"The vendors of these IoT devices are not actively managing the threats, and even if a vulnerability is announced and a patch provided"

The business has to base it on risk with that statement alone. Any insert (CSO, CISO, CIO, or other alphabet soup) that knows how to count to potato needs to understand that, again with the statement above, these devices pose a high risk to the business if used.

"and even if a vulnerability is announced and a patch provided, most users don't know what to do with this information,"

This needs to say most users who don't have an infosec mindset along with some I.T.-related knowledge outside of how to set up a Twitter account. And on the other side of the coin, if they do actually have a dedicated I.T. role, they are so busy with other things that doing this kind of patching is lower on the priority list. Companies need dedicated and talented people who concentrate on keeping the business secure with this IoT crap.

"The first step towards minimizing risk is to segment networks to reduce their exposure to the bad guys."

And "Companies should select vendors that care about security to ensure the life-cycle of exploits and patches can be closed, similar to how PCs and Macs are managed,"

This pretty much means don't buy the stuff from any vendor. Thoughts? Anyone?