An extensive new study reveals what’s really worrying IT and security professionals. It also reveals a little of their (deeply human) hypocrisy.
Everything they do carries with it a large portent of the future.
They perform research to back up their case, often coupled with a dramatic headline.
This is a sample that just crossed my eyes. I mean, literally crossed my eyes: “IoT, Authentication and Cloud Services Drive Staggering Increase in PKI adoption and in Certificate Volume.”
Naturally, I was staggered. So much so that I looked further. There were many numbers and many words, densely packed together.
I needed to concentrate. For this was the annual Global PKI and IoT Trends Study, performed by the Ponemon Institute on behalf of security company nCipher, which is now owned by Entrust. Which will surely soon be bought by a company called Enlighten, Enhance or, I don’t know, Enematronics.
Last year, I perused this study and offered the thought that IT and security professionals believe regular employees are just the worst.
Well, here we are again and things don’t seem to have got much better. More than 6,000 IT and security professionals were interviewed for this study and I detected that the understandably dry presentation concealed their rabid need to ululate in public and retrain as fire-eaters.
I also detected a touch of hypocrisy in at least one element of their beings.
I therefore asked John Grimm, Entrust’s vice president strategy for digital solutions, whether my suspicions had validity.
This study seems to reveal that IT people are being driven demented by the fact that they have no idea what sort of Internet of Things devices are being connected to their corporate networks.
What sort of employee does that? (My suspicions fall upon the people in sales and, well, senior executives who think they can do anything.)
Grimm explained: “This is often consumer devices that the user is using for convenience. An Alexa for verbal commands, a smartwatch for email on the go, a connected coffee pot to have coffee ready for the first worker in.”
How painfully modern to think that employees need Amazon’s Alexa to function at work. And a connected coffee pot? Is it too much trouble to make your own nut-milk latte when you get there? It seems not.
“The danger is that these devices aren’t typically secured by design,” Grimm told me. “They can basically be like an open door or window to the network that an attacker uses as a means to get on the network and look for more valuable resources — intellectual property, personal information, and more.”
Essentially, then, corporate IT departments are now making it a priority to find devices that careless or halfwitted employees have hooked up so that they can have an easy morning.
“Once IT teams prioritize discovery and employ tools to scan the network for such devices, they can decide whether to allow them to remain, blacklist them, or add security agents to them before allowing ongoing connectivity,” Grimm told me.
At this point, I felt deep sympathy with the IT community, as they desperately try to keep corporations away from another embarrassing headline.
But then I noticed another oddity, one that was equally disturbing.
It seems that these IT professionals put securing delivery of patches and updates to IoT devices as their lowest priority. This despite the fact that they ranked altering the function of a device (say, by loading malware) as the biggest thing to fear.
I sensed Grimm might find this somewhat frustrating. Or even a touch hypocritical.
“It’s like replacing the tires on your car when the brakes aren’t working,” he told me. I thought I detected the rolling of eyeballs and the gritting of teeth.
I see swathes of hope in all this.
Employees remain perfectly human, failing to anticipate the most dramatic issues because they’re enthralled by the mundane things technology can do for them. (And goodness do they whine when the network is suddenly down for urgent maintenance.)
IT and security professionals are also perfectly human. They might seem like automatons, but they’re just as willfully inconsistent and maddeningly myopic as everyone else.