From the course: IoT Product Security

Foundations for success

Hi, I'm Matthew Clark, and this is Module 2: IoT Product Security Programs. Well, congratulations. We've completed Module 1. This slide shows our progress towards our certificate of completion. So let's begin our new module with Lesson 2.1: Foundations for Success. Okay. So I admit it. You know, I really like bubbles. I still like bubbles. I liked them when I was younger and I like them as an adult. I think that they're pretty cool. And the thing about bubbles is when you first look at them, they all look the same. But when you look closer at them, you realize that each one is really unique. They have different sizes, some are larger, some are smaller, some connect together and make really cool shapes. Others, you know, are really high in the air and some of them float really low to the ground. And when you look at them, think about the world of IoT and the different devices that are out there; those devices really are unique as well. And the way that they interact in each one of these industries is also very unique, and it's something to think about. And keep in mind that as we go through this course and as you go through your career and you're considering different pieces of security, it's always important to use what you've learned in your past, but always keep yourself open to thinking about new ways to do things, new risks that may be out there as conditions change.

So there are different characteristics of success that I want to go through. And a lot of this kind of centers on the PPT: the people, the process, and the technology. And all three of those really work well together to drive security. So, for example, let's start with people. You're going to need someone, of course, on the executive side; you're going to need that leadership support. The IoT Security Foundation really outlines some of these key roles that you need from the people side to be very successful. You're also going to need a role designated to lead the program. You just can't do it by committee. You can't just hire people and say, okay, this group of people, while you build a program and also build a product, I also want you to consider security, and welcome, here's another hat to wear. And that's the thing about people. The more hats we give them, the more their attention is kind of divided between those different pieces of responsibility, which is why it's important that we map roles and responsibilities together. RACI charts are great for this. Right. Responsible, accountable, consulted, and informed. Being able to map out who should be doing each one of those four roles and making sure that you have the right people in the right roles in order for what you're asking people to do to be successful.

Something else to think about too is process. Right. And there are lots of different processes that are out there. And the good thing is that on the enterprise security side, a lot of these processes have already been created. Of course, the bad news is that you just can't lift and shift. You can't take what's existing on the enterprise side and just apply it equally, without changing it, to the IoT product security piece. So just for example, you're going to need the process to conduct risk assessments. And I put the example figure out there because, you know, I tend to think about risk assessments as something where there are a lot of different frameworks out there that say that you need to do it, but very few that actually say how you should go about it. And I'm not a big fan of heat maps, but FAIR is something fun to learn about and try to apply. And it's a way to be able to make sure that you're really, you know, challenging yourself as it relates to risk assessments. And I think it works out well on the IoT product side as well. You're going to need a process to handle security incidents. Again, you have this already in place on the enterprise side, but it's different when a security researcher contacts your frontline support people to say, hey, your IoT product, I hooked a sniffer up to it and boy, I can read everything. Right. That's a completely different type of security incident that you're going to need to build a framework for. Another process could be just to issue security advisories. Right. Once you know that there's an incident and a fix, how are you going to advise individuals, customers, and the market on how to handle that? And I can tell you that if you wait until the very end to think this thing through, there are going to be enough other things happening that it's going to make that very difficult. It's always easier to think about these processes and put them in place prior to when the emergency happens and you actually need it. And another one is the process for third-party suppliers, and third-party suppliers are so important in the IoT security world, because they're everywhere, and I love this quote here. I'm a terrible cook. And so this quote has always given me, you know, hope, and this is from Laurie Colwin. She's a cookbook writer. She said that "No one who cooks, cooks alone. Even at her most solitary, a cook in the kitchen is surrounded by generations of cooks past, the advice and menus of cooks present, and the wisdom of cookbook writers." And to me, this applies to IoT security very well, because in the IoT world, when you think about your third-party suppliers, there are an awful lot of cooks in that "kitchen." Right. When you go to develop something, you put software code in there, there could be lots of different hooks in that software with lots of different people, different libraries, and different things that are out there that you may or may not be considering the security of.

So another thing to think about is the technology side. And technology is a big piece, of course, of IoT because we're building a physical product. So there's everything from the hardware and roots of trust, different types of communication, software tools to software development kits. Right. Different languages, cloud automation, whether you're dealing with Google or Amazon or Microsoft Azure. You've also got the security and the auditing and the analytics and encryption. It just goes on and on and on on the technology side. And, of course, when we think about this, and this is a really common thing, the people, the process, and the technology. Right. It all fits together. When the process and the technology work well together, then you can automate; when the technology and the people work together, then you can innovate; and when people and process work together, then you have scale. Right. And then those magic, magic moments when you get to perfect PPT and it all works together, then that's like, you know, success. Nirvana. Right. It's great. But all these things, just like in the enterprise security world, work together in the IoT product security world.

So something else to think about too is policy. And I know that in light of the PPT, this is really part of the process side of the world. But each one of those processes that you create needs to have an underlying policy behind it. And those policies are really important because they help the enterprise work together. So for example, you're going to need a program charter. Right. Something that says, hey, we're going to be doing IoT product security, and the enterprise is behind this, and senior management is forward and they've given us the authority to act. You're going to need an established security framework. On the enterprise security side, you're going to have a framework like the NIST CSF, or maybe even the Critical Security Controls. You're going to use a different framework for the IoT product security. But those two frameworks need to work together under the same umbrella. And the good news is that there are lots of mappings out there already that you can use. Risk management is another good one to think about. Right. There are probably processes for doing that. On the enterprise side, you have risk management, and enterprise security probably rolls up under other types of risk management for the enterprise as well. And so you're going to want to make sure that the IoT product security risks that you've identified also roll up as well. Vulnerability disclosures. Right. How to handle that, you're going to need a policy for it. And this is for how a security researcher would communicate a vulnerability once they find one, and then how are you going to handle that disclosure once you receive it? Right. Who's going to look at it? Device updates. That's another good one. Right. I mean, the policies just go on and on. Things to think about.

And, again, programs is another area to think about. So you're going to need -- GRC is a good way to think about these programs. You're going to need a governance program to make sure that you're doing the correct things, right, and they're being done in the correct ways. On the risk management side, everything from understanding risk appetite to conducting risk assessments and threat management to responsible disclosure. Right. All these different pieces that you have within the risk world, developing these individual programs. And of course, you're going to need a compliance program. Right. And that's basically just doing the things that you say that you're going to be doing. And so all these things work together.

So in this video, in summary, we identified the characteristics of success, what successful product security programs all have in common. We took a look at the people, process, and technology, the classic PPT triad, and how that applies to the IoT product security world. And lastly, we talked about policy and governance and risk management and compliance, and basically, you know, doing the things that we say that we're doing and making sure that they map back to the enterprise. Well, that's it for this lesson.