A lesson from the story of 3 Blind Men and an Elephant

December 12, 2017

Posted by: Zenobia Hegde

Yiru Zhong of Beecham Research

When I was very young, I remember a picture story of 3 blind men and an elephant, says Yiru Zhong, principal analyst at Beecham Research. My reaction at the time was “Oh how can they not know?” when the 3 men in the story were asked to describe the elephant, an animal they have not encountered before. 

Now that I have lived and worked in 2 different cultural environments, I observe that people’s first instinct towards new experiences is to tie it back to their own, rather than be open in their approach to understand something new. This leads to a blinkered approach which can cause more confusion than clarity. In the same way as enterprises address the challenges in IoT security, I have learnt that without a widely accepted idea of the end goal, the solution cannot be judged as optimal. 

I am reminded of this very important lesson after attending several events in the last two months; society needs to converge towards a more widely-accepted point of reference on the outcomes of a secure IoT system. It is, therefore, very welcoming at IoT Security Foundation (IoTSF)’s annual conference last Tuesday when it announced its 2017 achievements to date, including an update to its IoT Security Compliance Framework that now extends to advice on how to build consumer products.

The main theme of this conference was to discuss best practices to shift the conversation of security in IoT as a fear factor towards the business opportunities of investing in a secure and safe IoT system. Staying true to its newly revised tagline of “Build Secure, Buy Secure, Be Secure”, IoTSF organised this event focused on the business value of security investment and behaviours. 

The speaking and panel sessions spanned from industry veterans and enterprises sharing their best practices to technical workshops on “how to” sessions to academics sharing the results of their research.


I picked up three developing takeaway points that will shape our research in the new year: 

  1. The creation and maintenance of a company’s brand needs to account for the positive and negative consequences of building trusted IoT systems. Almost all the panellists and speakers directly or indirectly suggested that the burden of deploying, buying, and using secure IoT systems lies with each link on the IoT value chain, enterprise user and the end-consumer. 
  2. Big technology companies and industry alliances have an important social and market development role to lead standardisation efforts, in defining the much-needed common understanding of what a secure IoT system should be. IoT Security Foundation leads one of many efforts to provide that push. I am also interested in the expected impact of ARM’s security manifesto that aims to democratise efforts for everyone to build secure IoT systems at scale. 
  3. The concept of a social contract between an enterprise and customer must be re-examined in an IoT or hyperconnected intelligent society. Speakers and panellists implied that the incentive equation is not fit for purpose given how the traditional economics of security solution skew the business case for enterprises at the start of their IoT deployments. For the end-consumer, they want a complete but also easy to understand information set to make the right decisions. For enterprises, they should aspire to be clear about responsibility and accountability of their actions. 

The “same but different” treatments of security and privacy has great implications on the approach to “build secure, buy secure and be secure”. Our sector, of IoT and of the security community, is somewhat more focused on the security angle than on privacy implications. Allowing consumers to trust that their privacy is maintained goes a long way to address #1 and #3. 

More importantly, as Hugo Fiennes, co-founder of Electric Imp, says, “ownership of data is a less interesting question than the value of data”. I wish to add that the value of data increases if the consumer is confident that its privacy wishes are being respected. In 2018, I look forward to examining privacy management to support security spending as a business value investment. 

Lastly, Beecham Research is conducting a survey to track IoT adopters’ attitudes towards security and privacy in their IoT systems, particularly to uncover perception of business value in security investments. We would love it if you would participate in this survey. In return, we would be happy to share with you the results of the findings. https://surveys.beechamresearch.com/s/IOBUHE3Y/

The author of this blog is Yiru Zhong, principal analyst, Beecham Research

Comment on this article below or via Twitter @IoTGN