Debt in the IoT domain

It’s no stretch to say that the Internet of Things (IoT) is going to change connectivity for everyone, at least to some degree. Manufacturers are already reaping the benefits of connected machines: predictive maintenance cuts down the number of tasks, such as scheduling machine repairs, that used to need human co-ordination. Connected doors can cut heating costs, making for more eco-friendly workplaces. With Gartner forecasting that the enterprise and automotive IoT market alone will grow to 5.8 billion endpoints in 2020, there is also huge potential for this to go sour.

However, there is a problem with all this: to keep IoT devices ubiquitous, production costs need to be kept low. This is where the concept of technical debt comes in. The premise is that if a developer cuts corners when writing code, the repercussions are felt later, including whenever that code is modified or built upon. Scaled up across every application inside an IoT device, that debt compounds, often out of control. The same dynamic applies to security: corners cut in security controls accrue in exactly the same way. As a result, technical security debt has become a large problem.

The questions we need to ask ourselves in regard to the IoT are these: will poor risk assessment and accumulated security debt cause a crash similar to the financial crisis in 2008? Is the whole IT industry borrowing security time at a rate that will never be repaid?

Our debt is so fragmented, re-constituted and resold in IoT products that no-one will ever really figure out what theirs is. It could be that we need only one major incident affecting connected devices for the bottom to fall out of the entire industry. This is what happened with housing and mortgages in 2008, so it isn’t a big leap to draw a parallel between then and now. While we haven’t seen anything close to this happen yet, the ‘Spectre’ and ‘Meltdown’ vulnerabilities in modern CPUs (Meltdown mainly affecting Intel parts, Spectre affecting Intel, AMD and Arm designs alike) demonstrated how real this possibility is: a single flaw in a widely shared component reached an enormous installed base at once. Looking specifically at the IoT, VxWorks is a widely used real-time OS in the IoT, and it has had its own share of serious vulnerabilities. The security industry needs to take stock and learn from other industries that have tackled these problems.

Repaying our debts

So how do we at least try to get our security finances back in order? The first step is for the industry to look at calculating security debt, and a paper exploring just this has already been written by Dan Geer and Gunnar Peterson. It offers a starting point for tackling the challenge: a Margin of Safety calculation, which compares the “book value” of IT assets with the spend on the security controls and services used to defend those same assets. The resulting figure can then be used to work out the technical or security debt ratio for the organisation. Apply that ratio to your cost structure to get a fiscal value, and interest can then be expressed in risk management language (for example as an expected annual loss on the unprotected portion).
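To make the “security finances” thought process concrete, here is an added toy ledger in Python. It is an illustration written for this page, not code from the article and not the Margin of Safety formula from Geer and Peterson’s paper. Every figure in it is constructed, and the modelling choices are assumptions: coverage ratio is security spend divided by book value, the target ratio is a chosen share of book value the organisation decides it ought to spend on a given asset class, security debt is the shortfall between target and actual spend, and the “interest” on unpaid debt is the class’s assumed annual expected-loss rate, compounded yearly.

```python
"""Toy security-debt ledger (added illustration; constructed numbers).

Assumptions (hypothetical, not Geer and Peterson's method):
  * coverage ratio = security spend / book value of the asset class
  * target ratio   = share of book value the organisation decides to spend
  * security debt  = shortfall between target spend and actual spend
  * interest       = the class's annual expected-loss rate, compounded yearly
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AssetClass:
    name: str
    book_value: float        # value carried on the books for this class
    security_spend: float    # annual spend on the controls defending it
    annual_loss_rate: float  # assumed expected loss per year, as a fraction


def coverage_ratio(asset: AssetClass) -> float:
    """Security spend as a fraction of the asset's book value."""
    return asset.security_spend / asset.book_value


def portfolio_ratio(assets: list) -> float:
    """Value-weighted spend-to-value ratio across the whole portfolio."""
    total_value = sum(a.book_value for a in assets)
    total_spend = sum(a.security_spend for a in assets)
    return total_spend / total_value


def security_debt(asset: AssetClass, target_ratio: float) -> float:
    """Fiscal value of the debt: how far actual spend falls short of target.

    An over-funded class carries no debt; its surplus does not offset other
    classes, because controls bought for one asset do not defend another.
    """
    return max(0.0, target_ratio * asset.book_value - asset.security_spend)


def accrued_debt(principal: float, annual_rate: float, years: int) -> float:
    """Debt left unserviced compounds at the class's expected-loss rate."""
    return principal * (1.0 + annual_rate) ** years


def ledger(assets: list, target_ratio: float, years: int) -> dict:
    """Per-class view: coverage now, debt now, debt if ignored for `years`."""
    rows = {}
    for a in assets:
        principal = security_debt(a, target_ratio)
        rows[a.name] = {
            "coverage_ratio": coverage_ratio(a),
            "debt_now": principal,
            "debt_in_years": accrued_debt(principal, a.annual_loss_rate, years),
        }
    return rows


# Constructed sample portfolio: hypothetical figures, not from the article.
SAMPLE_ASSETS = [
    AssetClass("connected-doors", book_value=200_000.0,
               security_spend=2_000.0, annual_loss_rate=0.05),
    AssetClass("factory-sensors", book_value=1_500_000.0,
               security_spend=30_000.0, annual_loss_rate=0.10),
    AssetClass("fleet-telematics", book_value=800_000.0,
               security_spend=60_000.0, annual_loss_rate=0.08),
]
TARGET_RATIO = 0.05  # assumed: spend 5% of book value on defending each class


if __name__ == "__main__":
    print(f"portfolio spend/value ratio: {portfolio_ratio(SAMPLE_ASSETS):.4f}")
    for name, row in ledger(SAMPLE_ASSETS, TARGET_RATIO, years=3).items():
        print(f"{name:17s} coverage={row['coverage_ratio']:.3f} "
              f"debt_now={row['debt_now']:>9.2f} "
              f"debt_in_3y={row['debt_in_years']:>9.2f}")
```

The point of the ledger is not the exact numbers but the shape of the answer: the portfolio-level ratio looks tolerable, yet the per-class rows show where the shortfall sits and how quickly it grows if left alone, which is the information an organisation needs in order to decide which debt to service first.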

The crucial overarching point about security debt is that businesses must understand that servicing it sooner rather than later matters enormously. Left unaddressed, it accrues interest and becomes toxic over time. Security debt brought on by large investments in the IoT could potentially bankrupt a business, and no one wants to be put in a position of forced repayment and foreclosure. Instead, organisations should be making efforts to understand the debt they are running up and put the right processes in place to manage that debt and the associated risk.

Even though the concept of calculating technical security debt is theoretical, the thought process driving it is very real. Perhaps by looking at our connected businesses from a financial perspective, we may find more effective ways to manage and mitigate the security risk associated with the IoT, before that debt comes due and affects connected businesses more than we can imagine.

We know that this viewpoint may seem daunting, but it’s not an insurmountable challenge. If you’d like to discuss how we can help protect your connected business, let’s talk. No matter the industry, we will be able to help.
