Security Expert Interview Series: Marcel Prisi

The following is an interview we recently had with Prisi Marcel, Security Expert at Kudelski IoT Security. Marcel has over 20 years of professional experience in product development, cloud, and security management. In this interview, he touched on IoT security and what the future holds for it. Enjoy and check back on our Security Expert Interview Series page each week for the next interview in the series.

Security Expert Interview Series #11: Marcel Prisi

1. How did you get involved in the information security industry?

I came to security as a necessity, as I was managing a growing infrastructure close to 25 years ago in my own company. At that time, hackers were already extremely active, and security was quite a new notion; there were no professionals or established services. I had a background in the demo scene, where many hackers came from, which helped me keep informed and build some efficient tools. So, I started by managing the security of my own infrastructure.

2. What soft skills do you think are most important for information security specialists?

To me, the biggest core skill of any security specialist is keeping an open, curious and creative mind. The people on the other side of the fence are incredibly ingenious and ready to invest unlimited time, and in some cases, large amounts of money in a single goal. They know the security tools we are using, so we need to be creative and go the “extra mile” in order to have any chance of sustaining some of these attacks.

3. As we can see, you are working for a company that provides end-to-end IoT solutions and IoT product design. What is the biggest security challenge facing the growing IoT?

Quite strangely, I’d say market maturity. We also do “device discoveries” where we analyze the security of “off the shelf”, already marketed products. Some are even supposed to be secured. You cannot imagine the current state of security in the IoT space… There is still lots of education to be done.

4. What change would you like to see when it comes to implementing IoT security?

For now, security seems to be a “nice to have” feature in most developments. This has to change; security needs to be integrated from the start into any new project, even more in the IoT space where limited devices are connected to the wild internet. You cannot get reasonable results when trying to add security later in the process, even worse when having to react after discovering a security issue following the launch of a product.

5. What do you think the future holds for IoT security?

I think that the future is bright for IoT security. As time goes on, the market will understand the logical need for integrated security in all steps of projects, tools and processes will get more mature, and lots of jobs will be created, leading to an extremely positive dynamic.

6. Could you please tell us what was the most important information security lesson you learned in 2020?

Never take basic things for granted. Even in 2020, security as a concept is still absolutely not obvious to many major stakeholders.

7. Home working is attractive to many employees to attain greater work-life balance; however, it appears to be inherently riskier from an information security standpoint. Is this so? And if so, what can companies do to protect corporate critical information from theft or misuse?

I do not see home working as inherently riskier. We know from different statistics that still today, most critical data breaches come from inside company leaks. We have loads of tools to secure remote work; every device is monitored, controlled and well maintained since they are seen as obvious entry points. The standard security hygiene has to be enforced, and it mainly comes down to company-wide quality security training and an active “trust but control” mantra.

Today, statistics show that an employee has direct access to millions of files in his corporate network, of which about 1000 contain sensitive information. About every network has stale user accounts… It “simply” comes down to implementing and enforcing basic security hygiene, as I call it.

8. Any friendly advice to all young information security enthusiasts?

You are embracing quite an uncommon career; get ready to work hard, be surprised, challenged in every way, every day. You’ll never stop learning new things everybody told you were impossible the week before. If you are looking for a nine-to-five, pass your way; if you are looking for challenge, excitement, long days… welcome!!
