Closing the Security Gap For IoT Devices

Intro  0:01 

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels  0:22 

Hi, Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional, and I provide practical privacy advice to overwhelmed companies.

Justin Daniels  0:38 

Hi, Justin Daniels. Here I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.

Jodi Daniels  0:54 

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, e-commerce, media agencies, and professional and financial services. In short, we use data privacy, to transform the way companies do business together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, visit redcloveradvisors.com. Now, we’re gathered here today to have a podcast I we were just talking about a Genesis concert. So I just want to make sure you’re not going to break into song.

Justin Daniels  1:40 

I cannot confirm or deny as to whether or not that will happen. Mm hmm.

Jodi Daniels  1:45 

Well, don’t go and get ready. You might be hearing some Phil Collins students. Justin, do you want to kick us off and say who is with us today?

Justin Daniels  1:56 

I’d be happy to do that. So today, as we talk about cyber technology, we’re going to be talking to Roy Dagan, who is the CEO and co-founder of SecuriThings, the provider of the first IoTOps solution designed to help organizations maximize their devices’ operational efficiency and security. He started the company after many years of building cybersecurity risk management and intelligence systems. Prior to SecuriThings, Roy held multiple roles leading product and management teams at a range of companies including RSA, the division of the Security Division of EMC, and NICE Systems.

Roy Dagan  2:41 

How are you guys good morning? How’s it going?

Jodi Daniels  2:47 

It is good. We’re so glad that you are here with us today. And we hear that you also might like Genesis. So if you want to, you know, have a fun tune. You are welcome to do

Roy Dagan  2:58 

Yeah, I’m not sure I’ll be joining in thing today.

Jodi Daniels  3:01 

Now. So instead, all right, let’s dive in to the fun of IoTOps. So right, tell us a little bit we always like to start these conversations with how you got to where you are. Sure thing.

Roy Dagan  3:16 

So I’ve been in tech industry for for quite a while, a few years, almost 20. I guess at this point, I started in one of the intelligence units in the Israeli Defense Forces, obviously, like every other Israeli travelled a bit after that for a few months, then came back to Tel Aviv, study computer science. But I always worked as a product manager. So I held multiple product management roles. And again, as he said, mostly in companies focused on cyber risk detection analytics companies such as RSA, yes, they used to be the security division of EMC. But now it’s part of Dell, and it’s even bigger now. But also NICE Systems and other companies. And I think it was always kind of clear to me that I want to start my own thing, right, the main question like many, I guess, founders, the main question was when, and I believe I was, you know, working for a while just trying to get to that level of experience and confidence and different corporates. I’m learning a lot. And companies again, RSA was it was just great. It was amazing experience over there. And I wanted to learn more before strategy, starting something from scratch. Then I called Ron. So Ron is our CTO, my co founder. We work together at RSA. And I told him about this idea of starting something where initially we started in IoT, cybersecurity, and I told him about, about the concept and about the idea got him excited, but he liked the space of it. He had some experience in that. Obviously, he liked, you know, the area of cybersecurity where he had experience also from RSA, and, you know, he was delighted to join the ride and then we just, you know, started working on this thing

Jodi Daniels  4:55 

together. Well, can you share a little bit about how you formulated this, this particular niche, we were talking about how there’s so many different flavors in the cybersecurity field, what have you narrow in here?

Roy Dagan   5:11  

So, initially, we was trying to focus really on IoT cybersecurity, which is kind of a big topic, right? It’s almost like saying it security, what does that mean? That means so many things. And then we will join, starting to investigate all kinds of barriers, you know, initially around the smart home and manufacturing, and different types of organizations. And then what happened is that we decided to focus initially trying to focus on manufacturers, we decided to focus on where that man really is, which is then prices, large organizations. And we saw there was just a huge demand there. And today, we’re serving some of the largest, you know, tech companies in the world and financial institutions and universities and municipalities and healthcare organizations, but pretty much across the board. So that’s one thing that happened. The second thing is that we saw that the cybersecurity was definitely a big concern. But the people within the organization that we were working with, have, which are responsible for the operations of these devices, and making sure that they’re always up running and healthy. They were concerned about cybersecurity, as well as their counterparts from it. But they also had the, you know, more of the compliance concern, which became a big thing in the last few years, but then also the operational management aspects of these devices. And then we saw, okay, so it’s actually bigger than, you know, just IoT, cybersecurity, when it comes to the enterprise, they actually includes also compliance and operation management. So we decided to kind of pull all the multiple kind of it categories together into one solution, and coined the term IoT ops as kind of an umbrella term for this category that we’ve been working on creating and putting in the hands of our customers and partners.

Justin Daniels  6:49 

Oh, Roy, I’d actually like to ask you a follow up question, having been to Israel and visited the country, could you share a little bit with our audience about how working in Israeli intelligence and your time in the military defense forces for Israel has such an impact not only on you, but why Israel has been so successful creating so many great companies in the field of cybersecurity.

Roy Dagan  7:17 

So I think you just get a lot of experience. So it’s, it’s combination, probably, of experience and stuff that you learn, but also kind of, kind of the attitude of getting things done. Right, you get into kind of that mindset, and that everything is possible. So people come out of the army after you know, doing some pretty amazing things. And then they start to start a company and they have that just a lot kind of that attitude of okay, we can help solve big problems in you know, in many of these companies are huge now, right, solving cybersecurity and other challenges. So I think it’s really a combination of experience, but also kind of the, the attitude

Jodi Daniels  7:54 

that comes with that. Yeah, from this side of the world, it is truly fascinating to be able to watch and think other parts of the world could benefit from from that mindset for sure.

Justin Daniels  8:07 

But why don’t we change gears a little bit and talk a little bit about is, what is the biggest misconception around IoT security, at least from my standpoint? Is there any IoT security?

Roy Dagan  8:18  

That’s a good question. Really good question. So I think one of the main misconception is, think about RSA Security as one thing as whole. You know, and I think also, at the same time, there’s probably not one solution that can solve it security, right? It’s again, it’s almost like saying it security, there’s so many different categories, which are solving different it, security challenges, so So it’s clear today that there are also many solutions that need to be available in this space. And if we think about IoT security, I believe, we need to ask ourselves, what are we talking about? Are we talking about enterprises? Are we talking about consumers? Are we talking about maybe wearables? Are we talking about automotive, then what type of devices are we talking about? And there’s more and more questions that we really need to kind of ask ourselves to kind of focus on what the challenges is at hand, and how we want to solve the challenge. Because if you know, each one of these different areas that I just mentioned, just having a unique set of challenges, which are very different from each other. So I think that the main misconception is kind of that term IoT security. It’s just there’s multiple categories in that thing that is called IoT security, in my opinion.

Jodi Daniels  9:32 

People are thinking about I have multiple different devices, I need to manage all of those devices. How do you link the idea of managing multiple devices with security? So I

Roy Dagan  9:46

think it actually has a lot to do with with security, as you see organizations just you know, they’re deploying all these devices at present time and they’re really lacking any visibility and control when it comes to them. So it’s very hard to know which vendors you have It’s very hard to know which firmware versions they’re running, whether they have any vulnerabilities when a passwords been rotated on these devices, or even how to rotate passwords, and there’s just a huge gap. And that huge gap is impacting, obviously, the security of these devices. So a lot of those questions I just went through are really related to also the cybersecurity aspect, but the devices. So that’s also by the way, so that’s when we, as a company decided that we need this new type of solution. And sometimes I like to say that this is actually an equivalent of an IoT solution, but which is really tailored variety devices. And that’s exactly what we do. And you know, when we speak with our customers, and then also with the IT counterparts, that’s exactly how they say, and they say, okay, Ma, it’s an equivalent IT solution, we’re really catered for IoT devices. And that’s also when we going back to where we started, kind of decided to coined that term IoT ops, because it’s a new category, the people, the customers are different, the different teams within your organization. It kind of they’re kind of underserved. Nobody has ever built the solution, which is really for them. They’re basically basically been tasked to deal with all these devices, huge amounts of devices, but without a solution. So what you’re seeing is that they’re doing a lot of things manually, and reactively. And that’s a big pain for them. And obviously, that then has an impact on the security of the devices, because they can’t deal with the security of doses without the right tools in place.

Jodi Daniels  11:28 

I think it would be helpful for everyone to hear when we’re talking about devices, what kind of devices are we talking about in this context? Sure. So

Roy Dagan  11:41   

a lot of the devices are focusing today around around physical security, but then also like building management devices. So a lot of devices, we deal with our video surveillance, so cameras and the systems to manage the cameras, access control panels, and everything, which has to do with physical security. But then there’s also other devices that are part of their operation, because to know if a physical security device is working, and to tell that team over there, which is responsible for the devices and needs to make sure the device is always up and running. There’s also the switches and PD use and UPS and other things, other types of devices. So the focus is making sure the physical security, then building management devices are working, but with all the other devices which are out there. So it’s kind of broader than

Justin Daniels  12:26 

that. Thank you, I think that’s really helpful. So how do you go about specifically addressing and disrupting IoT, device management and security? So

Roy Dagan  12:41  

I wouldn’t say we are exactly disrupting IoT device management that I’d actually say we identify teams again, but those teams within the organization that nobody ever built, they’re the solution for them. And in present time, what’s also interesting is that there’s kind of a new generation there, which actually know that things can be better. Right? They know that the where they’re doing things, and no, it’s not. It’s suboptimal. And they’re craving for a solution for that for that, because that’s their day to day job, right, making sure that device is always operational. And we went ahead and we build that solution for them. It’s interesting to see that in the market, they already know that things at the moment are very reactive. And when it comes to managing these devices just is becoming very, very costly. So it’s you’re putting more manpower, your integrator system integrators are rolling out more trucks, just because there’s no better way of dealing with these kinds of situations today. And they just want to move from that kind of reactive mode to practice mode. And at the end of the day, with the way we see it, we’re really helping these teams achieve five business outcomes. So first, will be improving system availability, obviously, because that’s what they’re charted. And that’s what their main focus is making sure that that camera, when there’s an issue, when there’s an incident and accident, it’s always up and recording and working properly, or the access control panel will always lead that person, or the truck or whatever is needed to enter the premises. So that’s improving system availability, then reducing costs, because what you’re seeing there, it’s it’s really costly, not just because of the truck rollouts, and a lot of the costs around that, but also roll back and forth between teams, because they don’t when there’s an issue with the device, it’s very hard to know where the issue is, is it actually device or maybe it maybe it’s actually the network. So it’s also a lot has to do with cost reduction around that. Then ensuring compliance or giving them a picture. Okay, this is what you have. This is the versions. This is when passwords have been rotated, and more information around that, obviously, protection from cyber threats and identifying vulnerabilities in real time, and also what we call the concept of visibility for future planning. So telling them as an example, Hey, guys, this set of devices is about to be end of life. You should think about replacing them now and not kind of last minute when they’re already our support and they’re not functioning properly anymore. And then obviously that has an impact and ces Some availability on cost and everything else that I just mentioned.

Jodi Daniels  15:06 

You mentioned the idea of reactive. And I’m curious, when do people tend to implement these solutions and kind of connected to that as what do you think is the biggest objection that companies have when they’re implementing an IoT solution?

Roy Dagan  15:26 

So I’d say that typically, if you, if you’re managing a dozen, a couple of dozen devices, if you’re a very, very small organization, you’re probably fine. You’ll do some things manually, you’ll do some things reactively, but you’ll probably be okay. Once you get to certain thresholds, and it can be in the hundreds of devices, or 1000s, or 10s, of 1000 devices or more, and we haven’t got organization customers across different sizes and types, then it becomes a challenge. And then you really need to start implementing such a solution, because you know, it’s no longer scalable, and then it just becomes liability. In terms of objection, I’d say, it’s not really an objection that we’re seeing. But what typically happens when we walk customers through, you know, the presentation and the deck, and then they demo. Typically what happens is, it’s interesting, they ask, How much time did it take to deploy? Oh, how many months does it take to deploy to? And how much time does it take to have it really in action and production? Because it’s interesting, they’re used to deploying things which take months and sometimes years, right, you go for this big project, you have a new build a building, and you need to put all the devices around and takes a lot of time. And typically, our reaction day takes them, Hey, guys, it takes less than a day. And it’s up and running and fully production. And it’s a you know, it’s good, a good surprise for them. The second thing is, because these are different departments within the organization, sometimes there isn’t concerned that it may try to block such initiatives. And we actually, as a company, what we learned is that we always insist that we want it and part of the as part of the discussion, because we know that the it counterparts once they’re in a pro process, and once we show them the solution, they’re actually delighted about whether the solution and we can provide so to them on a personal level, it can provide also all the cyber insights, right and additional insights around that area. And for their counterparts, which are may our main end users, it provides all the compliance, the operational management and all the rest of the capabilities. So I’d say those are kind of the two types of objections we came, we run into. But typically, again, involving it, and just telling him how simple is deployed, typically solves that.

Jodi Daniels  17:40 

Or some companies very may not be aware of the risks of not implementing. So in this space in these types of devices, what are the common incidents that you see take place when they don’t have one of these kinds of solutions? So

Roy Dagan  17:57 

from obviously, cyber incidents, and having devices which have been deployed there for years, without with known vulnerabilities, that the vendors already notified that there are they have they know that their vulnerabilities, but it’s so hard to upgrade the devices, they just leave them as is because they’re working to rather not start deal with the firmware versions, same time also passwords which have never been rotated on these devices, then it goes through a system, verifying the status of the devices. So you bought you paid hundreds of 1000s or millions of dollars to deploy these devices. Now, are they actually working properly or not? And the last thing you want is to pay all that, you know, good money, but to deploy these devices, find out that there’s an incident you were trying to look for, you know, for the footage or something because you know, there were cameras around in that area to find out, Oh, they weren’t recording, or they weren’t working for months, because you didn’t know, then incident handling. So how much time does it take to handle incidents? And because there are so many kind of people involved in these in understanding where the issue is? Is it a device? Is it something that work, it takes a lot of time to handle the incident and many times what we’re seeing is that they just kind of automatically roll out a truck. Just because again, there’s no system today to do that in a better way. Then also the ongoing maintenance. So just going through routinely rotating passwords and upgrading firmware pretty much impossible today. And just the last thing I would say is knowing what the compliance status is, is really, really hard. So it’s a project and sometimes it’s actually a project. So they will say okay, let’s go through this project. Let’s understand what we have out there. But then the interesting thing is that the next day is no longer relevant. Because these environments are alive, they change all the time. So you no longer know what you have out there. And you need something really which is really real time and constantly updating to solve all these challenges.

Jodi Daniels  19:52 

Well, thanks for sharing. I think people are always aware of what they’re used to thinking of a digital challenge. But when you actually move it to device, people are thinking, well, that’s like a physical device. And they kind of forget that they’re all interconnected. And tied to my question earlier, which devices are we talking about? What are the threats, we have to really extend? It’s not just the digital world, but the physical world meeting digital world? Exactly.

Justin Daniels  20:21 

What is your best security tip for these physical security teams?

Roy Dagan  20:27 

So I think it’s similar to how it is in the IT world, right? It’s all about visibility, and then control. Okay, so you need to see how you get to that level of visibility in which you know, what you have, how it’s working, which vulnerabilities you have, then the next thing, once you have that visibility, you have a clearer picture of the entire working environment. Now you need to get to that level of control. And control also means the ability to automate actions, such as again, rotating password automatically upgrading firmware version and restarting devices, all these, you know, for us coming from the it, it sounds okay, that’s simple, right? But in some spaces you find out it’s It’s not trivial. And it’s non trivial, because it is actually hard to do, you need to make sure that when you try to go through those operations, you need to make sure that you’re doing it in a proper way. Otherwise, again, we talked about it, this is a physical device, and it’s out there, it’s on the next office, if I make a mistake, I have something which is out there in the terminal on the other side of the world, and I now I really need to roll out the truck to make sure that it’s working properly again. So again, I think getting to that level of visibility and control, which has been around in the IoT space for years is really key

Jodi Daniels  21:44 

for this industry. When you’re not growing a company and trying to protect physical devices around the world, what do you like to do for fun? Gaming.

Roy Dagan  21:57 

So I’ve been climbing goal has been climbing rock climbing since I was a kid. I think climbing it kind of becomes part of what you are, who you are. After doing it for a while. It’s also kind of the place where I can no put everything aside, I put the phone aside the laptop, everything, and kind of you know, being the zone and just focus on you know, having fun or getting another route. Done. Yeah, I’ve been doing it for years, and it still still gets me excited every single time.

Jodi Daniels  22:27 

So do you travel and have any special places where you’ve climbed.

Roy Dagan  22:31 

So actually, every time typically when I’m traveling when I’m not injured, because of climbing, I travel with a pair of shoes and a chalk bag. And when I have some time off, you know sometimes in the evening I would go to a local gym or somewhere depends where I am. Sometimes I would do a weekend and go out there you know the nature to get some climbing done. But yeah, but typically I will travel with with a climbing shoes and that chalk bag which is essential as downtime.

Justin Daniels  23:01 

How have stuff ready? The mountain out?

Jodi Daniels  23:05 

Always prepared for all things at all. Yeah, that’s Justin’s favorite comment he has his gym bag looks like a piece of luggage. And people will say why are you bringing luggage to the gym? And it’s because he has to be prepared for every sport that you could possibly want to do. Right? That makes sense.

Jodi Daniels  23:24 

Um, but I’m glad I found you a kindred spirit here. Well, Roy, it’s been such a delight talking to you. If people want to learn more, where is the best place for them to do so and connect with you? So they can either

Roy Dagan  23:37 

go to the websites or www.securithings.com or obviously send an email or so to info@securithings.com and we’ll be happy to answer any questions.

Jodi Daniels  23:47 

Wonderful. Well, thank you again for enlightening us and helping the audience understand more the world of IoTOps. It’s been a really fascinating discussion.

Roy Dagan  23:58 

Likewise, thanks a lot. I appreciate it. Thanks for inviting me.

Outro 24:05 

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.