There is a litany of challenges in making the IoT secure, and each idea seems to lead to a new set of concerns, dilemmas and choices to be made, the speakers said.
On the technical side, how can so many connected devices be protected? The idea of issuing standards and requirements on systems and their components was raised, but what may be acceptable in the United States may not be acceptable in Europe or Asia, Sturniolo said. It could be costly for businesses to develop a range of SKUs for various regions.
Greer said that he believes a key problem is the billions of embedded systems that are deployed and run for years with little, if any, human intervention. As these systems become more intelligent and connected, the industry and businesses need to decide whether they should come with management interfaces that enable IT professionals to communicate with them—but which also would increase their exposure to attacks—or whether there should be no connected management capabilities, making it impossible to detect an issue with them until something goes wrong. Maybe such embedded systems should be designed with self-destruct capabilities after a certain amount of time, he said.
To Mark Stanislav, security evangelist at Duo Security, the question of IoT security is really about traditional IT security.
"Unless we can solve embedded software and network security, we solve IoT security," Stanislav said. "These [parts] of IoT are what make IoT a thing."
Businesses also have choices to make. They tend to operate on cost-benefit models, where spending decisions often are made based on how much of a financial return can be made. Stacy Cannady of Cisco and the Trusted Computing Group said security professionals need to be able to make their cases in similar fashion if they're going to influence business decisions.
"If we want a seat at the table, we need to speak the same language everyone else is speaking," Cannady said.
Businesses are going to have to decide whether they will spend the money to make their infrastructures more secure or risk being attacked, the speakers said. Cisco's Blackmer said too many businesses are being complacent about the dangers, figuring that since they haven't been compromised, they're safe.
Consumers also have decisions to make, according to some of the speakers. Sturniolo said that the industry will not be able to secure every device all the time, so consumers and businesses need to decide what needs to be secured, and how much they are willing to pay to have that security.
"We need a paradigm shift in how we think about this," he said. "It's not, 'What is secure?' It's, 'How secure does it need to be?'"
Cannady said consumers and enterprise buyers need to be more active in pushing system vendors about security. He likened it to buying a car. If a buyer tells the car dealer what make, size and color he wants the car to be, the dealer will talk to him in those terms.
"If they don't ask about cyber-security, they won't get cyber-security," he said.
Cannady also said a problem is that devices now don't have much security, so the industry is in a difficult position when talking about trying to secure the billions of new devices that will come in the next few years.
"We have a very basic set of problems to solve on a very large scale," he said.