Eric Lochner: The Internet of Things has huge compliance implications

Emerging technologies have a habit of sneaking up on corporate ethics and compliance functions, so anticipating their consequences is always a worthwhile pursuit. One emerging technology that isn’t brand new but is still an enormous challenge is the Internet of Things.

“IoT” typically refers to the technology of putting wifi-enabled processors onto equipment — cars, medical devices, building sensors, electrical systems, heavy machinery, and so on — so the equipment can transmit data back and forth to a control node back in the main office.

The technology works. We’ve had internet-enabled phones in our pockets for a decade now. As the cost of the technology keeps falling, the IoT will bring that same potential functionality to everything else.

The implications for corporate compliance, audit, and risk functions are equally vast.

Cybersecurity risk will increase in the IoT world, but that doesn’t paint the full picture. The more challenging question is how the IoT will transform cybersecurity risk, and what role the compliance officer will need to play while your organization responds to that.

For example, IT security teams will need to devise new security protocols to keep IoT-enabled devices (and the data they create) secure. In the modern supply chain world, those standards will also need to be enforced on vendors that supply components. So there’s a vendor risk management issue.

Software coders in the engineering division might use open-source code in the device. They will need to test that code for security, and update it as newly discovered flaws are patched by the open-source community. That’s a policy management issue.

Wifi-enabled medical devices implanted in patients’ bodies create one point of security risk. The corporate data center collecting data from the device is another, and the network transmitting the data is a third. How many third parties are involved in the chain of data transmission? What assurance of security is available from them? What happens if any link in the supply chain fails?

Conceptually, these questions are not new. Banks, for example, have been struggling with them for years. Their customers quickly learned to depend on banking apps for wifi-enabled phones.

Clearly, the IoT will allow for the digital transformation of many business processes. That means more organizations will confront the accompanying challenges of their security and compliance transformations.

What points should compliance professionals focus on when thinking about the IoT?

Here are three (among many):

Risk assessments will be more complicated. There are many more points of failure. That complexity will spill into legal and regulatory compliance risk. Consider medical devices. If they are secure but the network transmitting the data is not, who is responsible for possible breaches? Who discloses what to whom?

Design of controls becomes more important. Compliance, IT security, IT audit, and operations leaders will need to identify what type of control addresses each risk most effectively. For example, a policy enforced on vendors might address some security issues. Extra password protections inserted into the code might work better on others.

Anticipating the strategic shifts that the IoT will allow is crucial. The Internet of Things will let objects generate data. The data can then be analyzed, and business processes improved. That’s when a board starts thinking about strategic shifts, such as a move from selling products (say, IoT-enabled farm equipment) to selling services (“data-driven agricultural optimization”). New technologies allow new business processes, and new business processes allow new business models.

It’s important (and exciting) to identify the implications of the Internet of Things — for compliance and otherwise. That’s the only way to begin planning for what comes next.


Eric Lochner @ELochner1 is the President and CEO of global intelligence and software firm Steele Compliance Solutions, Inc. | @SteeleGlobal. Steele provides comprehensive third-party due diligence, software-as-a-service (SaaS) solutions that help organizations comply with regulatory third-party compliance requirements, and engaging compliance training. Eric has more than two decades of experience building successful global technology companies.
