Cybersecurity spending is significantly driven by regulatory compliance and new personal data protection and privacy laws. The most often mentioned example is the impact of the EU’s GDPR, which is to be followed by the ePrivacy Regulation that covers electronic communications.
By 2021, Gartner predicts that regulatory compliance will become the prime influencer for IoT security uptake. Industries having to comply with regulations and guidelines aimed at improving critical infrastructure protection (CIP) are being compelled to increase their focus on security as a result of IoT permeating the industrial world.
While the GDPR has broadened the definition of personal data to include identifiers in the scope of M2M and the Internet of Things, the ePrivacy Regulation dives even deeper into this area. With additional data subject rights and strict rules regarding the legal bases for lawfully processing personal data (including sensor-generated data and so forth) which can be related to data subjects (EU citizens), strong personal data processing principles and changes in the regime of consent, the new regulations impact IoT and IoT security as well.
While there are still quite some uncertainties on the level of IoT in the ePrivacy Regulation (which isn’t published yet) and, frankly, also in the GDPR, IoT security spending has shown to be impacted by the new regulatory frameworks as previously reported.
However, these regulations are far from the only ones. In fact, Gartner doesn’t even mention them in the announcement of its report “Forecast: IoT Security, Worldwide, 2018” (March 21, 2018). So why mention them at all?
Because Gartner expects regulatory compliance overall to be the number one influencer for IoT security uptake by 2021.
We also guarantee that, although perhaps not being the major gamechanger regarding a far better IoT security approach and higher IoT security spending and ‘only’ touching upon personal data, the ePrivacy Regulation will cause quite some concern in myriad IoT use cases. And in the areas where Gartner sees new regulations coming inevitably the personal data aspect is present too as you’ll read.
Worldwide IoT security spending 2018: from $1.5 Billion in 2018 to $3.1 billion in 2021
In its forecast for worldwide IoT security spending for 2018, poised to reach $1.5 Billion, Gartner (building upon research from CEB, acquired by Gartner) points out that almost 20 percent of organizations have observed at least one IoT-based attack in the past three years.
Along with growing awareness regarding IoT security challenges, the impact of regulations and the risks associated with IoT-based attacks, not in the least in critical environments and Industry 4.0, this increase by 28 percent in IoT security spending shows in all areas and keeps growing steadily throughout 2021 as the table screenshot below shows.
Nearly 20 percent of organizations observed at least one IoT-based attack in the past three years (Gartner)
However, there is still a lack of good security practices and strategies despite the fact that IoT security keeps being mentioned as a primary concern, Gartner research director Ruggero Contu emphasizes. There is, among others, a lack of prioritization and implementation of security best practices and tools when IoT projects are planned, not just hampering IoT security spending potential but also leading to ad hoc initiatives with all the associated risks and the absence of security by design in the IoT market.
It’s specifically in the absence of a security by design (and in the scope of GDPR we might add privacy by design) approach that regulations are expected to change the game whereas now these regulations aren’t there yet.
Gartner sees specific and stringent regulations showing up in highly regulated industries such as healthcare where IoT is already quite present (and not just in healthcare facilities and the improvement of healthcare quality but most certainly also increasingly in areas where personal data are key in the broader healthcare ecosystem) and in automotive (where on top of the industrial aspect we also meet the personal data dimension whereby there are already discussions regarding vehicle data ownership as previously reported).
IoT security spending and regulations in critical infrastructure and Industry 4.0
The research firm mainly sees regulations and guidelines aiming to improve the protection of critical infrastructure though. So, Industry 4.0 and Industrial IoT areas including utilities, resources industries and so forth where there have been issues in the past, also with state-sponsored attacks that can have huge consequences.
Through 2020, the biggest inhibitor to growth for IoT security will come from a lack of prioritization and implementation of security best practices and tools in IoT initiative planning
Ruggero Contu: “Interest is growing in improving automation in operational processes through the deployment of intelligent connected devices, such as sensors, robots and remote connectivity, often through cloud-based services. This innovation, often described as Industrial Internet of Things (IIoT) or Industry 4.0, is already impacting security in industry sectors deploying operational technology (OT), such as energy, oil and gas, transportation, and manufacturing”.
Obviously it’s not just in these environments that IoT security spending is on the rise or that regulations will force organizations to prioritize IoT security.
Some issues on top of the mentioned ones:
- Most IoT security implementations have happened at the level of the business unit whereby IT does get involved but not sufficiently.
- Organizations (customers) don’t have control over the software and hardware in the IoT stack which the need for their deployments.
- There is a lack of coordination via common architecture or a consistent security strategy.
- Selection of IoT device vendors, IoT gateways, IoT services etc. is largely ad hoc, based upon the partnerships and ecosystems of device providers.
- The basic security patterns which have been revealed in many vertical projects, haven’t been codified into policy or design templates for consistent reuse. The result: “technical standards for specific IoT security components in the industry are only now just starting to be addressed across established IT security standards bodies, consortium organizations and vendor alliances”.
Looking at the main areas of IoT security investments over the forecast period Ruggero Contu expects to see growing demand for tools and services for better discovery and asset management, software and hardware security assessment, and penetration testing. He also expects organizations to increase their understanding of the implications of externalizing network connectivity.
These elements are all among the main drivers of IoT security spending growth whereby total spending should reach $3.1 billion in 2021 when regulatory compliance will be that main IoT security spending influencer.
Top image: Shutterstock – Copyright: Pe3k – All other images are the property of their respective mentioned owners.