Cyber Risk Engineer, AIG Europe Limited
Sebastian Hess has been Cyber Risk Engineer for Austria, Germany, and Switzerland at AIG Europe Limited in Frankfurt since June 1, 2017, with responsibility for the strategic further development of Cyber Risk Consulting. He is an international business leader with experience in both the military and private sectors and a specialization in Information Technology Security and Cyber Defense. He has spent the last 20 years working for high-level and highly exposed national and global organizations, focusing on protecting their IT environments. He has racked up an impressive record of achievements and advancements on multiple continents.
Prior to Security of Things World Berlin, Sebastian talked us through his presentation about the costs of security problems and the most important security measures for the next wave of IoT implementation.
Sebastian Hess: In my opinion, a total lack of security would be a big problem for IoT devices. But, fortunately, that is not the trend we are witnessing today. As with every product / service, security is a factor – an important factor – but not the single determining factor. Manufacturers will have to find ways to implement security while bringing profitable products to the market. Therefore, in my opinion, it is less a problem of lacking security; the challenge is to develop security frameworks that are suitable for the IoT space.
Sebastian Hess: I see two big aspects coming into play here, which are intertwined. First, IoT devices need to have a tamper-proof way to validate and execute code, and, second, they need to have an over-the-air update mechanism that allows for the timely patching of newly discovered vulnerabilities.
Sebastian Hess: As with everything security related, it is important to have a holistic approach to security that doesn’t try to add security components as an afterthought. To enable this, I’d like to see standardized frameworks and ecosystems emerge that allow for a secure operation of IoT devices on a large scale. In my opinion, an approach like Microsoft’s Azure Sphere will be part of the solution.
Sebastian Hess: In my opinion, there are two important success factors: one has to find a way to make security a topic that an employee cares about on a personal level, and one needs to find ways to tie security to the value generation of the business. Not every company has the same security requirements as the next one.
Sebastian Hess: Standards always play a big role in security, and IoT security is not different here. It is important to develop industry-wide standards to bring the costs for securing devices down while actively providing better ways to secure them. Few IoT vendors will have the capability to run the necessary ecosystems required to ensure secure operation of their devices. Standards will allow specialized service providers to focus on security functions while ensuring proper security under an economy of scale paradigm.
Sebastian Hess: In my opinion, the ultimate responsibility lies with the manufacturer. However, a delegation of tasks / outsourcing will be a standard activity.
Sebastian Hess: It is important to find the right balance for each product / service when it comes to security components. I will try to make a business case that having a solid security foundation is actually beneficial for IoT vendors.
Sebastian Hess: Events like this are always a great opportunity to broaden your own horizon. That means I am looking forward to listening to the presentations and also meeting the attendees. It is the individual stories that make such an event worth attending.
Sebastian Hess: What is lacking to make secure IoT a reality?
Sebastian Hess: I always like reading anything that Bruce Schneier publishes. On the more local market, it is always worth following the work of the teams surrounding Sebastian Schinzel, a professor at Münster University. Recently, he was in the news for discovering the PGP/S-MIME issues.