Today’s faster-paced business requirements for all things automated, surveilled and customer-centric have focused C-level executives squarely on the ability to innovate using enterprise-level IoT. Everyone is looking for the next big disruptor. The complexity of an IoT strategic effort faces the most demanding requirements of compliance and security. Layered onto and around this are the extended requirements for partner compliance, converged cyber and physical protections, and other cloud automated incident response of the extended modern-day supply chain.
The implications to these IoT demands are for organizations to build modular functionality, establish pull marketing and demonstrate platform management that is cost-effective and low-risk. Operationalizing these business and functional requirements translates into managing interconnected personalized and partner information in a dynamic compliance environment.
As “surveillance capitalism” extends its reach, more and more organizations face the dilemmas of customized platforms and partnering to share, sell or gain information and data. C-level executives and their boards face the dilemmas of dynamically evolving issues related to data liability and privacy generated autonomously.
Expanding guidance and standards
In 2018, federal contractors and global companies are straddling the two big hurdles of the European Union’s (EU) General Data Protection Regulation (GDPR) and Controlled Unclassified Information (CUI) and the associated Defense Federal Acquisition Requirement Supplement (DFARS) requirements for doing business with the government. IoT and associated AI capabilities face the same compliance requirements as well as other NIST guidance and guidelines from the Federal Trade Commission (FTC).
The complexity of these compliance standards tends to focus on technical issues without regard to the organizational impacts such as privacy liabilities and data management issues. The Draft guidance of NIST SP 800-53, Rev. 5 establishes these liabilities on the near-term horizon with wording that addresses systems, not just information systems, as well as the new security control families related to individual consent and privacy. Most IoT technologies rely on the cloud to operationalize capabilities and transform massive amounts of data into intelligence and predictive sales and solutions bringing Federal Risk and Authorization Management Program (FedRAMP) compliance into the picture as well.
In the face of growing intelligent things, smart automation and self-regulating devices, CEOs and C-suite leaders should prepare to answer inquiries related to privacy effectiveness and technical information and data protection. As geolocation implications of cookies, IP address mapping and other customized digital marketing transform the public and private marketplace, compliance parameters will require key performance indicators both internally and externally.
Apply top-down, bottom-up risk decisions
Consulting with and adapting the engineered decision trees of new intelligent things after the fact exponentially increases operational costs and may generate repetitive penalties for privacy and consumer fraud infractions. In some instances, the violations could result in the loss of viability for the organization.
To adequately address the cyber, governance and compliance changes introduced by IoT, organizations will need to apply a top-down, bottom-up risk decision capability. Defining shared risks across the IT, financial centers, marketing and supply chain is the next big change in this cyber and compliance space as organizations integrate liabilities between corporate centers for better management and executive decisions. (The top-down governance strategy!)
Utilizing inherent operational security and integrated compliance with IoT begins with incorporating cloud, CUI and DFARS standards such as those incorporated already into FedRAMP templates. As IoT efforts expand, it is predictable that the value of using FedRAMP and 3PAO consulting and testing will expand as SecDevOps benefits from accepted government-wide program lessons learned and processes. For many companies, FedRAMP services to minimize penalties related to compliance — both cyber and privacy.
IoT and digital transformation bring the possibility of the newest risk of all: the inability to physically document — even using automation — the true organizational risks of these new standards. Working with providers who are already certified and can demonstrate their security controls and policies related to data backup, encryption, authentication, data ownership and deletion can give organizations a head-start on the long road to IoT, AI and cloud security.
If you are worried about compliance, here are the steps to take now
IoT compliance will be a challenge. The compliance and cyber challenges are nuanced and may impact each organization differently. Invest in being a leader in risk mitigation by using existing certified components where possible.
The essential steps are:
Understand your obligations: Current requirements — FTC precedence, CUI/DFARS, FedRAMP and UK’s GDPR — offer actionable advice on how to strike the balance of continuing the adoption of IoT, cloud and AI while maintaining proper information protection standards. Although not every organization has to follow all of these standards, it’s important to consider them for future planning and market awareness. In competitive situations, you may end up losing business to companies that check more compliance boxes, so business leaders have to determine their cost-benefit analysis now.
Document your known risks and identify a plan of action: You may not need to solve for every compliance challenge right now, but awareness of your areas of weakness is critical for your long-term success. Essential to this is understanding how data flows and who controls the flow internal to the organization and externally. Data and intelligence handoffs may include direct and indirect customers, as well as your supply and support chains. Looking ahead, regulations and standards are likely going to be tighter and more costly, so having a plan of action is going to help you be proactive and possibly offset some of the costs of compliance.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.