RV Raghu, international director of ISACA, says the Internet of Things (IoT) is the next big thing.
Market research agency Gartner has predicted that there will be 26 billion devices connected to each other by 2020. Investment in the IoT is not as simple as it seems and the C-suite is in a quandary on the direction to take.
According to a new global IoT decision maker survey from International Data Corporation (IDC), 73 percent of respondents have already deployed IoT solutions or plan to deploy in the next 12 months. IDC research also shows IoT awareness is gaining traction in the retail and manufacturing industries with 56 percent and 53 percent of respondents, respectively, showing high awareness of the IoT.
In addition, 58 percent consider the IoT a strategic initiative, with a further 24 percent viewing it as transformative. The healthcare industry leads the field with 72 percent identifying IoT as strategic, followed by transportation and manufacturing at 67 percent and 66 percent, respectively. Government lags behind in overall awareness and often needs clarification around the IoT basics.
However, challenges remain. A new survey from global IT and cyber security association ISACA suggests a major confidence gap between the average consumer and cyber security and information technology professionals over the security of connected devices. In other words, consumers are perhaps overconfident about IoT security.
ISACA’s 2015 IT Risk/Reward Barometer, a survey of global IT and cyber security professionals, depicts an IoT that flies below the radar of many IT organizations—an invisible risk that survey respondents believe is underestimated and under-secured:
Nearly half believe their IT department is not aware of all of their organization’s connected devices (e.g., connected thermostats, TVs, fire alarms, cars).
73 percent estimate the likelihood of an organization being hacked through an IoT device is medium or high.
63 percent think that the increasing use of IoT devices in the workplace has decreased employee privacy.
Ways for Enterprises to Maintain a Cyber-Secure Workplace
# Safely embrace IoT devices in the workplace to keep a competitive advantage.
# Ensure all workplace devices owned by the organization receive regular security upgrades.
# Require that all devices be wirelessly connected through a workplace guest network rather than the internal network.
# Provide cybersecurity training for all employees to improve awareness of cyber security best practices and the types of cyber attacks.
Best Practices for Manufacturers of IoT Devices
# Require that all software developers have appropriate performance-based cyber security certification, to ensure safe coding practices are being followed.
# Insist all social media sharing be opt-in.
# Encrypt all sensitive information, especially when connecting to Bluetooth-enabled devices.
# Build IoT devices that can be automatically updated with new security upgrades.
Some of the issues to be confronted and taken head-on before investing in IoT include the following:
Understand If Your Business Needs IoT and What the Benefits Are
This is probably the first question you need to answer. While investing in IoT may be the tech savvy thing to do and would probably put your organization in the spotlight, it can also have its downsides. A clear articulation of the strategic and tactical benefits of the IoT initiative would be a good starting point.
Understand Stakeholder Needs
Will your customers accept the fact that with IoT the potential for invasion of privacy and loss of control of the personal or business data collected will become increasingly real? As an organization, are you prepared for the operational implications of securely handling information that may be private and purely personal? Are you prepared for the risk of misuse and the associated consequences from such misuse? Do different levels of the organizational hierarchy, including your Board, understand the business implications of IoT? Are they prepared to authorize investing in it and take responsibility for investing in it?
Understand IoT Security Implications
As an organization, a key step in the decision to invest in IoT is mapping out the implications of IoT for the organization and its business, especially in terms of security, data privacy, etc. This is closely linked to the question of what the organization wishes to achieve by investing in IoT. Are you aiming at new markets? Is the intent to reach a new demographic? Would it disrupt the supply chain? Enable better customer service? Enable a better understanding of your customer?
Understand IoT Statutory/Regulatory Implications
IoT by its very nature is closely linked to the access, analysis, review, storage and/or usage of data, which belongs to customers and is related to your customers in some way. Such data is more often than not under the purview of various data protection laws across the world. IoT also brings with it several issues relating to how both data and the IoT devices are being used/deployed.
Liabilities may accrue due to issues in the manufacture of IoT devices, apart from how, when, where and to whom they are sold and how the data collected is used. Cases in point are the widespread real and potential threats to wearables and the initial issues that surrounded smart TVs listening in to your drawing room conversations 24/7.
Determine IT Infrastructure Capability
Examine whether your existing IT infrastructure and processes can handle IoT. This is critical as existing infrastructure may have its own security loopholes that, coupled with IoT, may throw the door open to catastrophe.
Invest in Data Analytics, Cloud and Supporting Technologies
IoT devices and machines have sensors that collect various data including user information such as name, password, user location, device status, performance, and a host of other data depending on the application of IoT, the industry, etc. The vast amount of data (read Big Data) may need to be crunched in real time, bringing in data analytics. This will require vast amounts of processing power, storage capacity and near 100 percent availability, which means a traditional server set-up will not do. This may mean your organization will have to move into the Cloud. So be prepared to manage Big Data, invest in data analytics, Cloud, etc.
Evaluate Governance, Risk and Compliance Process Maturity
Governance, risk and compliance (GRC) maturity will be key to the success of your IoT investments. Your governance processes must enable oversight of your IoT program. Your risk management processes must be capable of modeling and predicting potential risks. Your compliance management must foresee issues and ensure necessary compliance.
By its very nature IoT is so vast that no single organization can span the gamut of the IoT eco-system alone; this means that several organizations will need to collaborate both vertically and horizontally for effective IoT to deliver business results, especially with consumer-oriented IoT, such as wearables or connected things (refrigerators, cars, security devices, etc.). So be prepared to collaborate, collaborate and collaborate.
Invest in Your People
People will be the linchpin for a successful IoT initiative and investment. After all, over time technology will be accessible to all organizations across the board and success will depend on the people who drive IoT in your organization. A not-so-startling revelation has been that competencies and skills needed for the IoT world, especially from a cybersecurity point of view, are in severe short supply.
An ISACA Cybersecurity Snapshot survey found 45 percent of organizations planning to hire cybersecurity personnel in 2016 expected to have a difficult time finding skilled candidates. So a successful IoT investment will mean an investment in your people, including upskilling, certifications, training and other competency building activities so your investment in IoT delivers results.
Be Prepared for the Downside
While IoT opens up possibilities and the growth cycle can be enormous, the downside can have devastating implications. There are instances of IoT devices failing or becoming prey to hackers and cyber attacks. The implications can lead to legal suits, not to mention the impact on your brand, market value and the very existence of your organization.
Successful IoT investment decisions are best made with long-term implications and a clear commitment to a strategic and tactical path.
By RV Raghu, international director of ISACA