Interviews

AIG Interview: The Costs of IoT Security Problems

Sebastian Hess
Cyber Risk Engineer, AIG Europe Limited

Sebastian Hess
Cyber Risk Engineer, AIG Europe Limited

Sebastian Hess has been Cyber Risk Engineer for Austria, Germany, and Switzerland of AIG Europe Limited in Frankfurt since June 1, 2017 with responsibility for the strategic further development of Cyber Risk Consulting. He is an international business leader with experience in both the military and private sectors and specialization in Information Technology Security and Cyber Defense. He has spent the last 20 years working for high level and highly exposed national and global organizations focusing on protecting their IT environments. He has racked up an impressive record of achievements and advancements on multiple continents.
Prior to Security of Things World Berlin, Sebastian talked us through his presentation about the costs of security problems and the most important security measures for the next wave of IoT implementation.

we.CONECT: How big a problem will a lack of security with IoT devices be?

Sebastian Hess: In my opinion, a total lack of security would be a big problem for IoT devices. But, fortunately, that is not the trend we are witnessing today. As with every product / service, security is a factor – an important factor – but not the single determining factor. Manufactures will have to find ways to implement security while bringing profitable products to the market. Therefore, in my opinion, it is less a problem of lacking security, the challenge is to develop security frameworks that are suitable for the IoT space.

we.CONECT: Which security measures do you see as being the most important for the next wave of IoT implementation?

Sebastian Hess: I see two big aspects coming into play here, which are intertwined. First, IoT devices need to have a tamper-proof way to validate and execute codes, and, second, they need to have an over-the-air update mechanism that allows for the timely patching of newly discovered vulnerabilities.

we.CONECT: What change would you like to see when it comes to implementing IoT security?

Sebastian Hess: As with everything security related, it is important to have a holistic approach to security that doesn’t try to add security components as an afterthought. To enable this, I’d like to see standardized frameworks and ecosystems emerge that allow for a secure operation of IoT devices on a large scale. In my opinion, an approach like Microsoft’s Azure Sphere will be part of the solution.

we.CONECT: How can organisations develop a security mind-set within their companies?

Sebastian Hess: In my opinion there are two important success factors: one has to find a way to make security a topic that an employee cares about on a personal level, and, one needs to find ways to tie security to the value generation of the business. Not every company has the same security requirements as the next one.

we.CONECT: What role do standards play in managing IoT Security?

Sebastian Hess: Standards always play a big role in security, and IoT security is not different here. It is important to develop industry-wide standards to bring the costs for securing devices down while actively providing better ways to secure them. Few IoT vendors will have the capability to run the necessary ecosystems required to ensure secure operation of their devices. Standards will allow specialized service providers to focus on security functions while ensuring proper security under an economy of scale paradigm.

we.CONECT: Who should be responsible for providing IoT Security?

Sebastian Hess: In my opinion, the ultimate responsibility lies with the manufacturer. However, a delegation of tasks / outsourcing will be a standard activity.

we.CONECT: You’ll be speaking at Security of Things World in Berlin about the costs of security problems. Please can you give us an idea of what delegates will take away from the session?

Sebastian Hess: It is important to find the right balance for each product / service when it comes to security components. I will try to make a business case that having a solid security foundation is actually beneficial for IoT vendors.

we.CONECT: What expectations do you have regarding the Security of Things World event in Berlin? Which outcomes and benefits do you expect to gain from the exchange with the participants?

Sebastian Hess: Events like this are always a great opportunity to broaden your own horizon. That means I am looking forward to listening to the presentations and also meeting the attendees. It is the individual stories that make such an event worth attending.

we.CONECT: Which burning questions would you like to discuss within the Security of Things World community?

Sebastian Hess: What is lacking to make secure IoT a reality?

we.CONECT: Time for some shout outs! What did you read recently that would interest other like-minded people? Have you seen/heard any inspirational speakers recently? Who is an IoT Security guru or inspiration in your eyes?

Sebastian Hess: I always like reading anything that Bruce Schneier publishes. On the more local market, it is always worth following the work of the teams surrounding Sebastian Schinzel, a professor at the Münster University. Recently, he was in the news discovering the PGP/S-MIME issues.

we.CONECT: Thank you very much for participating in this interview.
Previous ArticleNext Article