Overcoming the IoT Security Skills Gap

While the tech industry is currently challenged by an IoT skills gap, there are steps that companies and leaders can take to minimize these issues and drive change.

Guest Commentary

July 15, 2020


As the Internet of Things continues to evolve, many companies are trying to become part of this growing market to keep up with the latest trends, including developing and selling their own IoT devices. But as a chief information officer or an IT head of a major brand, what happens when the onus falls on you -- and maybe not your chief information security officer -- to introduce, sell and secure a new connected product?

When you’re an expert on unconstrained devices or cloud services, how do you become enough of an authority on a small, constrained, singular smart product to effectively ensure that the safety and security of the devices are handled properly? And with nearly half of IoT decision-makers in enterprise organizations saying there aren’t enough available skilled workers -- according to Microsoft’s IoT Signals report -- how can stakeholders directly minimize the current and detrimental skills gap overall?

CIOs and IT leaders must find ways to not only set themselves and their teams up for success, but challenge the industry as a whole to come together to address the IoT and IoT security skills gaps. Whether it’s cultivating the right resources and team internally or bridging to external influences, there are different opportunities that can help promote change and empower talent to be ready to face the growing demands of connected devices today.

Support your internal resources

IoT security requires its own unique approach. Unlike with unconstrained cloud computing systems, the biggest challenge with IoT is that these millions or even billions of devices are scattered, continuously talking to each other, and will live on (just about) forever. These IoT devices operate in a highly constrained environment. While computers measure hard drive and RAM in GB, a typical IoT device only has MBs of program storage while RAM is measured in KB. The sheer volume of data that will be transmitted through the technology is incredible from an innovation perspective, and it is what has set up the world to be the connected ecosystem we now accept, all while being based on devices less powerful than an Apple Watch. These constraints present large challenges in managing and securing IoT devices and networks.

It's therefore key for the IT function to recognize these differences upfront before they’re left with chaos down the line. As leaders within the company, constant education and reading the right resources will make it that much easier to keep up-to-date and knowledgeable when it comes to IoT security requirements, regulations, and necessary steps to take. Relevant industry news sources or other industry leaders can help with remaining privy to that information.

It’s also important to tap into smart and knowledgeable talent where possible. Hiring is incredibly difficult today, especially when it comes to IoT. These devices require such a strong set of different skills and backgrounds that it's hard to find those who have combined expertise across wireless connectivity, embedded electronics, and big data -- not to mention security. Considering candidates who bring at least some level of this can play a huge role, though, and looking beyond certain certifications like Cisco or Microsoft -- which are nice-to-haves -- at some of the overarching characteristics such as being innovative and a problem solver can also bring the right employees into the company.

Unfortunately, it's clearly not always feasible or possible to hire new talent, and sometimes the only option is to rely on current team members. To do this effectively, companies and their leaders must cultivate an environment of learning. They also need to build in time to train employees and allow them to get the hands-on experience they need to hone their skills. This can be through workshops, opportunities to work on proofs of concept for projects before full production, or free time to learn how things get hacked by actually doing the (ethical) hacking. Introducing activities like "Hacker Fridays," for instance, where a small group of employees can try to hack a designated IoT device and report back, is a simple but effective way to do this. Some companies even have "innovation sprints" once a quarter for internal teams to build internal tools and learn new skills. These fun and insightful additions can all help ensure that internal talent is much more capable and prepared than it otherwise might be.

Engage with external organizations

In addition to supporting internal teams, there are many external organizations and industry groups today that can offer the right expertise to better understand how to properly secure IoT devices, along with everything to know about mitigating risks. These organizations have their finger on the pulse of security standards, compliance, and regulations that brands should be aware of and often share invaluable resources to help make sense of this complex world.

Whether it's participating in big conferences or joining small training sessions, each opportunity to listen to experts and hear from fellow peers can provide the right insight IT otherwise wouldn't have access to -- especially around similar challenges organizations have faced, best practices to keep in mind, and even lessons learned from past experience. It's important, too, as a leader in the company to encourage staff to branch out while at the conferences and engage in discussions with peers from other organizations. It's amazing how many common problems each can share, and hearing how others have approached the problem is invaluable.

Encourage learning at the university level

The majority of today's technology workforce begins their journey in higher education. Combining industry with academia has been shown to have a positive impact on future talent, and has played a significant role in minimizing skills gaps. The industry should continue to work with and look for new ways to help support universities and generate greater awareness around different and relevant topics -- including across IoT and security. By introducing these concepts and training as part of the designated coursework, that hands-on experience early on can promote positive change down the line.

This can also include mentorship through opportunities like internships, sponsored senior projects, and cybersecurity clubs. Allowing a first-hand view of more niche security processes and overall best practices drives a deeper understanding for young professionals before they enter the workforce, which can set them, as well as their future employers, up for success. Plus, pairing senior employees with students not only helps grow the students' knowledge base, but can also re-energize senior employees.

While the industry is currently challenged by an IoT skills gap, there are steps that companies and leaders can take to help minimize these issues and drive change. By adopting these kinds of practices and considering what it takes to be forward-thinking when it comes to IoT and IoT security, they'll be much better positioned to take the connected world by storm, and ensure that the products don't become black clouds looming overhead instead.


Brad Ree is chief technology officer of ioXt. In this role, he leads ioXt’s security products supporting the ioXt Alliance. Ree holds over 25 patents and is the former security advisor chair for Zigbee. He has developed communication systems for AT&T, General Electric, and Arris. Before joining ioXt, Ree was vice president of IoT security at Verimatrix, where he led the development of blockchain solutions for ecosystem operators. He is highly versed in many IoT protocols and their associated security models.

About the Author(s)

Guest Commentary

The InformationWeek community brings together IT practitioners and industry experts with IT advice, education, and opinions. We strive to highlight technology executives and subject matter experts and use their knowledge and experiences to help our audience of IT professionals in a meaningful way. We publish Guest Commentaries from IT practitioners, industry analysts, technology evangelists, and researchers in the field. We are focusing on four main topics: cloud computing; DevOps; data and analytics; and IT leadership and career development. We aim to offer objective, practical advice to our audience on those topics from people who have deep experience in these topics and know the ropes. Guest Commentaries must be vendor neutral. We don't publish articles that promote the writer's company or product.
