By Dr. May Wang, CTO of IoT Security at Palo Alto Networks and the Co-founder, Chief Technology Officer (CTO), and board member of Zingbox\n\nAt the foundation of cybersecurity is the need to understand your risks and how to minimize them. Individuals and organizations often think about risk in terms of what they\u2019re trying to protect. When talking about risk in the IT world, we mainly talk about data, with terms like data privacy, data leakage and data loss. But there is more to cybersecurity risk than just protecting data. So, what should our security risk management strategies consider? Protecting data and blocking known vulnerabilities are good tactics for cybersecurity, but those activities are not the only components of what CISOs should be considering and doing. What\u2019s often missing is a comprehensive approach to risk management and a strategy that considers more than just data.\n\nThe modern IT enterprise certainly consumes and generates data, but it also has myriad devices, including IoT devices, which are often not under the direct supervision or control of central IT operations. While data loss is a risk, so too are service interruptions, especially as IoT and OT devices continue to play critical roles across society. For a healthcare operation for example, a failure of a medical device could lead to life or death consequences.\n\nChallenges of Security Risk Management\n\nAttacks are changing all the time, and device configurations can often be in flux. Just like IT itself is always in motion, it\u2019s important to emphasize that risk management is not static.\n\nIn fact, risk management is a very dynamic thing, so thinking about risk as a point-in-time exercise is missing the mark. There is a need to consider multiple dimensions of the IT and IoT landscape when evaluating risk. There are different users, applications, deployment locations and usage patterns that organizations need to manage risk for, and those things can and will change often and regularly.\n\nThere are a number of challenges with security risk management, not the least of which is sheer size and complexity of the IT and IoT estate. CISOs today can easily be overwhelmed by information and by data, coming from an increasing volume of devices. Alongside the volume is a large variety of different types of devices, each with its own particular attack surface. Awareness of all IT and IoT assets and the particular risk each one can represent is not an easy thing for a human to accurately document. The complexity of managing a diverse array of policies, devices and access controls across a distributed enterprise, in an approach that minimizes risk, is not a trivial task.\n\nA Better Strategy to Manage Security Risks\n\nSecurity risk management is not a single task, or a single tool. It\u2019s a strategy that involves several key components that can help CISOs to eliminate gaps and better set the groundwork for positive outcomes.\n\nEstablishing visibility. To eliminate gaps, organizations need to first know what they have. IT and IoT asset management isn\u2019t just about knowing what managed devices are present, but also knowing unmanaged IoT devices and understanding what operating systems and application versions are present at all times.\n\nEnsuring continuous monitoring. Risk is not static, and monitoring shouldn\u2019t be either. Continuous monitoring of all the changes, including who is accessing the network, where devices are connecting and what applications are doing, is critical to managing risk.\n\nFocusing on network segmentation. Reducing risk in the event of a potential security incident can often be achieved by reducing the \u201cblast radius\u201d of a threat. With network segmentation, where different services and devices only run on specific segments of a network, the attack surface can be minimized and we can avoid unseen and unmanaged IoT devices as springboards for attacks for other areas of the network. So, instead of an exploit in one system impacting an entire organization, the impact can be limited to just the network segment that was attacked.\n\nPrioritizing threat prevention. Threat prevention technologies such as endpoint and network protection are also foundational components of an effective security risk management strategy. Equally important for threat prevention is having the right policy configuration and least-privileged access in place on endpoints including IoT devices and network protection technologies to prevent potential attacks from happening.\n\nExecuting the strategic components above at scale can be optimally achieved with machine learning and automation. With the growing volume of data, network traffic and devices, it\u2019s just not possible for any one human, or even group of humans to keep up. By making use of machine learning-based automation, it\u2019s possible to rapidly identify all IT, IoT, OT and BYOD devices to improve visibility, correlate activity in continuous monitoring, recommend the right policies for least-privileged access, suggest optimized configuration for network segmentation and add an additional layer of security with proactive threat prevention.\n\nAbout Dr. May Wang:\n\nDr. May Wang is the CTO of IoT Security at Palo Alto Networks and the Co-founder, Chief Technology Officer (CTO), and board member of Zingbox, which was acquired by Palo Alto Networks in 2019 for its security solutions to Internet of Things (IoT).