“Forget about perfection; focus on progression, and compound the improvements.” —Sir Dave Brailsford
In the early 2000s, there was an apparent uptick in experts claiming to make surprising discoveries by applying statistics and economics to random-seeming subjects. The 2003 book “Moneyball” explored the use of analytical tools to competitive baseball. Two years after that, “Freakonomics” used economic theory to analyze such subjects as sumo wrestling and parenting. In 2002, Sir Dave Brailsford brought the idea of continuous improvement, a hallmark of Kaizen and Six Sigma methodologies to British cycling. Having earned an MBA, Brailsford helped popularize what he termed “aggregation of marginal gains.” The basic idea is that an organization can make dramatic progress by taking a complex problem, breaking it into smaller elements and aiming to improve each of those by 1 percent. Long story short, Brailsford went on see great success at the Olympics and later, with Britain's first professional cycling team.
The time is ripe to embrace such an analytics- and economics-driven approach to address the current IoT security challenge. A casual glance at the IoT security landscape reveals a whirlwind of vendors with dramatically different messaging and products. Listening to the profusion of messages can lead to the conclusion that an organization can achieve a rarified security level by purchasing a slew of security products and services. But your organization could spend an infinite level on IoT security and still get hacked.
Framing security through an economic lens — and working with partners that share that vision — is a more fruitful approach than viewing cybersecurity in binary terms.
In the IT space, the idea of risk alignment in business and security has been popular for about a decade. But while it is easy to pay lip service to the notion of business-minded IoT security, there are numerous examples of insecure IoT products in the field today that indicate this approach is rarer than it should be.
The problem is often rooted in a cultural disconnect that separates executives as well as IT and OT professionals. “Executives generally treat [security] like a technical problem handled by technical people buried in IT,” said Paul Proctor, VP and distinguished analyst at Gartner at the last Gartner Symposium in Barcelona. In theory, executives want their products to be secure “until you start telling them that it is going to double their budget, double their schedule and negatively impact customer experience,’” Proctor added.
Something similar to this scenario is happening in the IoT world, where too many organizations hawking IoT products have been lackadaisical about security, rushing products to the market with security snafus such as hard-coded passwords, insecure web interfaces and shoddy cloud interfaces.
While there is certainly a value in analyzing common IoT security challenges and mistakes, it is perhaps more helpful to view them as symptoms of a larger problem: carelessness. There’s also the idea that achieving IoT security is a goal that runs counter to business aims — triggering, for instance delays, usability hassles and added costs. But organizations with such a cavalier attitude toward security invite “black swan” events — “high-impact events that are rare and unpredictable, but in retrospect seem not so improbable,” as Harvard Business Review puts it. In the IoT realm, such episodes are costly and can even have fatal consequences under the right circumstances. For instance, a 2015 Jeep hack by a pair of security researchers managed to trigger a recall of 1.4 million vehicles by remotely killing a Jeep on the freeway with the driver’s consent. Imagine the possible consequences if black hat hackers pulled a similar stunt to an unsuspecting motorist.
Given the very real possibility for such outcomes, organizations should view security as a critical business consideration, working to improve their security posture at every possible level and with every team member. By incrementally improving security throughout, organizations can dramatically curb their risk of falling prey to cyber disasters, while developing a higher resolution view of the state of their business and the risks it faces. In fact, each discrete business unit within an organization should “decide how much security they want and how much they want to spend,” Proctor recommended. Proctor also is a fan of framing security like Olympic medals — with gold, silver and bronze options.
Organizations shooting for gold-security would do well to take to heart Sir Dave Brailsford’s so-called podium principles, built on strategy, performance and continuous improvement. Such an approach can transform security from something that seems abstract and unobtainable to something vital and within reach, as the prospect of winning gold medals first seemed to the British Cycling team in 2002 — when they won just one gold medal in 76 years. “To give you a bit of background, when we first started out, the top of the Olympic podium seemed like a very long way away. Aiming for gold was too daunting,” Brailsford told Harvard Business Review. In the 2008 and 2012 Olympics, the team went on to win seven of the 10 gold medals possible. What a difference a bit of economic theory and some hard work can make — for athletics, IoT or nearly anything else.