Cisco security chief backs government IoT regulation

Connected devices are giving CISOs a "headache", and authorities should step in to impose minimum standards


Governments should implement a set of legally-enforceable minimum standards for new internet of things (IoT) devices to allay businesses’ fears around the technology, Cisco’s security leader has claimed.

A swathe of IoT devices that are unsecure by default are on the market and are giving security teams and CISOs a “headache” about how to deal with them, according to the networking firm’s VP for global security sales, John Maynard.

Given the prospect of an exponentially rising attack surface, the authorities should produce a set of minimum standards that device makers must adhere to, he told delegates at this year's Cisco Live in Barcelona. The alternative scenario is security teams using systems to secure each individual IoT device as they are connected to their network. This is partially why the promise of IoT hasn’t been fulfilled.

“Frankly, the job of a CISO is extremely challenging right now because IoT, in its multiple form factors, is just expanding the attack surface for the security professional beyond levels that it's ever been,” Maynard said.

“You're connecting operational technology to the network. You're connecting numerous devices that could communicate with different parts of the organisation. We need to get a handle on it.”

He argued that the vast majority of connected devices that can be added to organisations’ networks are insecure by design, although that shouldn’t put a total block to all such devices from being connected. The result, however, is that security professionals now have the added task of having to secure reams of unsecure endpoints.

“You either solve it with at a device level, and you regulate and from a governmental perspective and standards perspective – secure by design – which is what it should be,” he continued. 

“Or you say, 'I need to be able to monitor what is connected to my infrastructure, I need to be able to segment my network so if a connected device is doing something abnormal, I can detect it and then I can quarantine it and just restrict the access'.”

“I do believe there needs to be minimum standards of what security should look like in IoT devices, but it’s extremely complicated because you’re looking at cars, you’re looking at refrigerators, toasters, anything.”

Authorities across the world have cottoned onto the fact that many IoT devices are not build with security in mind, with the UK government, for example, last year opening a consultation on introducing new IoT security laws.

This week, the Department for Digital, Culture, Media and Sport (DCMS) introduced plans that could see device makers have to comply with a set of security requirements when manufacturing IoT devices. 

These measures include shipping connected devices with unique passwords that cannot be reset to any universal factory settings, as well as a point of contact that can be used in order to report any vulnerabilities discovered.

Featured Resources

How virtual desktop infrastructure enables digital transformation

Challenges and benefits of VDI

Free download

The Okta digital trust index

Exploring the human edge of trust

Free download

Optimising workload placement in your hybrid cloud

Deliver increased IT agility with the cloud

Free Download

Modernise endpoint protection and leave your legacy challenges behind

The risk of keeping your legacy endpoint security tools

Download now

Most Popular

How to move Microsoft's Windows 11 from a hard drive to an SSD
Microsoft Windows

How to move Microsoft's Windows 11 from a hard drive to an SSD

4 Jan 2022
Microsoft Exchange servers break thanks to 'Y2K22' bug
email delivery

Microsoft Exchange servers break thanks to 'Y2K22' bug

4 Jan 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022