Device Security Manifesto

From its experience in the connected-device field with manufacturers, vendors, operators and service providers around the world, the Vdoo team has come to see clearly that the industry as a whole needs a major shift. More than that: unless device security becomes a strategic priority across the entire ecosystem, this market will reach a point of no return. That realistic scenario carries unavoidable risks for manufacturers and users alike, harming many sides of the business, from reputation to profit.

Attacks on connected devices surged 300% in 2019 alone. Had every one of those attacks affected device function or availability, or worse, put hundreds of thousands of devices out of service, the impact would have been beyond imagining. It is no surprise, then, that end users across industries are quickly becoming aware of these problems. According to a Bain report, 45% of enterprise customers are limiting their investment in connected devices out of concern over security risk, and 93% of executives say they would buy 70% more devices, and pay 22% more for them, if manufacturers provided better security.

In other words, every company that develops, manufactures, supplies, sells or operates connected devices needs to understand that, in the eyes of its customers, shareholders, the media and the relevant regulators, the security of its connected products is entirely its own responsibility. Moreover, because of the nature of connected devices, that responsibility lands on the company whether it developed the product entirely in-house or sourced specific components from third parties through its supply chain.

The next step is for these companies, in every industry, to recognize that device security has become a strategic imperative. The only way to win in the long term is to ensure that the best possible security is delivered consistently across the entire product lifecycle of connected devices, in every business unit and every product line.

Even a company with a product security team made up of experts needs a significant investment of time, budget and staff to integrate and improve device security at scale and at speed and so reach this goal. Breaking the effort down into the ten tasks below makes it considerably more manageable; together they cover everything needed to meet the device security objective.

Ten key steps to securing devices

1. Establish device security as a strategic, long-term, must-have project

Stop treating device security as a short-term, reactive task taken on only to resolve a specific product or customer issue at one business unit or product line.

Instead, approach it proactively as a strategic, long-term imperative across all business units and product lines, a must-have project driven by supply chain constraints, risk management needs, regulatory requirements and customer demand.

2. Make executive decisions to be carried out by an expert device security team  

Stop addressing device security as a sporadic effort handled differently in each part of the organization, with each business unit typically having access only to basic security processes and knowledge.

Instead, create a corporate product security initiative to coordinate device security activities across the entire organization. This cross-functional team should have three main goals: establish a coherent device security strategy, ramp up the company's device security capabilities, and centralize device-related decision-making. It needs to become the go-to point for device security expertise across the company, giving every product team access to the specialized know-how, recommended security processes and automated technologies required to implement a device-centric approach properly at the product level.

3. Provide all relevant employees with access to device security information  

Stop making device security information accessible only to the more technical people at the manager, developer and architect level, especially since each of them typically has a different view of the open security issues, depending on which tool they happen to be using.

Instead, make sure the security profiles of all product lines are visible to everyone across the organization, from C- and VP-level business executives through the product security, compliance and technical teams. This should include actionable insights based on internal and external benchmarks of those security profiles, so that best practices and recommended solutions can be shared across the organization and teams can collaborate and learn from one another.

4. Build up sufficient internal device security resources and expertise  

Stop treating device security as secondary to IT security. It is just as critical, and treating it as an afterthought usually leaves devices far more vulnerable.

Instead, since devices demand a different way of looking at security, make sure your security experts have the experience and expertise needed to secure embedded devices and connected products.

5. Create a dedicated product security budget as a business enabler 

Stop making people scrounge for leftover money in discretionary development budgets when they need to handle device security issues. That only leads to important security decisions being made with a cost-center mentality, judged by their impact on product timing, functionality and price.

Instead, provide dedicated device security budgets, approved at the C-level as strategic business enablers and managed by the corporate device security team. These budgets should be assigned during planning to specific product security line items, on the understanding that they can create new business opportunities for the company as a whole.

6. Eliminate the patchwork of unsynced point solutions used across the company 

Stop using a patchwork of point solutions: automated technology such as software analysis (SBOM, SCA, SAST and DAST), vulnerability assessment, run-time protection and real-time monitoring, alongside security services such as manual penetration testing, threat intelligence feeds, security architecture consulting and other managed services. Managing all of them is a waste of time and a drain on resources, and they cannot be synced with each other or with existing processes without extensive integration work.

Instead, use a single integrated platform that provides all the capabilities needed to ensure optimal security, which helps maintain coherent standards across multiple product lines and business units. This saves time, cuts costs and reduces the need for specialized resources, so that teams can stay within business constraints such as product release deadlines, functionality requirements and budget limits.

7. Stop using existing IT security solutions for device security  

Stop taking shortcuts to device security by using tools designed for IT security and general software development. Familiar tools may be easier to work with, but the broad range of device types, operating systems, components, attributes and technologies means there is no one-size-fits-all device security solution. Existing endpoint and software security products are simply insufficient to address device security fully, since they were not designed to deal with low-level programming, closed systems, real-time operating systems and similar concerns.

Instead, look for solutions designed from the ground up for device security. Only they can address each device in the context of its specific configuration and implementation, and provide the high-quality, device-specific, prioritized results required to ensure that the right security issues are mitigated at the right time.

8. Secure devices across their entire lifecycle 

Stop addressing device security at only one step of the device lifecycle on the assumption that the rest can wait. Resolving issues after devices are deployed in the field is difficult and costly, and the costs pile up when serious issues must be fixed across the entire installed base, or when regulators refuse to approve devices for lack of compliance.

Instead, address security issues continuously at every step of the device lifecycle, from initial design and development all the way through deployment and maintenance.

9. Gain control over the security provided by the software supply chain 

Stop ceding control over device security to complex vendor supply chains. Companies tend to become dependent on the security their vendors provide and end up chasing them for patches, which then have to be applied by hand.

Instead, gain visibility into, and control over, the security of all third-party hardware and software components, in order to minimize the financial risk that comes from including them in devices.
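The visibility this step calls for starts with a component inventory, the SBOM named under step 6, checked against known advisories so that the patches you would otherwise be chasing are identified from your own side. The script below is an added illustration of that check and is not Vdoo's code: the CycloneDX-style SBOM for a hypothetical firmware image and the advisory list are both constructed here, and the component names and advisory IDs are placeholders, not real products or real vulnerabilities.

```python
"""Inventory the third-party components in a device SBOM and flag the ones
that fall inside a known-affected version range.

Added illustration, not Vdoo's code. SBOM_JSON is a constructed,
CycloneDX-style document for a hypothetical firmware image, and ADVISORIES
is a constructed list standing in for a real vulnerability feed; the
component names and advisory IDs are placeholders.
"""
import json

# Constructed SBOM: the kind of inventory software analysis tooling produces
# from a firmware image. Versions are placeholders.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "acme-httpd", "version": "2.3.1"},
    {"type": "library", "name": "acme-tls", "version": "1.2.0"},
    {"type": "library", "name": "acme-mqtt", "version": "0.4.9"},
    {"type": "library", "name": "acme-json", "version": "3.1.0"},
    {"type": "library", "name": "vendor-blob", "version": "git-a1b2c3"}
  ]
}
"""

# Constructed advisory feed: each entry names a component, the first affected
# version (inclusive) and the first fixed version (exclusive).
ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "name": "acme-httpd", "affected_from": "2.0.0", "fixed_in": "2.4.3"},
    {"id": "EXAMPLE-ADV-002", "name": "acme-tls", "affected_from": "1.0.0", "fixed_in": "1.2.0"},
    {"id": "EXAMPLE-ADV-003", "name": "acme-mqtt", "affected_from": "0.5.0", "fixed_in": "0.6.1"},
]


def parse_version(text):
    """Turn a dotted numeric version into a tuple of ints.

    Returns None for anything that is not purely numeric (git hashes,
    vendor-specific strings) so the caller can flag it for manual review
    instead of silently treating it as safe.
    """
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def version_lt(a, b):
    """Compare version tuples of unequal length by right-padding with zeros,
    so that 2.4 equals 2.4.0 instead of sorting below it."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def is_affected(version, affected_from, fixed_in):
    """True when affected_from <= version < fixed_in."""
    return not version_lt(version, affected_from) and version_lt(version, fixed_in)


def load_components(sbom_json):
    """Return (name, version) pairs for every component listed in the SBOM."""
    bom = json.loads(sbom_json)
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def check_sbom(sbom_json, advisories):
    """Match every SBOM component against the advisory list.

    Returns {"affected": [...], "unknown": [...]}: each affected entry carries
    the advisory ID and the version to upgrade to; each unknown entry is a
    component whose version string could not be compared and needs review.
    """
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv["name"], []).append(adv)

    affected, unknown = [], []
    for name, version_text in load_components(sbom_json):
        version = parse_version(version_text)
        if version is None:
            unknown.append((name, version_text))
            continue
        for adv in by_name.get(name, []):
            lo = parse_version(adv["affected_from"])
            hi = parse_version(adv["fixed_in"])
            if is_affected(version, lo, hi):
                affected.append({
                    "name": name,
                    "version": version_text,
                    "advisory": adv["id"],
                    "upgrade_to": adv["fixed_in"],
                })
    return {"affected": affected, "unknown": unknown}


if __name__ == "__main__":
    report = check_sbom(SBOM_JSON, ADVISORIES)
    for hit in report["affected"]:
        print(f"{hit['name']} {hit['version']}: {hit['advisory']}, upgrade to {hit['upgrade_to']}")
    for name, version in report["unknown"]:
        print(f"{name} {version}: version not comparable, review manually")
```

Two design points matter in practice. A component whose version cannot be parsed (here the vendor blob tagged with a git hash) is reported separately rather than dropped, because an opaque vendor binary is exactly the component you have least visibility into. And a component sitting at the fixed version (acme-tls at 1.2.0) is correctly not flagged, which depends on treating the fixed version as an exclusive bound; an inclusive comparison there would generate false patch requests to the vendor.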

10. Focus on device security without neglecting time-to-market, functionality and costs 

Stop focusing on time-to-market, cost-to-market and functionality while doing only the minimum required security verification. That may minimize direct costs in the short term, but it significantly increases the financial, legal, compliance and reputational risks, which can cost far more in the long term when security issues surface and invite attacks.

Instead, despite ROI models, slim margins and strict constraints, companies need to spend more time, resources and budget establishing device security processes, working them into launch plans and budgets ahead of time.