Can the Internet of Things and Security Happily Co-exist?
By Ron Green, EVP & CSO, Mastercard
Every day, advances in technology make our lives easier and easier. Think about it—a few years ago, you wouldn’t have thought about being able to program your thermostat remotely so that your home could warm up before you came home from work, start your car from your phone, or stream movies and TV shows from your smart TV.
Of the people who are taking advantage of these and many other conveniences these connected devices offer, how many of them are focused on security at the same time? How many have changed their password from the original one that came with the device? Did the device manufacturer even let the owner know how to secure the device?
Technology has come a long way—and there’s no doubt it has made things easier for everyone. But are we all thinking as much as we need to be about the potential security risks that come along with such a connected lifestyle?
"Security has to be a fundamental part of any company’s DNA"
For businesses, we must be savvy to these concerns. Advances in technology and automation mean that we can do things more efficiently and effectively—but it comes with additional accountability. The benefits of being able to do things faster, better and cheaper through cloud, automation and other emerging technologies have to include security in that equation. Security has become a core element in how we have to operate. You might see some amazing technology out there, but if it doesn’t protect your information and assets, take a pass. It’s not worth the risk to your company’s reputation.
Security has to be a fundamental part of any company’s DNA. It’s a must for anyone doing business today. The threats and risks are real, and not planning for them as part of your business strategy is a real miss.
At Mastercard, security is a key component of everything we design and build to support our customers and consumers. It has to be! We want our customers and cardholders to know that when they use a Mastercard product, safety and security of their information is paramount. It’s certainly a shift in thinking for businesses to bring security to the table early, as part of the planning process, rather than later, but it’s reaped a lot of rewards for our teams as we think about product design.
It helps from a talent perspective, too. When we have everyone on the Security team—whether it is their actual role or it is a part of what they do—it makes what we collectively produce stronger at its core. And, we can better address issues that arise when bad actors try to take advantage of technology for their own gain.
There are a lot of ways to engage your teams in making sure that everyone is on Team Security. We educate our team members regularly about the threats that are out there in the marketplace—physical, digital, cyber, etc. We host a phishing tournament that is company-wide. It encourages staff to pay more attention to their emails and isolate those that look suspicious. It’s helped us significantly in our efforts to keep threats off our system and better contained.
None of this means that your security teams can take their foot off the gas pedal, though. If anything, the pace of change and intelligence of bad actors mean they have to be even more fastidious in detecting threats to your organization. Ongoing training and education are paramount for your team, because threats and challenges are constantly going to be evolving. And, you have to think about constantly building your team—where is your next talent going to come from? Colleges and universities are beginning to see that our field is critical to business—but we have to partner with them. The things that they’re learning now provide a good foundation for a career in security, but evolving threats now require engagement from companies to help them learn about what’s happening in the marketplace right now.
I’ve always been an advocate for the layered approach to security, and even with the Internet of Things, my approach is not fundamentally different. You have to have a strong team, educated employees, and outreach into the community. You have to partner that with vendors who can help you achieve the goals you’ve set in place for security. And don’t forget that the developer community can be a big help, too—we’ve seen good results from our Bug Bounty program that we launched earlier this year to reward security practitioners who spot potential issues on some of our platforms. It’s just good business to make sure there is a team of people looking out for your security needs.
But it goes beyond that. We already know the bad folks are working together—we have to, as well. It makes sense for us to come together as companies to talk about what’s working, and where we see gaps. Talk about best practices, share challenges we’re facing, share learnings we’ve picked up along the way—because when we do, we collectively become stronger.
It’s a big job—but we can handle it. And, don’t forget to keep asking yourself—what are you doing to improve security at your company each day in 2017?