CIOs should step into the IoT oversight void

The internet of things opens your business to significant security risks, but most boards don't understand the importance of IoT oversight, particularly third-party implementations. That's an opportunity for CIOs to take the lead.


If you think your organization is taking oversight of third-party IoT implementations seriously, think again. According to a recent study by security research firm the Ponemon Institute, in conjunction with the Shared Assessments Program, few organizational boards require IoT risk assurances from third parties, providing CIOs a great opportunity to take a leadership position on IoT.

"From our research findings, it appears only 25 percent of respondents say that their boards require assurances that IoT risks are being assessed, managed and monitored appropriately," says Catherine Allen, chairman and CEO of The Santa Fe Group, which manages the Shared Assessments Program, an industry-standard body focused on third-party risk assurance. "This leaves opportunity and need for board education and oversight best practices."

The study, "The Internet of Things (IoT): A New Era of Third Party Risk," found that 94 percent of respondents believed a security incident related to unsecured IoT devices or applications could be catastrophic to the business — a significant disconnect given that only a quarter of boards require updates on oversight of IoT risks.


Charlie Miller, senior vice president with the Shared Assessments Program, believes those two findings represent a gap in understanding between professionals on the ground and the executive management and board level of organizations.

"We recognize there's risk at the mid- to lower-levels of management," Miller says. "But the messaging is really not getting moved up the chain, so to speak. There's potential for a catastrophic event, but the risks are not dealt with at the board and executive levels of management. That's a big challenge for CIOs to get that messaging presented and articulated at the right levels of management so it can be resourced effectively."

The study, based on a survey of 553 CIOs, CISOs, chief risk officers and others who have a role in risk management processes across a range of industries, found that:

  • 76 percent of respondents believe a distributed denial of service attack involving an unsecured IoT device is likely to occur within the next two years.
  • 69 percent of respondents do not keep their CEO and board informed about the effectiveness of the third-party risk management program.
  • Only 44 percent say their organization has the ability to protect their network or enterprise systems from risky IoT devices.
  • 77 percent are not considering IoT-related risks in their third-party due diligence.
  • 67 percent are not evaluating IoT security and privacy practices before engaging in a business relationship.

"More and more enterprises are turning to IoT to improve business outcomes and this growth is creating a breeding ground for cyberattacks," says Larry Ponemon, chairman and founder of the Ponemon Institute. "What's shocking about these findings is the complete disconnect between understanding the severity of what a third-party security breach could mean for businesses, and the lack of preparedness and communication between departments."

Part of the issue, Ponemon says, is that IoT is increasingly affecting the enterprise in a very broad way, leaving responsibility for oversight to fall through the cracks.

"The issue of IoT is very broad," he says. "Obviously, there's a role for CIOs, and CISOs as well, but it may not be based on the way an organization wants to govern the risk. It may fall more with the line of business. It might be more of a business function than a compliance or risk management function."

And the business may conclude that it's the third-party partner's job to secure IoT devices, while third parties believe the responsibility lies with the company making use of those devices.
