Curtis Simpson, CISO at Armis. PHOTO: Cybercrime Magazine.

Fortune 100 CISO Joins Armis To Fight Internet of Things Cybercrime

Curtis Simpson on changing mindsets and approaches to securing IoT in the enterprise

– Casey Crane

St. Petersburg, Fla. – Jan. 17, 2020

Whether it’s a vending machine, Bluetooth headphones, or a CCTV — the Internet of Things (IoT) can be seen everywhere. With connected devices so commonplace in consumer, enterprise, healthcare, manufacturing, and retail environments, they’re easy to integrate into the flow of things. But something that’s not as easy is remembering that, at their core, IoT devices are still computers that have security vulnerabilities.

That forgetful mindset is something that Curtis Simpson hopes to help businesses and organizations change. He views this goal as being paramount considering that his company’s report with Forrester on unmanaged and unsecured IoT indicates that 67 percent of CISOs (chief information security officers) and practitioners report that their companies’ environments have been compromised through such connected devices.

Cybercrime Magazine sat down with Simpson, the newly minted CISO at Armis, a leader in enterprise IoT security and an agentless device security solution provider that helps protect networks by automatically blocking malicious devices from accessing them. The company recently announced its agreement to be acquired by Insight Partners, a global software investment firm, for a cash valuation of $1.1 billion.

Simpson is the picture of calm, competence, and confidence — everything any corporate executive would want to see in their CISO — as he centers on what CISOs and their security teams should know about IoT security across multiple industries and the challenges they face in this new frontier.

Before joining Armis, Simpson — a self-taught tech and cyber expert — made his way up the ranks to vice president and global CISO at Sysco, a Fortune 54 multinational sales, marketing, and distribution organization for food products with more than 69,000 employees at approximately 320 locations globally — first in Canada and then in the U.S. He helped the company’s Canadian division establish its first Information Security program.

Referring to his time at Sysco, Simpson says that acquisitions often involve small to medium-sized businesses, which, in some ways, he says aren’t that different from dentist offices because they’re notorious for not investing much in IT security.

“Many SMBs are exactly the same,” Simpson says. “They grew up by bootstrapping themselves and really focusing a lot of attention on building out that business. But the IT function existed just to make sure the business could get as far as they needed to — not a lot of security capabilities. So we had to really focus on ensuring that we could deliver security capabilities to these new acquisitions rapidly to manage that risk as quickly as we could before they started being ingested into the larger organization.” 

Technology and cybersecurity, regardless of industry, are two major areas of concern that Simpson says largely go ignored or neglected. This is particularly the case concerning IoT devices. The security concerns surrounding IoT frequently relate to:

  • insecure and unmanaged devices,
  • new or unidentified attack vectors, and
  • a lack of network visibility.

One of the biggest cyber risks for organizations concerning IoT, Simpson says, is that people tend to forget that they’re still computers at their core.

“We forget that a printer has an operating system, it has software that has vulnerabilities running on it.” Simpson points out that while CCTV cameras, VoIP phones and other connected devices exist in business environments, we tend not to focus attention on understanding what they are, what they’re supposed to be doing, or whether they may be compromised.

“We have to realize and recognize that this is just the new form of computer in our landscape, and we manage the same type of risks that we always have,” he says. However, the way we go about managing those risks needs to be different to match the needs of each specific situation.

But, as a whole, what he’s seen is that, by and large, organizations have turned a blind eye to the needs of those devices — and have done so for a long time. What makes this a bigger issue is that security controls aren’t baked into IoT devices because they’re purpose-built solutions that exist to do one thing and do it well.

This is a growing concern considering that approximately 40 percent of enterprise landscapes are now IoT and OT. Simpson says he expects this number to grow to upwards of 90 percent in some industries — which is both incredible and problematic.

“It’s problematic because we’re not getting our hands around these things. We’re not managing the risk around these things, and they’re moving and growing quickly,” he says. Something he’s talked about with his own team is viewing IoT and OT like how they view laptops. He encourages them to ask themselves: Would we be comfortable with such a large percentage of laptops being insecure? Of course not. So, why do we allow ourselves to have this mindset about IoT and OT?

This faulty mindset isn’t specific to any one business or industry, either. It’s true of healthcare, manufacturing, and retail as well. In healthcare, for example, the use of old and outdated IoT devices is prevalent — they’re used to deliver services while connected to a network. They were never built with security in mind, yet they’re still relied upon to deliver services and monitor patients.

“So when you think about things like an infusion pump or a patient monitor, if that thing’s been monitoring a patient effectively and delivering infusion to patients as it’s supposed to … the reality is that you’re not going to replace the device. It’s doing exactly what it was meant to do within an industry that’s focused on servicing patients,” he says. “Well, now that you fast forward to today, hackers are fundamentally realizing that these are the devices that we’re not watching. They’re vulnerable just like any other computer is.”

No matter the industry, virtually every modern company has IoT in their environment. From point-of-sale solutions to Smart TVs, hackers can exploit security vulnerabilities and gain access to critical infrastructure and sensitive information. And all of these things — as well as many other reasons and examples he shares throughout the interview — are why Simpson says CISOs can’t manage risk the way they always have against traditional devices.

“We all have IoT in our environment. So combine the fact that every single one of us has IoT components in our environment and 67 percent of enterprises that worked with Forrester identified that attacks are occurring through those devices, it’s time to act,” he says.

This is where Armis comes in and excels. As a NAC, their goal is to help companies discover and identify every networkable device — IT, IoT and OT alike — in and around their environments. Through virtual appliances dropped into the enterprise that integrate with both wired and wireless networks, they’re able to help businesses achieve full visibility of every device — down to each one’s specific make, model, version, and software, as well as who it’s communicating with and who the likely owner is.

“The beautiful thing about Armis, when you compare that to a traditional NAC solution, is we’re not just a gatekeeper that determines whether a device can or cannot get on the network,” Simpson says. “We’re actually going to allow you to continually assess that device to build policies around the device and what it should and shouldn’t be able to do, and then trigger action if that device starts going sideways, looks like it’s been compromised, is acting maliciously, etc.”
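The model Simpson describes above (an inventory of what each device is, a policy for what it should and shouldn’t talk to, and an action when it deviates) can be sketched in a few dozen lines. The following is an added illustration for this article, not Armis code or any real product logic; the device profiles, MAC addresses, IP addresses and flow records are constructed, and the “alert”/“quarantine” action names and the violation threshold are assumptions chosen for the example.

```python
"""Toy policy engine for connected devices, built from passively observed
network flows. Added example for illustration only; not Armis's code.
All device identities, addresses and flows below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceProfile:
    """What an inventory knows about one device: identity plus the peers
    (destination IP, destination port) it is expected to talk to."""
    mac: str
    make: str
    model: str
    firmware: str
    allowed_peers: frozenset  # set of (dst_ip, dst_port) tuples
    owner: str = "unknown"


# Constructed inventory: a camera owned by facilities and an infusion pump
# owned by biomedical engineering, each with a narrow expected peer set.
INVENTORY = {
    "aa:bb:cc:00:00:01": DeviceProfile(
        "aa:bb:cc:00:00:01", "ExampleCam", "C-100", "1.2.3",
        frozenset({("10.0.5.10", 554), ("10.0.5.20", 123)}), "facilities"),
    "aa:bb:cc:00:00:02": DeviceProfile(
        "aa:bb:cc:00:00:02", "ExamplePump", "P-7", "4.0.1",
        frozenset({("10.0.9.5", 443)}), "biomed"),
}

# Constructed flows as a passive sensor would see them: (src_mac, dst_ip, dst_port)
FLOWS = [
    ("aa:bb:cc:00:00:01", "10.0.5.10", 554),   # camera streaming to its NVR: expected
    ("aa:bb:cc:00:00:01", "10.0.5.20", 123),   # camera syncing time: expected
    ("aa:bb:cc:00:00:01", "10.0.5.30", 80),    # camera reaching an unlisted host: one deviation
    ("aa:bb:cc:00:00:02", "10.0.9.5", 443),    # pump reporting to its server: expected
    ("aa:bb:cc:00:00:02", "10.0.7.33", 445),   # pump opening SMB to a workstation: deviation
    ("aa:bb:cc:00:00:02", "203.0.113.7", 4444),  # pump reaching outside the network: deviation
    ("aa:bb:cc:00:00:09", "10.0.5.10", 80),    # device not in the inventory at all
]


def assess(flows, inventory):
    """Compare each flow against the device's policy.

    Returns {src_mac: [(finding_kind, dst_ip, dst_port), ...]} containing
    only the flows that were not expected; compliant devices are absent."""
    findings = defaultdict(list)
    for mac, dst_ip, dst_port in flows:
        profile = inventory.get(mac)
        if profile is None:
            findings[mac].append(("unknown_device", dst_ip, dst_port))
        elif (dst_ip, dst_port) not in profile.allowed_peers:
            findings[mac].append(("policy_violation", dst_ip, dst_port))
    return dict(findings)


def decide_action(findings, threshold=2):
    """Map findings to an action per device (assumed action names).

    An unknown device is quarantined outright; a known device is quarantined
    once it accumulates `threshold` unexpected flows, otherwise only alerted on."""
    actions = {}
    for mac, events in findings.items():
        if any(kind == "unknown_device" for kind, _, _ in events):
            actions[mac] = "quarantine"
        elif len(events) >= threshold:
            actions[mac] = "quarantine"
        else:
            actions[mac] = "alert"
    return actions


def describe(mac, inventory):
    """Human-readable identity line for a finding, from the inventory."""
    p = inventory.get(mac)
    if p is None:
        return f"{mac} (unknown device, no profile)"
    return f"{mac} {p.make} {p.model} fw {p.firmware}, owner {p.owner}"


if __name__ == "__main__":
    found = assess(FLOWS, INVENTORY)
    for mac, action in decide_action(found).items():
        print(f"{action:10s} {describe(mac, INVENTORY)}")
        for kind, ip, port in found[mac]:
            print(f"           {kind}: {ip}:{port}")
```

The point of the example is the shape of the control, not the thresholds: the camera’s single stray connection produces an alert for a human to review, while the pump reaching a workstation over SMB and then an outside address crosses the threshold and is isolated, and a device no inventory knows about is isolated until someone identifies it. Real deployments would derive `allowed_peers` from an observed baseline rather than typing them in, and would feed the action to the network rather than printing it.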

Regardless of the solution SMBs or enterprises choose to go with, Simpson says it’s just important that they’re having conversations about these devices and technologies, and are taking steps to address their vulnerabilities in some way.

“Armis is the solution I stand behind, but the reality is that we’ve got to do something,” he stresses. “We can’t continue to just assume that this isn’t as bad as it is — because it’s bad.”

You can listen to the full interview with Simpson here.

– Casey Crane is a freelance writer.

About Armis

Today’s digital workplace depends on connected devices to drive higher productivity, greater efficiency, and better organizational results. Armis is the first agentless, completely passive enterprise cyber security platform to address the new threat landscape of connected devices. Its unique technology continuously discovers and profiles devices in your environment, analyzes their behavior to identify risks and attacks, and automatically protects you from suspicious or malicious activity.