
Challenges and Responsibility Gaps in IoT and Mobile Security

The article examines the rapid rise of IoT and mobile applications in enterprises, highlights widespread security concerns, identifies unclear responsibility for protection, and presents survey findings that reveal organizational uncertainty and pressure on developers that exacerbate security risks.

Architects Research Society

The Internet of Things (IoT) is exploding into the mainstream, and the already widespread role of mobile applications in enterprises is still expanding. However, concerns about mobile and IoT security are growing rapidly.

In short, the challenge is that there is currently no clear responsibility for IoT and mobile security. Applications are developed by vendors and released to market with little or no attention to security. These applications then flow into organizations that often cannot manage them, and it is largely uncertain which applications are used in the workplace.

In short, mobile and IoT security issues could get worse before they get better.

Who is responsible?

A recent Ponemon Institute study, cited by Infosec Island, shows that IBM Security and Arxan face challenges that enterprises also encounter. The confusion over who owns security during development, testing, and deployment remains a problem.

Most organizations (53%) express concern about being compromised via mobile devices, while a larger majority (58%) worry about threats from IoT applications. At the same time, 44% of organizations admit they have taken no protective measures, and 11% are unsure whether they have. This is not a confidence builder.

This uncertainty, especially on the mobile side, extends to the number of applications used within organizations. In all, 75% of respondents say they are not confident about their employees' use of applications. Of those, half, or 37%, report “distrust” as a theme. Other survey results reinforce the picture of uncertainty and passivity.

Catching up with the market dust of security

While there is little consensus on how to handle these challenges, there is broad consensus on one point. Over two‑thirds of respondents (69%) say mobile application security is poor because development teams are under pressure to ship quickly. Three‑quarters attribute this to vulnerable management of applications.

The security picture becomes even more complex regarding who owns—or should own—IoT and mobile security. Only 5% of respondents say the CISO bears primary responsibility for IoT security. Conversely, most point to engineering or business departments.

Prioritizing IoT security

Two standout challenges are the fragmentation of the mobile and IoT markets and the pressure on developers to treat security as an afterthought. As a basic design principle, security must be built in from the start, not added later.

A large, fluid, and competitive market excels at innovating technology and delivering it to consumers. However, IoT and mobile security are gradually eroding, and risk will only increase until the security community and market take action.
