I recently warned business executives and board members of the three myths of the Internet of Things, why aligning cybersecurity with those myths can be detrimental to your organization, and how to avoid being distracted by shiny objects when looking to take advantage of IoT business opportunities.
Now, I want to warn you about another myth–specifically, the myth of IoT strategy. Let me put it to you as plainly as I can: There is no such thing as an IoT strategy.
In fact, you can’t have an IoT strategy in the same way you can’t have a global economic strategy. IoT, like economics, or education, or any other set of processes, is different in every geography, in every industry, in every organization, in every use case. No one implements IoT the same way across an entire industry; hey, it’s not even implemented the same way across different applications in the same organization.
IoT is what I like to call a business enhancer–a really powerful one, in fact. But as a process, it doesn’t stand alone. It has to work in concert with different software, digital infrastructure, physical infrastructure, workflows, and people.
How IoT Works in the Real World
Let’s take one specific example: automobile manufacturing. The organization is likely deploying IoT in robotics-based manufacturing lines, physical supply chains, in-car braking and safety features, building management, identity management and access control, parts inventory, asset tracking, and data center power and cooling. IoT applies to all of those use cases, but not in the same way at all. You can’t throw a blanket over that automobile manufacturer’s IoT applications and say they have a single, comprehensive IoT strategy.
For business executives, CISOs, board members and anyone else involved in planning and delivering cybersecurity for IoT use cases, this is incredibly important. Your IoT cybersecurity plan has to be specific to each use case, because the applications, deployment process, and management protocols are so different.
Instead, when it comes to cybersecurity, it’s smart to think of IoT as a core element of an organization’s overall digital strategy. Otherwise, you’re just setting up more silos, like we did in the 1990s with enterprise applications like CRM, ERP, supply chain management, and business intelligence. Rather than understanding how they needed to share data sets, IT organizations and their business-unit clients set up a stove-piped architecture that was inefficient, difficult to manage, and financially wasteful.
We can’t let the same thing happen with cybersecurity. IoT has to be part of the business as a whole, rather than part of IT.
Tips for Business Leaders on IoT and Cybersecurity
So, what can and should business leaders do instead of embarking down the rabbit hole of “IoT strategy?”
- First, remember that IoT requires a partnership at levels that are unique and uncommon in the way organizations traditionally have operated. Business, IT, and security functions have to come together from the start to talk about the business goals and challenges, and build solutions with a clear understanding of what “success” means. Maybe it’s taking touch points out of the supply chain, or improving physical plant safety, or filling orders faster. And you can’t accomplish those or any other business goals if cybersecurity isn’t at the table from the point of inception.
- Second, since many of your sophisticated IoT applications are going to be built and managed by third-party integrators, your cybersecurity team has to be part of all operational meetings and project management updates. And you have to give your cybersecurity team the authority to raise concerns all the way to the top of the organization if necessary, regardless of whose feathers they are going to ruffle.
- Third, you have to make sure your CISO and their cyber team can properly quantify risk and weigh it against potential business upsides. Being a good cybersecurity professional no longer is only about waving red flags about vulnerabilities; the best cybersecurity people are the ones who analyze, understand, and make recommendations based on risks and rewards.
Keeping it (IoT) Real
Lately, I’ve seen more business cards with a title something like “Director, IoT Strategy” on them. More times than not, the first words out of my mouth when I meet someone with that kind of title on their card are something snarky like, “What do you actually do?”
While the answers vary, it reminds me a little bit of the way people would ask the same kind of question of the new breed of Chief Information Security Officers about 15 years ago. It was something new, and while the title gave you a hint of what they might do, it didn’t always mean the same thing to everyone. In some cases, the CISO was an IT security technologist, while in others they might be an outgrowth from physical security and investigations.
The point here is that, while every organization sees the benefits of IoT differently, and implements IoT use cases in unique ways, looking at IoT as a strategy misses a real opportunity to truly integrate IoT processes into operational technology and into digitally enabled business opportunities.
So when you think of the role IoT will play for your organization, be sure to put it into its proper context–as a business enabler, not an end in itself.
And don’t forget the cybersecurity angle. No one wants your loading dock sensors downloading customer information to someone else’s private cloud.