Gartner Blog Network


The Death of IoT Security As You Know It

by Earl Perkins  |  December 7, 2017

There is a topic that I wanted to share with you that we at Gartner have delivered research on during 2017. We have been developing research on the topic for some time now and I thought as the year draws to a close it might be a good time to share our findings.

IoT security doesn’t really exist in the classical sense as a formally defined market.

I know this may cause some consternation on the part of most “IoT security” companies. But it is important that we view the development of securing IoT devices and supporting systems properly if we are going to take our proper place in planning for IoT security and providing a means to adjust to a post digital-business world. It is my belief after researching IoT security for several years that the concept of IoT security itself is part of a larger historical pattern we have seen many times.

We start off at a significant technology inflection point (such as the evolution of sophisticated smartphones and their use or the broad introduction of cloud services) using the descriptor (cloud, mobile) as an adjective to “security”: cloud security, mobile security. A market then begins to evolve in an effort to address specific requirements germane to the adjective. During the early period of that market, there are unique functions developed for unique use cases. Over time, those functions possibly involve new companies (product and service) along with possibly older, established companies expanding existing products and services to incorporate those functions. Older companies acquire the newer companies if they want to evolve inorganically. The market pursues standards for those functions and (often grudgingly) adopts them.

We’ve seen this evolution many times. What makes us think that IoT security functions are any different? Now there ARE some unique aspects to IoT – their relative cost, the sheer innovation across all verticals that is breathtaking, their ubiquity – it is both an exciting and a terrifying time if you’re in cybersecurity and are trying to address IoT security concerns. I also believe that IoT has specific functions that aren’t found in traditional cybersecurity, even to the point where I’ve wanted to call cybersecurity something else to underscore the changes cybersecurity will experience as a result of IoT’s introduction – digital security. More importantly, business transformation with IoT has been significant, even profound.

I DO believe there are distinctive IoT markets of products and services. Where I’m having a challenge with IoT security is that every time I seek unique, never-before-seen patterns in IoT security across the vertical industries, I have trouble. I do find there are some interesting areas of cybersecurity that are changing and experiencing market changes. For example, “embedded” security functions at the hardware/firmware level have given rise to vendors that attempt to address specific concerns for identity, data encryption or secure applications processing. The variety of networks used by IoT at present has given rise to vendors that provide functions capable of operating across multiple wireless networks and offer the ability to segment IoT networks from “traditional” IT networks. Different types of cloud-based services, consulting and system integration are creating features that deal with significant volumes of data and the overall scale of function across those networks.

However, the development of new companies and the development of features in traditional IT (and operational technology, or OT) security companies is occurring almost simultaneously. Even IoT security acquisitions of new companies by older companies are happening earlier in technology evolution of security. Do not misunderstand my comments – there ARE IoT security companies. But there are also cybersecurity companies engaged in becoming digital security companies at a rate that is attempting to match the pace of IoT deployment and use. Make no mistake – this ISN’T like IT security of the past. IoT is accelerating a convergence that was already occurring between IT and OT security. That convergence had introduced the “cyber-physical” requirements to IT security, and the past 5-7 years have been devoted to incorporating cyber-physical concepts into our IT and OT security to accommodate. Think of it as a bottom-up evolution driven by engineers for requirements in a world driven by physical changes meeting a top-down evolution driven by information technology specialists to handle the uses of information in the cyber world. The needs of IoT security have put both of those evolutionary movements on steroids. Ironically, the final outcome won’t be thought of so much as IoT security; rather, IoT changes will be absorbed into the final outcome of IT/OT convergence.

The title of this blog was meant to be provocative, and to make us all think about the context of the changes we’re seeing. There ARE IoT security companies, don’t misunderstand me. But this IoT evolution looks more like a revolution in terms of its pace and pervasiveness. Attempts to secure IoT must be addressed in the proper context, and hopefully this provides one contextual view to consider as you leave 2017. Happy Holidays, everyone, and may 2018 be even MORE exciting – in a good way.


Earl Perkins
Research VP
5 years at Gartner
32 years IT industry

Earl Perkins is a research vice president in the Security and Privacy team at Gartner. His focus areas include identity and access management (IAM), including user provisioning, role life cycle management…



