Cybersecurity is an ongoing concern in the realm of home automation and security systems. Joe Albaugh brought a unique perspective to the subject in July when he became Chief Security Officer (CSO) of Vivint, the second largest residential security and home automation provider in the United States. Albaugh’s approach to the cybersecurity aspects of home automation is based on his 20 years of experience including past positions as chief information security officer for three large, critical infrastructure agencies of the U.S. government.
“I preached in the federal government that there is a convergence between automation, operations and administration, all using the same technology and relying on the same operating systems,” Albaugh says. Challenges in the home automation market are “very similar” given the emergence of the “Internet of Things” and the resulting capabilities that will evolve, he adds.
Albaugh says home automation, like government and enterprise systems, can benefit from a holistic awareness of risk mitigation that encompasses considerations from logical access control to secure software to authentication and encryption. Albaugh says there is an expectation that home automation systems are secure, but information gleaned from conferences and threat intelligence suggests that isn’t true. “You can look at each piece independently and dedicate resources to each, but a holistic approach gives a better outcome,” he says.
"I preached in the federal
“I think having cyber-security expertise and understanding its operational impacts [points to] smart ways to securely enable business,” says Albaugh. “It’s a great time to pair my expertise with the capability and vision of this company.”
Albaugh was chief information security officers for the U.S. Department of Transportation and formerly with the Federal Aviation Administration (FAA); before that, he was chief information security officer and acting chief information officer for the U.S. Food and Drug Administration.
Headquartered in Provo, Utah, Vivint traces its founding back to 1995; the new company took the name APX Alarm Security Solutions in 1999 and was later rebranded as Vivint in 2010. The Blackstone Group purchased Vivint for more than $2 billion in 2012. With 7,000 employees including 3,000 seasonal sales reps and technicians, Vivint serves more than 850,000 customers in the United States, Canada and New Zealand. Revenue in 2013 was $500.9 million.
Albaugh says he was drawn to Vivint because of the company’s mission to combine cohesive, intelligent home automation systems with good customer service. “Coming to Vivint was a way to move up in my career path personally and to be part of something that is evolving to the next level,” he says.
In the home automation market, Albaugh sees the need to balance system functional with the degree of needed security. If a system is “too secure,” it would likely not function effectively; while a “wide open” system would be prone to attack. “I try not to be Chicken Little saying the sky is falling. It’s about risk and risk tolerance. There are different opinions about how secure systems need to be, and a polarity about how they need to be managed,” he says.
“I focus on polarity management – is it all privacy or no privacy? – but the answer is somewhere in between. Home systems can use information to make the home experience better, but the issues revolve around transparency and due diligence and education, beginning and ending with awareness by the end user.”
Many consumers today are willing to exchange a level of privacy if they get benefits in return; the popularity of social networks are one example. Albaugh points to another example: How credit card companies use private information to avoid unauthorised charges, for example by analysing spending patterns and notifying the consumer if a charge request doesn’t match the patterns.
"With market estimates of the
Albaugh says it’s much easier to make cost-focused risk decisions when an industry is in its infancy – as the home automation sector is now – than later when usage is more widespread. It’s also much more effective (and less expensive) to “build security into” a system than to “bolt security onto” a system later on. “There also is a cost consideration – you don’t want to spend $500,000 to get $5,000 worth of value,” he says. “You want to have all the risks and potential possibilities before you. We have a great opportunity now to build in security pragmatically rather than add it on later. There are many lessons of cybersecurity that are about being proactive.”
“I wouldn’t want to speculate too much on the maturity of home automation in 5-10 years, but with market estimates of the industry reaching $100 billion in total revenue by 2018, there’s a lot of opportunity ahead of us,” says Albaugh. Given projections, it’s not surprising that a lot of players are getting involved, including large companies like Google and Apple.
“I can guarantee that as we continue to interlace our homes with Internet-accessible technologies – and extend our reliance on automation for everything from convenience and efficiency, to life safety – we will increasingly expose ourselves to cyber-risks,” Albaugh adds. “We should have already learned some valuable lessons from mistakes made in the past, such as bolting on security after the fact, or worse, leaving it off completely.”
”I believe that the automation companies that build pragmatic security capabilities into their offerings and their organisations, and that recognise the interdependencies of each, will be better positioned for success in this industry,” Albaugh says. “That’s why I came to Vivint.”