The Internet of Things is really about services and people
Markus Braendle is Group Head of Cyber Security for ABB. Reliable and secure digital interfaces between industrial components and installations have been an important part of ABB's business for many years. The goal of Braendle’s team is to ensure that ABB offerings support customers' cyber security needs. He makes a strong argument that we shouldn't promote security for the sake of avoiding painful incidents, but rather focus on the business value that secure products and services can offer.
There is hardly any doubt that security will play a vital role in the Internet of Things, a world where nearly everything will be interconnected and where the physical world will increasingly merge with the digital domain. The million-dollar question is: how do we make sure that this new reality – often cited as the fourth industrial revolution – is reliable and secure?
First of all, at ABB we don't talk about the Internet of Things. We talk about the Internet of Things, services and people. Because that's what it's basically about. Connecting stuff to the internet is a means to an end; what really matters is what you do with it. Moreover, we also think that the fourth industrial revolution is an evolution rather than a revolution. The interconnectedness has been increasing for many years now. Having said that, there's of course no doubt that it is essential to warrant security in this domain. I am convinced that to achieve a secure environment in this new and very complex environment, we must not put too much focus on the technological perspective of security. There is a wealth of technological solutions around and a large part of this has in fact become a commodity. I believe that the real challenge is making sure that cybersecurity becomes a seamless part of the risk management approach, and earns its place in the hearts and minds of the leadership of companies.
Awareness doesn't really seem to be a problem nowadays, with numerous incidents being broadly exposed in the media. How can we ensure that this awareness translates into effective mitigation of cyber risk?
Generally speaking, many organizations and their management are still largely basing their cyber security investments on fear of incidents. This often results in ad hoc budgeting for cybersecurity and, more importantly, it is not a very effective approach. The challenge is to talk about the business value of cybersecurity instead of responding to incidents and new threats. Business leaders should be aware that a very interesting new dynamic full of opportunities is emerging and should ask themselves how they can make the most out of it in a controlled manner. How can they increase customer value and customer satisfaction by offering cyber secure products and services? For instance by maximizing uptime, or by improving the efficiency of maintenance programs. However, when it comes to cybersecurity, we traditionally tend to talk in technical lingo. We must translate that into business lingo.
This technical, incident-driven approach has been a problem for a number of years now. How optimistic are you about changing this?
The cybersecurity strategy in some companies is largely driven by compliance, while others are more driven by the value that's at stake. It's a heterogeneous landscape, but overall I really do see some good progress in the dialogues that we're having with the market. It's important that we work together with third parties such as KPMG to jointly communicate this message. More generally speaking, I think that collaboration is key to effectively deal with this issue. Melani is doing a good job to bring industries together, but I think we should do more to engage in dialogue with the security providers and the consulting companies. It's all about trust of course, and also about understanding each other's world.
What exactly do you mean by that?
I'll give you an example. When we work on a project for a customer, their investment often covers a timeframe of 20 years. This is quite a contrast with the habitat of IT providers who often have a time horizon of just a couple of years. So if we’re using IT in these projects, we must have a dialogue upfront on how we make sure to have fully supported IT components during the whole lifetime. This is one important prerequisite for enabling ‘security by design’. In this interconnected world, seamless cooperation with third parties is increasingly important. This goes beyond clear agreements in contracts. Partners need trust in the relationship. That’s why we engage in dialogue with them; in a continuous dialogue to make sure that we share the same goals, develop a good relationship and are ready to act swiftly when needed.