Does consumer risk outweigh business risk?

Dec 06, 2017 | 4 mins
Cybercrime, Risk Management, Technology Industry

Security spending is focused on businesses and governments while consumers control nearly two-thirds of all devices.


Bitcoin keeps climbing, online holiday shopping sets a new record, political stories fill headlines and another data breach or hack will remind some people of why they hate technology. Equifax, Uber, TIO Networks, the list grows daily and…oh look, another replacement credit card came in the mail today.

In response to the continuous news coverage and an expanding threat landscape, lawmakers and industry groups propose new standards and compliance requirements to rein in risky behavior. Vendors develop new solutions to combat evolving risks, security practitioners like myself discuss strategies to improve security and extol the virtues of good cyber hygiene, and universities and certification bodies announce new programs to train and educate a workforce for the rapidly growing cyber field. Gartner predicts cumulative global security spending will hit the trillion-dollar mark over the next five years.

While it is wonderful to see an increase in security investment, nearly all of that investment is aimed at businesses and governments at a time when most connected devices belong to consumers.

Large organizations and governments fall victim to attacks daily, despite increased investment in layered defense strategies, solutions, and regulatory changes designed to reduce risks. Smaller organizations have even fewer resources and skilled personnel available to combat common threats. The average consumer with a $50 endpoint solution? Good luck. I hope you backed up your data somewhere safe.

What about me?

For most of my adult life, security has played a significant role in my career and daily responsibilities. Creating compliance roadmaps, implementing solutions, monitoring and assessing, reporting, investigating, remediating, and nearly any other action verb tied to security – all have a place in my experience toolbox. Surely, someone like myself runs enterprise-grade solutions at home, right?

No. No end-of-life or gray-market gear, no racks of repurposed servers heating a coat closet, no multi-layered, polymorphic hydra of pre-market security awesomeness humming in the background. I use consumer-grade and open source stuff. I cannot afford enterprise solutions any more than the next person can. I also have a family that needs access, and I already catch enough grief over complex account passwords. Sophisticated attack defenses? I back up my data.

This should be a truly frightening issue, not merely for consumers, but for the businesses and governments whose resources are continuously exposed to these devices and users. According to Gartner, consumer devices, everything from phones, tablets, and laptops to refrigerators, home theater systems and smart lighting, make up 63% of all Internet of Things (IoT) solutions today. With that trend expected to continue, and the overall number of devices projected to double before 2020, consumers present the largest attack surface. Unfortunately, these same individuals have the least capable defenses against the threats.

To improve consumer product security, we will need a security breakthrough at the lowest common denominator, a solution or series of solutions that turns consumer devices into low-risk targets. Smart IoT devices should be incapable of being conscripted into a botnet, mining cryptocurrency, or launching denial-of-service attacks. Educating people will not be enough. The average person should not have to worry about information security or how cyber solutions work any more than he or she should be expected to know how airbags, navigation or lane departure systems operate while driving a car.

This puts the problem back into the hands of industry and governments. Some entity must create standards, establish communication and processing protocols related to safety, security, and privacy, and impose limits on use and capabilities. Think of it as an Underwriters Laboratories (UL) label for consumer product security: the seal of approval means that a device only operates within certain parameters, and nothing more.

Few people would tolerate a world where homes had no doors, windows, locks, or security protections to prevent burglaries or intrusions. How many would accept handing their credit cards to mobsters as they entered a restaurant? Who would load all of their personal data and photos onto thumb drives and hand them out to strangers in dark alleys? These examples may sound ridiculous, but are they all that different from the digital jungle we find ourselves traveling every day?

Whether these future solutions employ machine learning or artificial intelligence, blockchain capability, or some new form of trust-based baselining technology is irrelevant; the need to do something is real. The key is for researchers to find the right pathways and discover the innovations that will make it possible. The alternative is living in an era of amazing technological capabilities marred by increased business and consumer risks and costs, along with lower levels of confidence, security, privacy and trust. What will it take to force us to change direction?


Brent Hutfless is an experienced CISO and technology leader. He is currently the founder of Cannon Reef, an IT and IT security consulting company focused on providing business leaders with insight and recommendations for technology and security challenges, projects and solution implementations.

Brent led the information security programs in his last three roles at a Top 100 U.S. Federal contractor and two U.S. Navy headquarters-level commands. A U.S. Navy veteran with more than two decades in the manufacturing, healthcare, defense, aviation and training industries, his knowledge and leadership experience have given him an uncommon level of insight into technology, and cybersecurity in particular. He has successfully implemented security initiatives that align to NIST, ISO and HIPAA compliance frameworks, and advises organizations and industry groups on these and other GRC frameworks and regulatory requirements. He is comfortable presenting business, technical and security-relevant risk topics to executive leadership and board-level directors, and has a successful record of completing challenging security, technology, and core business projects and programs.

He was most recently the IT Director at Austal, an Australian-headquartered shipbuilder and Top 100 U.S. Federal contractor employing over 4,000 U.S. personnel in support of the Independence-class Littoral Combat Ship (LCS) and Expeditionary Fast Transport (EPF) ship programs. Austal recruited Brent during a period of rapid growth to establish and manage a cybersecurity program that could meet strict DOD requirements as well as the tough restrictions imposed by the U.S. government due to foreign ownership. He later assumed the role of IT Director and responsibility for the network, system and asset teams in addition to the security personnel. The Austal security program has received six consecutive superior ratings from the Defense Security Service, the highest score a company can achieve.

Brent holds a BS in computer science from Troy University, an MS in software engineering as well as a certificate in medical informatics from the University of West Florida, and is a Certified Information Systems Security Professional (CISSP). His publications include contributions to three editions of a Health Informatics textbook, a peer-reviewed study published by AHIMA, and numerous online articles. He has served as president, board member and cyber chair for the Gulf Coast Industrial Security Awareness Council, as a CIO panelist, presenter, and planning committee member for ITEN Wired, and has held positions within the Gulf Coast Technology Council and the (ISC)2 Florida Panhandle Chapter, as well as maintaining membership in other industry organizations.

The opinions expressed in this blog are those of Brent Hutfless and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.