I already talked about the lack of risk management for IoT devices in organizations, and how, if we don’t step up to the plate, the problem will get worse before it gets better. There was a nearly 10,000 item increase in IoT devices in organizations from last year to this year, according to the Ponemon Institute and Shared Assessments Program report, The Internet of Things (IoT): A New Era of Third Party Risk. This is only the second year this report has been conducted. If we have more than 24,000 IoT devices in the workplace today, can you imagine what the number will be in next year’s report?
There is another issue the report covered that I think we need to look at, as well, because it does come back to the overall risks we’re seeing from IoT. That’s third-party governance, or lack thereof.
Respondents were asked to rank the importance of a positive tone in minimizing IoT-related risks. More than two-thirds, 68 percent, said a positive tone in leadership was necessary to minimize business risks, and 61 percent said it was necessary for decreasing third-party or supply chain risks. But that’s not what’s happening, the report stated:
Many boards of directors are not engaged and do not understand the cybersecurity risks relating to vendors and third parties, [with] only 17 percent of respondents say[ing] their organizations’ board of directors have a high engagement and understanding of cybersecurity risks relating to vendors or third parties.
One solution isn’t surprising: If you want to improve your IoT governance to reduce risk, you have to define what your IoT governance is. And you don’t have to look too far for an example. Experts at IBM suggest using your IT governance strategy as a blueprint, stating:
In effect, IoT governance is an extension to IT governance, where IoT governance is specifically focused on the lifecycle of IoT devices, data managed by the IoT solution, and IoT applications in an organization's IT landscape. IoT governance defines the changes to IT governance to ensure the concepts and principles for its distributed architecture are managed appropriately and are able to deliver on the stated business goals.
That doesn’t address the leadership problem. How do you get boards and C-suites to understand the risks involved with IoT and why there’s a need for better governance of third parties? One approach is to address the risk and governance issue in terms they understand – not as threats and data breaches, but in disruption of business operations and financial losses. Bring in representatives from third-party vendors to provide transparency about their practices, and bring in legal to talk about liability if there is a security breakdown.
IoT is taking over, and everybody has to work together to create effective governance over third-party risks.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba