren’t able to provide effective protection for what I call “core” systems, what makes you think that your IoT experience will ever be as secure as you may require it? What IoT’s entrance into your digital life now means is that the time is up to establish foundation security practice. Last year I wrote a blog where I said that “you can’t fix stupid”. What I meant was that if an organization is unwilling to establish even the basic “hygiene” of security proportional to the risks they’re attempting to manage, no technology can save you from eventual (and potentially catastrophic) compromise. IoT magnifies this problem by expanding the complexity surface of accessible points into your digital business. There are ways to minimize the impact of that complexity increase, but not if a foundation of secure practice is absent.

I am not certain what is meant as the question part of this 2014 article, but it highlights key concerns about the IoT that Gartner has also tried to highlight in this webinar and in research. What is comforting is that all of these articles begin to sound alike at some point– as they should.

I hope these answers were useful to both webinar attendees and non-attendees alike. We’ll do this again for our next one.

Category: cyber-physical-systems  cybersecurity  data-security  industrial-automation-and-control-systems  industrial-control-systems  internet-of-things  mobile  operational-technology  ot-security  security  

Earl Perkins
Research VP
5 years at Gartner
32 years IT industry

Earl Perkins is a research vice president in the Security and Privacy team at Gartner. His focus areas include identity and access management (IAM), including user provisioning, role life cycle management… Read Full Bio

Thoughts on Webinar QA 2: Manage Risk & Security in the IoT

  1. Earl, great meeting. I like how you have split it up into 9 steps. I think there are 9 great points there in which people should definitely take notice.

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.