Fortinet’s director of product strategy, Patrick Grillo, recently took to the Gartner Security & Risk Management Summit stage to deliver a session titled ‘The Internet of “Very Bad” Things’, but just before he did, I was able to sit down with him to dig a little deeper into what he thinks is so ‘Very Bad’ about the IoT, and what it means for the industry.
What do you mean by the Internet of ‘Very Bad’ Things? Why do you describe it like that?
From a security aspect, we always look at these things from a negative. It’s because there’s a certain degree of naivety about the IoT from a technology perspective; we do things quite frequently without thinking about the consequences. It’s not just the IoT, think back to when smartphones became prevalent; it was more about ‘look what I can do’.
IoT is building on that, but it’s the scale of the issue that’s frightening. We’re talking about billions and billions of devices that can do anything, that have a role to play but security is not at the forefront of the majority of these products. Every day you can find another article about somebody putting in a home heating management system or doorbells linked to your home security system and they are all connected to the internet, opening the attack surface even further.
Particularly from a consumer perspective, houses aren’t protected and here you are adding hundreds and thousands of additional ways for somebody to break into the network.
Do you see a difference between IoT devices and services created by security-minded companies, who have spent the last ten or so years learning from computer security, and those which are generated by the consumer sector, who still haven’t grasped it?
In IoT, we have an adage: Your three characteristics are speed, price and security – but you can only have two out of the three. In the consumer market, it’s all about speed and price. These are poorly built, poorly designed devices that are in a constant refresh, and security is just not part of the mind-set – it’s a combination of naivety and somebody doing something with technology who isn’t aware of the implications.
You mention the ‘two out of three’ mantra; do you think it will ever be possible to have all three of these characteristics when it comes to IoT?
In the real industrial market, it has to happen. In the consumer/low-end business market, then no – because these devices have such a short shelf life and they are what we call ‘headless devices’ – so more and more security intelligence needs to go into the network itself.
What needs to be done to tackle this, to make security the first thought instead of the last?
That is the objective of Fortinet and every other company in the sector, and unfortunately the thing that puzzles me – as I read about data breaches on a daily basis – is that you would think by now it would raise the awareness and put security at the forefront. However, in a lot of organizations, security has no value or they see it as a business inhibitor – that has to change.
Have we really seen the full scale of the dangers that surround the IoT, or do you think it will take something drastic to make people really sit up and take heed of the fact that security needs to be brought to the fore?
Unfortunately, yes, I do. There has to be a significant failure of some form or another, hopefully it doesn’t involve loss of life, but something that doesn’t stop technology evolving, but brings another consideration to it: ‘yes we can do these things; yes they add value; yes we can differentiate ourselves with these things’, but yet another way to differentiate yourself is by doing it securely.