Previous blog posts have talked about the expansion of regulatory purview of existing authorities, and how that is affecting businesses of all sizes – whether or not they are specifically regulated. Others have talked about the value of market-based security, and how procurement and contracting can be leveraged.
Regulatory authorities aside, businesses are applying the same scrutiny independently. I’m sure everyone has, at one time or another, seen the questionnaire regarding information protection controls that precedes a network trust relationship. For example, a company that provides outsourced benefits management is going to house customer employee data, to include SSNs, insurance information, and health data. That’s a big target, and before proceeding you would want to make sure that they don’t have any wildly open doors or windows. So we’re all getting used to this.I think this is a good trend, as it makes security more aligned with market forces, providing a capitalism-based approach – you can make more money if you’re secure. It’s also becoming a necessity as we move into more networked means of managing power consumption, traffic management, asset tracking, and all the other “smart” energy / city / hospital / etc. technologies coming into the market.
The manufacturers of these technologies certainly bear the responsibility of ensuring that their products are secure (and a security certification system may be forthcoming), but I think we can all agree that’s good for a point in time only. Things deteriorate. Additionally, an integrator will likely be required to get the technology installed and working. Everyone in this food chain has a responsibility, and hardly ever are those responsibilities articulated contractually.
The manufacturer has a responsibility to address technical vulnerabilities in the product as they are discovered – notify, and provide a patch, update, or workaround – or completely replace the product. The integrator has a responsibility to work with the customer to ensure that the technology is deployed securely – changing default passwords, activating encryption and other controls that may be optional, and potentially applying manufacturer-supplied updates that can apply corrective action across the deployed base. And you – the customer – must provide activity monitoring and incident response capabilities.
Our collective attack surface is growing exponentially during a time of increasing criminal, nation-state and terrorist activity, while Internet-of-Things technologies are becoming preferred targets for extortion and are being weaponized to attack other entities. With this three-pronged method of addressing the life span of the technology – manufacturer’s assurance of security, integrator’s secure deployment and maintenance process, and customer detection and response – are all required. Of the three, two apply to third parties and are driven by contracts.
In short, if it can’t be shown to be secure and there’s no plan for keeping it that way, don’t buy it. Use procurement and contracting as the security tool it can be, or your “smart” organization may end up looking kinda dumb.