External IoT Security Assessment? Yep, but Do So Wisely
17 Aug
By Bruce Sinclair
It’s a no-brainer. It is very unlikely that your organization has in-house expertise in network security, web/cloud security, application security, mobile security and, just as importantly, system security that accounts for the interdependencies between these different security frameworks, so you are going to need some help.
When developing an IoT product be sure not to underfund or overfund your security. Finding the right balance starts with knowing what your vulnerabilities are.
For a relatively modest fee, an external security assessment and advisory firm will work with you to test the strength of your IoT product’s security. The predominant technique employed is penetration testing, otherwise known as pen testing, which is used to identify security vulnerabilities, prioritize them and then provide suggestions for how to remediate them. This is done using either a white hat or a black hat approach.
Whichever hat or combination of hats worn, there are three main things you need to complete internally before engaging with one of these firms:
- Outline your goals and motivations for the assessment.
- Pull out or document your technical security architecture along with the security frameworks used.
- Have a remediation plan. There’s no sense in engaging with an assessment firm to find the vulnerabilities without the resources and budget to fix them.
For $10K – $50K you can discover where your security vulnerabilities lie. This then needs to be followed up by putting a price tag on each of those vulnerabilities as part of the risk assessment process within your risk management program, i.e. quantifying the cost of each risk and its probability of occurring. This will direct how much time and effort you should spend on fixing each of the vulnerabilities found.
Have you used an external IoT security assessment firm?