The most effective cybersecurity decisions come from industry leaders. ExtraMile by SecureITWorld features these brilliant minds through our leading interview series. We aim to simplify complex cybersecurity concepts into easy and actionable insights that are crucial in today's threat landscape.
For today’s Q&A session, we have the privilege of being joined by Shankar Somasundaram, CEO of Asimily. The firm offers a cyber asset and exposure management platform built for IT, IoT, OT, and IoMT environments. Asimily gives organizations full visibility into their connected assets and ranks vulnerabilities by business impact and compliance risk.
Our guest, Shankar, brings extensive experience in connected device security. As he joins us, we’re excited to explore insights around IoT cybersecurity risk management, vulnerability prioritization, and Segmentation Orchestration.
We will also dive into his perspectives on unclear ownership as a real obstacle, asset inventory, improving security posture, and the landscape of connected device defense.
Welcome, Shankar. It’s a pleasure to have you here!
1. Between Symantec and Asimily, you’ve spent much of your career working on security for connected and embedded systems. What’s actually shifted in the past few years for teams trying to defend IT, IoT, OT, and IoMT environments?
Shankar. Attackers got faster, and the stakes got higher. AI is pushing up both the volume and the sophistication of the attacks targeting vulnerable connected devices. A lot of teams are finding out that the tools they bought for device visibility just can’t keep up with what’s actually moving on the network.
The gap I worry about is between what an organization can see and what its network will actually enforce. Most teams can now build a mostly accurate inventory, but that’s only step one. Far fewer are taking that inventory and turning it into network policies that hold up as devices come and go, and that’s where the vulnerability lies.
If you’re a hospital, a manufacturing plant, or a utility, you know the devices are there, and you know they carry risk. The very critical next step is closing the loop between knowing and mitigating risk across thousands of devices – without compromising the functionality of a patient monitor or a production line in the process.
2. Many organizations are still building their security program around IT and leaving connected devices loosely monitored. Why has that blind spot stuck around, and how much risk does it carry now?
Shankar. It sticks around because these devices often sit outside the tooling that security programs were built on top of. These devices don’t take agents, they never show up in a standard vulnerability scanner, and they pass compliance on paper for that exact reason, because the usual tools can’t see them.
In a recent survey we did with hospital CISOs (to give one industry example), complete device visibility came out on top of what security leaders most want fixed. If a device isn’t in your assessment, then it isn’t in your risk model (and then it certainly isn’t in your remediation plan). You end up with a posture that looks clean and has almost nothing to do with what an attacker can actually reach. Attackers know this and go hunting for exactly that. They want something hard to patch and invisible to the tools you trust to tell you you’re fine. One forgotten device on a flat network is usually all it takes to get in.
3. Your research puts the share of connected-device vulnerabilities that carry real exploit risk at roughly 1 to 2 percent. With device counts still climbing, how should teams think about prioritization rather than trying to patch everything?
Shankar. A patch-everything strategy was never realistic, and at today’s device counts, it’s impossible. There are, on average, 25,000 to 30,000 new vulnerabilities a year, and only a small share of what lands on connected devices is actually exploitable in a given environment. The thing to understand is that everything is vulnerable. A far better question is which ones can actually be taken advantage of, on that device, in that environment. That’s why CVSS is the wrong thing to organize around. A high base score tells you a flaw is bad in the abstract, not whether anyone can reach it on your network.
The questions I’d run through are different. Is there a genuine attack path to the device? Is it being exploited in the wild (which is where something like CISA’s KEV catalog earns its keep)? What does the device actually do, and what does it cost you to pull it offline to patch? When you can’t patch safely, segmentation is often the most effective compensating control available. It limits exposure and starts closing the gap between what you know and what your network actually enforces. We map vulnerabilities to real attack paths with ATT&CK rather than trusting a generic score; we provide actual exploitability on a specific device in that specific network topology. So a team spends its limited hours on the handful of devices that move their risk, and segmentation is the lever they reach for when patching isn’t the answer.
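The prioritization questions in the answer above (attack path, known exploitation, cost of taking the device down) can be turned into a ranking that deliberately ignores CVSS except as a tie-breaker. The following is an added example written for this page; it is not Asimily's scoring model or code, and every device, zone, flow and finding label in it is a constructed placeholder (the `FINDING-*` labels are not real CVE IDs). It checks reachability from an untrusted zone with a breadth-first search over the flows the network currently allows, tiers each finding on reachability and KEV-style known exploitation, and recommends "patch" only where a fix exists and downtime is tolerable, otherwise "segment".

```python
"""Prioritise device findings by reachability and known exploitation rather than CVSS.

Added example for illustration only: the devices, zones, allowed flows and
finding labels are constructed placeholders, not real assets or CVE IDs, and
the tiering is a simple hypothetical scheme, not any vendor's model.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str     # constructed placeholder label, not a real CVE ID
    device: str
    cvss: float         # base score, used only to break ties within a tier
    in_kev: bool        # listed in a known-exploited catalogue such as CISA KEV
    patchable: bool     # vendor fix exists and the device will accept it
    downtime_cost: int  # 0 = none, 1 = needs a maintenance window, 2 = disrupts care/production


# Zone each device sits in (constructed).
DEVICE_ZONE = {
    "patient-monitor-07": "clinical",
    "cnc-controller-03": "production",
    "badge-printer-02": "corp",
    "hvac-controller-01": "building",
}

# Directed zone-to-zone flows the network currently allows (constructed).
# "building" has no inbound path from anywhere; "clinical" is reachable via "corp".
ALLOWED_FLOWS = {
    "internet": {"dmz"},
    "dmz": {"corp"},
    "corp": {"clinical", "production"},
    "production": set(),
    "clinical": set(),
    "building": set(),
}

UNTRUSTED_SOURCES = ("internet",)


def reachable(source: str, target: str, flows: dict) -> bool:
    """Breadth-first search over allowed flows: does any path lead source -> target?"""
    seen, queue = {source}, deque([source])
    while queue:
        zone = queue.popleft()
        if zone == target:
            return True
        for nxt in flows.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def attack_path_exists(device: str, flows: dict = ALLOWED_FLOWS) -> bool:
    """True if an untrusted zone can reach the zone the device lives in."""
    zone = DEVICE_ZONE[device]
    return any(reachable(src, zone, flows) for src in UNTRUSTED_SOURCES)


def tier(f: Finding) -> int:
    """0 = reachable and exploited in the wild, 1 = reachable, 2 = KEV but unreachable, 3 = neither."""
    path = attack_path_exists(f.device)
    if path and f.in_kev:
        return 0
    if path:
        return 1
    return 2 if f.in_kev else 3


def recommended_action(f: Finding) -> str:
    """Patch when it is safe to; otherwise segmentation is the compensating control."""
    if f.patchable and f.downtime_cost < 2:
        return "patch"
    return "segment" if attack_path_exists(f.device) else "monitor"


def prioritise(findings: list) -> list:
    """Rank by tier, then CVSS; return (finding_id, tier, action) rows, most urgent first."""
    ranked = sorted(findings, key=lambda f: (tier(f), -f.cvss))
    return [(f.finding_id, tier(f), recommended_action(f)) for f in ranked]


# Constructed sample findings.
SAMPLE_FINDINGS = [
    Finding("FINDING-A", "hvac-controller-01", 9.8, False, True, 0),   # top CVSS, isolated zone
    Finding("FINDING-B", "patient-monitor-07", 7.5, True, False, 2),   # KEV, reachable, no patch
    Finding("FINDING-C", "badge-printer-02", 6.1, False, True, 1),    # reachable, cheap to patch
    Finding("FINDING-D", "cnc-controller-03", 8.8, True, True, 2),    # KEV, reachable, patch needs downtime
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_FINDINGS):
        print(row)
```

The CVSS 9.8 finding on the isolated HVAC controller lands last, while the two KEV-listed findings on reachable clinical and production devices come first and both get "segment" rather than "patch", because one has no fix and the other cannot be taken down without stopping a line.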
4. A lot of connected devices run legacy firmware and depend on the manufacturer to issue an update, if one ever arrives. What does a workable response strategy look like in that environment?
Shankar. You start by accepting that a big share of these devices will never get patched, and you build around that instead of pretending otherwise. The patch queue and the risk-reduction queue are two different lists.
Some devices you can update on the vendor’s schedule, while others run firmware that won’t take a patch at all, or they sit in an operational or production setting where taking them down has real consequences. In those cases, the response has to come from controls that don’t need the device to cooperate. Segmentation is the strongest one, and it’s also the foundation of a credible zero-trust posture on a mixed device network. The problem is that doing it across thousands of IT, IoT, OT, and IoMT devices has always meant a mountain of manual work and a fear of breaking something. Micro-segmenting every device by hand would take years and burn every resource you have.
The important work is doing it in a way that’s fast, scalable and targeted. Targeted segmentation blocks the specific communication paths through which a vulnerability can be exploited, and device configuration recommendations close the exposure at the device level — both work without a patch and without taking the device offline. You’re trying to lower the odds that a flaw you can’t remove ever gets reached. Do that well, and a team takes most of its real risk off the table by touching a small fraction of its devices, which is the only thing that holds up as the fleet keeps growing.
5. One of your survey findings pointed to unclear ownership as a real obstacle, where no single team is clearly responsible for a given device. How should organizations close that gap?
Shankar. Ownership sounds like an org chart issue, but often turns out to be a security one. In our research, internal process gaps (the classic one being a device nobody clearly owns while responsibility floats between teams) came out as one of the biggest barriers to managing device risk, with one-third of CISOs pointing to it.
Think about a manufacturing plant, where a CNC machine or an industrial controller gets touched by operations one week and IT the next, with no one actually on the hook for its security. These devices run for 10-15 years, so the ambiguity just sits there. Closing it starts with an inventory that the security team and the operational teams both trust, because you can’t hand someone ownership of devices you can’t even agree exist. After that, it’s naming an owner for each class of device and being clear on who acts when something gets flagged. Asimily establishes a single source of truth that security and operational teams both work from, including the same priority list, but the ownership itself is a human call.
Or to put it more bluntly: when nobody owns the device, the attacker effectively does.
6. You just launched Segmentation Orchestration. What were customers running into that led you to build it, and how does it change a security team’s day-to-day?
Shankar. Stopping an attacker from moving sideways once they’re in is one of the most effective things you can do, and segmentation is how you do it. But everybody knows that part, and segmentation projects don’t stall because teams can’t write policy. They do stall, however, because doing it across thousands of mixed IoT, OT, IoMT, and IT devices has always meant a mountain of manual work and a real fear of breaking something. Somebody writes a rule based on what they assume a device does, pushes it out, and a patient monitor or a line goes down because the assumption was wrong. What we built takes over the translation that used to happen by hand.
Before a single policy gets written, the platform builds a communication profile for each device based on observed traffic, the ports and protocols, the services it depends on, what is normal and what falls outside that baseline. From there, Policy Auto-Recommendation generates conflict-free policies derived directly from that observed behavior, ranked by the risk reduction each delivers. Then Policy Simulation shows the team exactly which traffic flows would be blocked against real observed device traffic, not test traffic, before any rule touches the production network.
Then Continuous Segmentation adapts policies automatically as devices onboard, firmware changes, or the risk profile shifts. Early on, all anyone in this space wanted was visibility. Visibility matters, but visibility you can’t act on is just a dashboard. This is the piece that turns what you can see into what your network actually enforces, and keeps it that way.
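The workflow described in the answer above (baseline a device's traffic, derive an allow-list from it, then simulate the policy against the real observed flows before enforcing it) can be sketched in a few functions. This is an added example written for this page, not Asimily's Segmentation Orchestration code, and it does not model the risk-based ranking of recommended policies the answer mentions. Every host name, port and flow count is constructed, and the rule dictionaries are a hypothetical format rather than any firewall's policy language. The second run, with an over-tight learning threshold, is the case the answer warns about: simulation shows the occasional maintenance SSH session to the patient monitor would be cut, before any rule reaches production.

```python
"""Derive a per-device allow-list from observed traffic and simulate it before enforcement.

Added example for illustration only: hosts, ports and counts are constructed, and the
rule format is hypothetical, not any vendor's or firewall's policy language.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int  # destination port


# Constructed flow records from a learning window: Flow -> times observed.
OBSERVED = Counter({
    Flow("patient-monitor-07", "central-station-01", "tcp", 2575): 1800,  # telemetry feed
    Flow("patient-monitor-07", "ntp-01", "udp", 123): 600,                # time sync
    Flow("central-station-01", "patient-monitor-07", "tcp", 22): 12,      # occasional maintenance
    Flow("ws-eng-14", "patient-monitor-07", "tcp", 445): 1,               # one-off SMB probe
})

DEVICE = "patient-monitor-07"


def build_profile(observed: Counter, device: str, min_count: int) -> set:
    """Baseline = (direction, peer, proto, port) tuples seen at least min_count times."""
    profile = set()
    for flow, n in observed.items():
        if n < min_count:
            continue
        if flow.src == device:
            profile.add(("out", flow.dst, flow.proto, flow.port))
        elif flow.dst == device:
            profile.add(("in", flow.src, flow.proto, flow.port))
    return profile


def generate_policy(device: str, profile: set) -> list:
    """Ordered rules: one allow per baseline entry, then a default deny for the device."""
    rules = [
        {"device": device, "dir": d, "peer": p, "proto": pr, "port": port, "action": "allow"}
        for d, p, pr, port in sorted(profile)
    ]
    rules.append({"device": device, "dir": "any", "peer": "any",
                  "proto": "any", "port": "any", "action": "deny"})
    return rules


def _matches(rule: dict, flow: Flow) -> bool:
    """Does this rule apply to this flow? Direction is relative to rule['device']."""
    if rule["dir"] == "any":
        return rule["device"] in (flow.src, flow.dst)
    mine, peer = (flow.src, flow.dst) if rule["dir"] == "out" else (flow.dst, flow.src)
    return (mine == rule["device"] and peer == rule["peer"]
            and rule["proto"] == flow.proto and rule["port"] == flow.port)


def check_conflicts(rules: list) -> list:
    """Rules with identical match fields but different actions are conflicts."""
    seen, conflicts = {}, []
    for r in rules:
        key = (r["device"], r["dir"], r["peer"], r["proto"], r["port"])
        if key in seen and seen[key] != r["action"]:
            conflicts.append(key)
        seen.setdefault(key, r["action"])
    return conflicts


def simulate(rules: list, observed: Counter) -> dict:
    """Replay observed flows through the ordered rules; return the flows that would be blocked."""
    blocked = {}
    for flow, n in observed.items():
        for rule in rules:           # first matching rule wins
            if _matches(rule, flow):
                if rule["action"] == "deny":
                    blocked[flow] = n
                break
    return blocked


def plan(device: str, observed: Counter, min_count: int) -> dict:
    """Profile -> policy -> conflict check -> simulation against the observed traffic."""
    rules = generate_policy(device, build_profile(observed, device, min_count))
    if check_conflicts(rules):
        raise ValueError("policy has conflicting rules")
    return simulate(rules, observed)


if __name__ == "__main__":
    print("blocked with min_count=2:  ", plan(DEVICE, OBSERVED, 2))
    print("blocked with min_count=100:", plan(DEVICE, OBSERVED, 100))
```

With `min_count=2` only the single SMB probe from the engineering workstation is blocked. With `min_count=100` the twelve maintenance SSH sessions are also outside the baseline, and the simulation reports them as blocked, which is exactly the mistake that would otherwise surface as a device nobody can reach after the rule goes live.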
7. Switching gears a bit, the recent Armis acquisition by ServiceNow drew a lot of attention in the category. What do you read into that kind of consolidation about where enterprise security platforms are going?
Shankar. When a security product gets pulled into a much bigger software company, it drifts toward whatever that company is already good at. That serves the acquirer’s strategy more than it serves any one customer’s security. The customers are the ones left holding the uncertainty while the roadmap gets re-pointed and the product calls move further from the people who used to make them. My read is that buyers should watch who’s still building in this space versus who’s heads-down on an integration. The winners in this category won’t be decided in a two- or three-year window. They get decided over five, seven, ten years, as the products that keep maturing pull ahead of the ones that stall. A richer inventory bolted into a bigger suite isn’t the same as cutting the risk on your network, even if the two keep getting sold as if they were.
8. You’ve drawn a hard line between holding an asset inventory and actually improving security posture. As the market shifts, what should buyers be demanding from their vendors?
Shankar. Inventory tells you what you’ve got, while posture tells you how much risk you’ve actually taken off the table. The whole ask in this space used to be visibility, visibility, visibility. That mattered, and it still does, but it was always the starting point, not the destination. A vendor who hands you a longer list of devices with no way to act on it has just given you a sharper picture of a problem you still haven’t touched.
What I’d push buyers to ask for is the whole path, from discovery through prioritization, remediation, segmentation, and configuration control. That’s the chain that actually breaks risk down, but most platforms stop at information. They’ll deliver dashboards and alerts, but then leave the hard work to you. The better question to ask a vendor is whether you can actually mitigate risk directly from the platform, or whether you’re just reading about it. Can it show your risk going down, or does it just give you a perimeter view of why it’s still there? And while you’re at it, ask who’s making the product decisions now, and is this category still a real commitment or getting folded into something else?