Managing enterprise security debt with the rise of IoT

Anyone attending the recent Consumer Electronics Show (CES) in Las Vegas would have been left in no doubt about the strength of the continued hype surrounding the Internet of Things (IoT). From an Alexa-equipped showerhead allowing you to shop and sing while you wash, to connected underwear which tracks stress and sleep quality, the event was overflowing with imaginative ways in which the IoT is set to transform our lives.

The much-anticipated growth of 5G and the low latency it brings will strengthen the real-time application of these devices. Gartner predicts that the enterprise and automotive IoT market will grow to 5.8bn endpoints in 2020. While the prospect of an ever-more connected society sounds exciting, this advance brings a significant problem: each of those connected devices adds attack surface, with new code, new network exposure and new vulnerabilities waiting to be exploited by malicious actors.

The risk is heightened by the lack of focus on security at many IoT manufacturers, who too frequently still have no vulnerability management or software patching process in place. And yet these endpoints are always on, often deeply embedded in our lives, and permanently connected to the Internet or even to the corporate network.


This negligent approach to security often stems from a focus on rapid innovation and minimising production costs. In the race to capture market share, deadlines are tight and costs need to be kept low, which is where the concept of technical debt comes in. Technical debt is the idea that if developers cut corners in creating code, they are actually accruing ‘debt’ in the technology, which accrues interest just like financial debt, and must ultimately be repaid. The repercussions will inevitably be felt later. When this principle applies to all components of an IoT device, that debt spirals – often out of control.

Security debt, like technical debt and financial debt, builds up on a business’ balance sheet and grows even further when a business buys a technology that is already debt-laden. As a result, security debt has become a large problem. Fundamental principles require that debt eventually be paid off, and raise the spectre of forced repayment, or even insolvency, if it is not.

It is only by gaining an understanding of this debt that enterprises can start to appreciate the true impact of the security decisions made by them and by their technology suppliers. A paper by Dan Geer and Gunnar Peterson exploring the complexities of calculating security debt offers a starting point. A ‘Margin of Safety’ calculation compares the ‘book value’ of IT assets with the value of the security controls and services used to defend those same assets. The resulting figure can then be used to work out the technical or security debt ratio for the organisation. Apply that ratio to your cost structure to get a fiscal value, and interest can then be determined using standard financial management values and principles.


Businesses must understand that avoiding debt creep and servicing security debt sooner rather than later is incredibly important. If not addressed, security debt will accrue interest and will likely become toxic if the technology is ever attacked or compromised. Security debt brought on by irresponsible acquisitions of insecure IoT could potentially ‘bankrupt’ a technology or even a whole business, and no one wants to be put in a position of forced repayment and foreclosure. Instead, organisations should be making efforts to understand the debt that is being run up and put the right processes in place to manage that debt and the risk it creates.

Given that debt is accumulated whenever any technology is adopted, those processes should include an assessment of supply-chain risk. Several serious security incidents in recent memory were caused by supplier vulnerabilities. Businesses investing in IoT devices need to investigate the manufacturing habits and security practices of sellers and assure themselves that their suppliers have their own security debt under control, both now and for the future.

The solution? Make security a primary consideration in any IoT investment you make, from your doorbell to your manufacturing technology. Any compromise you make now is bound to catch up with you later. As more connected devices enter an organisation, it is also vital that IT managers and decision makers take responsibility for enforcing appropriate segmentation, access control and patch management protocols and implementing complete, continuous visibility into the entirety of their network infrastructure.
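The segmentation and visibility controls above can be checked mechanically rather than trusted. The following is an added example, not code from the article or from Orange Cyberdefense: it parses dnsmasq-style DHCP lease lines and flags two conditions, an IoT-vendor device that has landed outside the IoT VLAN (a segmentation failure) and any device absent from the asset register (a visibility gap). The addressing plan, the OUI-to-vendor table, the inventory and the lease lines are all constructed for illustration and are not real identifiers.

```python
"""Audit DHCP leases for IoT segmentation and inventory gaps (added example)."""
from ipaddress import ip_address, ip_network

# Assumed addressing plan (hypothetical): corporate users vs. a quarantined IoT VLAN.
CORP_NET = ip_network("10.10.0.0/16")
IOT_NET = ip_network("10.99.0.0/16")

# Constructed OUI (first three octets) -> vendor class. Real OUIs come from the
# IEEE registry; these values are placeholders for the example only.
OUI_VENDOR = {
    "aa:bb:cc": "iot-camera-vendor",
    "dd:ee:ff": "iot-sensor-vendor",
    "00:11:22": "laptop-vendor",
}
IOT_VENDORS = {"iot-camera-vendor", "iot-sensor-vendor"}

# Constructed asset register: MAC -> description. Anything not listed is unknown.
INVENTORY = {
    "aa:bb:cc:00:00:01": "lobby camera",
    "00:11:22:00:00:05": "finance laptop",
}

# Constructed dnsmasq lease lines: <expiry> <mac> <ip> <hostname> <client-id>
LEASES = """\
1700000000 aa:bb:cc:00:00:01 10.99.0.21 cam-lobby *
1700000000 dd:ee:ff:00:00:02 10.10.5.77 sensor-hvac *
1700000000 00:11:22:00:00:05 10.10.3.10 fin-laptop 01:00:11:22:00:00:05
1700000000 aa:bb:cc:00:00:09 10.99.0.44 * *
"""


def parse_leases(text):
    """Yield (mac, ip, hostname) tuples; malformed or short lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            yield parts[1].lower(), ip_address(parts[2]), parts[3]
        except ValueError:
            continue  # unparsable address field: ignore rather than crash


def vendor_for(mac):
    """Map a MAC to a vendor class via its OUI prefix; 'unknown' if unlisted."""
    return OUI_VENDOR.get(mac[:8].lower(), "unknown")


def audit(lease_text):
    """Return findings as (kind, mac, ip, note); an empty list means both checks hold."""
    findings = []
    for mac, ip, _host in parse_leases(lease_text):
        vendor = vendor_for(mac)
        # Segmentation: IoT-class hardware must only ever hold an IoT VLAN address.
        if vendor in IOT_VENDORS and ip not in IOT_NET:
            findings.append(("SEGMENTATION", mac, str(ip),
                             f"{vendor} device outside IoT VLAN"))
        # Visibility: every lease must correspond to a registered asset.
        if mac not in INVENTORY:
            findings.append(("INVENTORY", mac, str(ip),
                             f"{vendor} device not in asset register"))
    return findings


if __name__ == "__main__":
    for kind, mac, ip, note in audit(LEASES):
        print(f"{kind:12} {mac} {ip:15} {note}")
```

Run against the constructed leases it reports the HVAC sensor twice (on the corporate VLAN and unregistered) and the second camera once (on the right VLAN but unregistered); the registered camera and the laptop are silent. In practice the same two checks would be fed from the real lease file, switch MAC tables or a NAC export, with the OUI table taken from the IEEE registry.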

Even though we still lack practical methods of calculating security debt, the thought process the notion evokes provides a useful new paradigm. By looking at our connected businesses through the lens of debt, we may find those businesses better appreciating the security risks they are taking, and adopting more effective ways to manage and mitigate the security risk associated with the IoT.

Written by Charl van der Walt, head of security research at Orange Cyberdefense
