As businesses pursue internet of things adoption to enhance the information supply chain behind their customer solutions, many security woes emerge. With more devices and connections in the IoT and cloud ecosystem, chief officers (CXOs) must contend with both internal and external transactions of information. As a result, business IoT networks are vast, interconnected and often unplanned, and they drive many new interdependencies among organizations, services and customers.
Investing in organizational security certifications and compliance programs such as ISO/IEC 27001:2013, FedRAMP and Controlled Unclassified Information (CUI) compliance is a good first step toward creating structure and security around IoT. However, CEOs may need to shift their mindset from treating compliance as business insurance to treating it as an enabler of their competitive positioning.
With the CUI mandate for federal contractors looming in December 2017, IoT pilots and integration projects should quickly begin examining how IoT changes the organization's data flows. IoT information and data will be collected, produced and shared across a variety of internal and third-party transactions, including gateway devices, artificial intelligence engines, and other server and human links in the supply chain.
CXOs building and managing IoT ecosystems must map and address new obligations covering all aspects of sensitive data compliance, including the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), personally identifiable information (PII), and CUI and controlled technical information (CTI) in the federal marketplace and any associated supply chain.
Organizations actively looking to reap the numerous benefits that come with IoT adoption need to incorporate near, mid-term and long-term strategies into their operational security practices today. Suggestions for CXOs and their staff preparing for IoT success include:
- Consider the volume and movement of data — Deploying IoT devices and gateways increases the volume of data that the business collects, stores or destroys. Meshed network and geo-fenced capabilities may have data and services functioning in unanticipated ways. Organizations that use on-premises technologies and data centers may need to address scaling capacity. On the flip side, organizations using cloud to scale efficiently may need to address costs and computational capabilities at the fog edge to be customer responsive. Small and mid-sized businesses are likely to benefit most from an IoT + cloud strategy to establish solution and sales proof points prior to incurring on-site IT storage costs or system overload.
- Know the responsibilities of incident response and data leakage — If you are looking to do business with the government or are currently holding prime contracts or subcontracts, you need to be compliant with Federal Acquisition Regulation (FAR) clause 52.204-21, Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 and NIST SP 800-171, Revision 1, by the end of December 2017. The mandate outlines an extensive list of basic and derived requirements. Even the use of traditional devices like security cameras or sensors will require adequate provisioning for authentication, encryption, and labeling and marking for use and dissemination. Hand in hand with understanding data leakage, organizations will need to think about their overall risk, responsibility and liability related to compliance with CUI, PII and the EU GDPR.
- Prepare to pivot — As IoT and IoT + cloud strategies are piloted and integrated into current business practices, leaders and employees should be prepared to pivot their security and IoT strategies toward newly learned efficiencies. Before adopting new compliance and security operations practices, CXOs should use initial implementations and periodic risk assessments to determine and communicate which practices bring the right balance of security, liability and opportunity to the organization. Understanding and performing risk-based impact assessments, and rehearsing crisis readiness for data protection and information leakage scenarios, will better prepare the organization to gain value from IoT.
Despite the hype, IoT is still in its infancy as enterprises incorporate cloud, compliance and new technologies like artificial intelligence, blockchain and virtual reality into growing sectors of the economy.
Think big! Begin to identify how you would change or evolve your technology infrastructure to support more external information transactions. Consider how and what information would help you compete and collaborate with your best partners as well as those you envy.
Whatever pilot or strategy you choose, compliance and security operations must drive your capabilities.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.