IoT must bridge its skills gap to avoid a security disaster

Analysis
Sep 28, 2017 | 5 mins
Internet of Things | Security

The IoT skills gap could expose dangerous security flaws for businesses

A slew of reports has pointed to a worrying skills gap in companies building and deploying internet of things apps and devices.

A survey from Vanson Bourne and Inmarsat found that 76% of respondents said their companies need more people at a senior level to carry out IoT deployments and 72% said there were shortages in management-level experience for IoT. The survey polled 500 senior staffers in IT firms in North America, EMEA, and APAC.

Research from IT trade organisation CompTIA said that a lack of skilled workers would inhibit the adoption of IoT, while according to IT recruitment firm TEKsystems, there were over three million IT jobs posted last year in the US but there aren’t enough skilled people to fill them. Projects lacking the relevant skills may lead to failed products and gaping security holes.

The internet of things, by its nature, is very broad but also still relatively new. We saw similar apparent shortages in skills in cloud computing and virtualisation in the past. Professionals eventually caught up but things may be a little different with IoT, given the vast amount of data at stake.

There has always been a struggle to sufficiently fill roles in IT, and IoT now means more companies than ever are dipping into the same labour pool, says Jason Hayman, market research manager at TEKsystems. Every company in a sense is becoming a software company and they may not have the right talent on tap to deal with that.

“Even though they are established businesses, it is the first time they are adopting a modern software development process. Security is a part of that, and it’s a skill that is hard to recruit for,” explains Michiel Prins, cofounder of HackerOne.

Big picture thinking needed

In the field of IoT and security, “big picture” and “design thinking” professionals are hard to find, according to Kevin Richards, managing director at Accenture Strategy Security for North America. There is growing demand specifically for professionals with strong secure software development and secure DevOps experience, as well as privacy, cybersecurity, and data protection skills.

“Innovation within IoT requires people that walk in even more rarefied air—big thinkers that can convert digital potential into tangible customer value are a special breed,” Richards says. “Equally important are those people that can embed and instil digital trust within all elements of the IoT ecosystem to meet a growing market expectation for personal privacy and cyber resilience.”

There are a lot of different projections out there but it’s generally tipped that there will be around 50 billion devices connected in some way within the next decade. These devices are gateways into our data and lives, whether personal or professional, meaning developers of these services and hardware have a swelling responsibility to be more diligent.

“There is definitely a gap,” says Sean Sullivan, security advisor at F-Secure. “IoT hardware and its related software is not generally designed by security minded engineers and there’s a lack of teachers to even teach or train tomorrow’s engineers.”

Sullivan points to the burgeoning smart home space; he has Philips Hue Lights in his home with the accompanying app:

“Now, suppose my elementary aged son would like to be able to turn on a lighting scheme. I would need to install the app on one of his devices. But then, if I do that, I end up giving what’s basically administrative control to a child. There is no admin vs. user mode for these apps.

“Numerous tech is engineered this way. Any access equals complete access. The engineers typically only think of how to restrict outsiders. Almost zero thought seems to go into providing compartmentalisation and access controls for insiders. The gaps in security thinking begin there and grow wider as systems get more complex.”

There is a need for a shift in mentality in how IoT products are developed if security is to be taken seriously.

Training desperately required

“There is no denying the cybersecurity skills gap. Every company is faced with trying to recruit and keep security talent on a budget, and it’s always going to be hard,” continues HackerOne’s Prins. “What’s even more challenging is that most universities still don’t offer cybersecurity classes or majors, so the gap could get wider if we don’t do anything about it.”

Collaboration skills are key to building a good IoT product as different competences must come together to build something that can collect, store, and analyse data in a safe and efficient way.

“How do we go about training? Is it doing it ourselves or is it partnering with colleges and universities to develop people? Or hackathons, sponsoring events like that,” adds TEKsystems’ Hayman.

With all the talk of skills shortages, another route is to look beyond the traditional computing and programming vocations, where you’re hiring people “on paper”. Rik Ferguson, VP of security research at Trend Micro, is a regular critic of the cybersecurity skills gap, calling on companies to diversify their thinking of what makes a security pro and look to other disciplines.

One way or another, companies will need to get smarter in hiring because expectations and, more importantly, legislation are getting tougher. GDPR is well publicised and will put a greater onus on companies to secure their data, but for IoT specifically, the EU is considering a system for IoT devices, similar to the CE marking for electronics, that certifies the security of a product. Either way, IoT needs to be of a higher standard than ever before and the pros need to keep up.

jonathan_keane

Jonathan is a freelance tech writer living in Dublin, Ireland. He's previously written for sites like Tech.eu, BBC News, and Motherboard covering everything from cyber security to start-ups and the internet of things to drones.