Some Leadership Considerations for IoT in the Enterprise
Internet of Things (IoT) systems have the potential to offer substantial value, both societal and commercial, to cities, institutions, and corporations. However, if these systems are not thoughtfully selected, procured, implemented, managed, and ultimately retired, they bring substantial risks to the same cities, institutions, and corporations in many overlapping and reinforcing ways. These include cyber, financial, operational, and reputational risks.
There are many aspects to consider in planning for and managing IoT Systems in institutions, cities, and corporations. For this article, we’ll look at four:
• Differences between IoT Systems and traditional IT
• IoT System vendor relationships and management
• IT and OT (Operational Technology) integration issues and organizational cultures
• Criteria for successful IoT Systems implementation and operation
An IoT device – the T in IoT – is a device that computes, is networked, and interacts with the environment in some way, e.g. by sensing something or moving something. An IoT System, by contrast, includes all of these devices and all of the other, typically larger, components that support and add value to the outputs of those devices.
As an example, consider an IoT System put in place to monitor and manage energy use across a campus. That system will have hundreds, thousands, or more networked meters that communicate over a network with a server or service that consumes and aggregates their data. That data will then be stored, managed, access-controlled, iteratively treated and curated, analyzed, and then made available in many different ways, e.g. exports, web services, reports, and dashboards. The data also serves many different uses, including operational, regulatory and compliance, research, public information, and others.
IoT Systems differ from traditional IT systems in a variety of ways. Here are a few:
• The raw magnitude of the number of devices and the rate of growth of the same. Device count growth appears to be exponential over the next few years.
• High variability of types of IoT systems, such as energy management, Fitbits, building automation, video surveillance, and many others, makes it hard to categorize and manage them in a traditional ‘risk bucket’ sort of way.
• Organizational spanning. These systems span many organizations or departments within an institution or city. For example, an IoT System in a city or large research institution will likely involve central IT, facilities management, end users, finance, distributed/local IT, CISO, risk office, capital development and construction management (for new buildings), and many, many vendors and subcontractors.
• Deployed IoT devices are often embedded in the environments around us and tend to be out of sight and out of mind. That is, we often don’t think of them as networked computers that need service, support, and management.
• Lack of precedent. As cities, institutions, and corporations, we’re simply not that good at selecting, implementing, and managing these systems yet. We don’t have much experience ourselves and, for similar reasons, it’s difficult to learn from colleagues and competitors.
Vendor relationships and vendor management are critical to successful implementation of IoT Systems. While these aspects have always been important issues, they are particularly important in IoT Systems because of the newness, novelty, and complexity stemming from the integration of the physical world and IT world.
As institutional customers, we must raise the bar with IoT Systems vendors and redefine what a deliverable looks like. Consider a networked video surveillance system. It is not enough for it to be simply operational. To lay the groundwork for long-term system support and operation as well as cybersecurity, the deliverable needs to include, for every single device/camera: confirmation that the default username and password were changed, the IP address, the MAC address, the model number, the physical location of the installation (with a photo of the installation), the installed firmware version, the most current firmware version available (i.e. whether old firmware was installed), and a patch plan (how it will be done, who will do it, who will pay for it, and so on).
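The per-device deliverable described above can be turned into an acceptance check run over the vendor's handover records. The following is an added example, not code from the original article or any vendor; the record field names and the three camera records are constructed for illustration.

```python
from typing import Dict, List

# Fields the deliverable must carry for every device (hypothetical key names).
REQUIRED_FIELDS = (
    "ip_address", "mac_address", "model", "location", "location_photo",
    "installed_firmware", "latest_firmware", "patch_plan",
)
# A patch plan must answer: how it is done, who does it, who pays for it.
PATCH_PLAN_KEYS = ("method", "owner", "funding")


def check_device(rec: Dict) -> List[str]:
    """Return acceptance findings for one device record (empty list = accepted)."""
    findings = [f"missing {key}" for key in REQUIRED_FIELDS if not rec.get(key)]
    if rec.get("default_credentials_changed") is not True:
        findings.append("default username/password not changed")
    installed, latest = rec.get("installed_firmware"), rec.get("latest_firmware")
    if installed and latest and installed != latest:
        findings.append(f"firmware {installed} installed but {latest} available")
    plan = rec.get("patch_plan") or {}
    findings += [f"patch plan lacks {key}" for key in PATCH_PLAN_KEYS if not plan.get(key)]
    return findings


def check_deliverable(records: List[Dict]) -> Dict[str, List[str]]:
    """Map each device (keyed by MAC, or record index when the MAC is absent) to its findings."""
    return {rec.get("mac_address") or f"record-{i}": check_device(rec)
            for i, rec in enumerate(records)}


def accepted(records: List[Dict]) -> bool:
    """The deliverable is accepted only when every device has no findings."""
    return all(not findings for findings in check_deliverable(records).values())


# Constructed sample handover: only the first camera is fully documented.
SAMPLE = [
    {"ip_address": "10.0.5.21", "mac_address": "00:11:22:33:44:01", "model": "CAM-X1",
     "location": "Bldg A, lobby", "location_photo": "cam01.jpg",
     "installed_firmware": "2.4.1", "latest_firmware": "2.4.1", "default_credentials_changed": True,
     "patch_plan": {"method": "vendor portal", "owner": "facilities IT", "funding": "O&M budget"}},
    {"ip_address": "10.0.5.22", "mac_address": "00:11:22:33:44:02", "model": "CAM-X1",
     "location": "Bldg A, loading dock", "location_photo": "cam02.jpg",
     "installed_firmware": "2.3.0", "latest_firmware": "2.4.1", "default_credentials_changed": False,
     "patch_plan": {"method": "vendor portal", "owner": "facilities IT"}},
    {"ip_address": "10.0.5.23", "model": "CAM-X1", "installed_firmware": "2.4.1",
     "latest_firmware": "2.4.1", "default_credentials_changed": True},
]

if __name__ == "__main__":
    for device, findings in check_deliverable(SAMPLE).items():
        print(device, findings or "OK")
```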
This is not anti-vendor sentiment -- we don’t want to build these systems ourselves for a variety of reasons. However, we want our institutions and cities to have:
• Good IoT Systems vendors
• Good relationships with good vendors
• The ability to detect and reject bad IoT Systems vendors quickly
Another consideration regarding IoT Systems in the enterprise is the set of substantial issues around the integration of traditional IT and Operational Technology (OT). OT is the technology of the device deployed in the field. The groups that deploy and install these devices in the field, such as facilities management organizations, have very different cultures, professional histories, and experiences from those of traditional IT.
One example of the cultural difference stems from differences in system life cycle time spans. For example, facilities management professionals tend to think in terms of the decades of the lifetime of a building, while IT professionals often think in the months, days, or hours of software implementation, patching, and updates. Neither is right or wrong; they are simply different, and both have to identify ways to work together. Complicating the matter is that there is a dearth of skill sets nationally that can address this need. (In fact, I identified this skillset shortage as an issue that impacts national security during my testimony before the US-China Economic and Security Review Commission on IoT in 2018.)
These IT and OT integration challenges are not insurmountable, but they will require focus, intention, and some investment from scarce time and resources. At my organization, the University of Washington, the VP of IT and the VP of Facilities have come together to create and support a role (that I occupy) and program that looks at the organizational boundary spanning issues, with a particular focus on impacts on cybersecurity and risk.
Finally, what does success look like for an IoT System deployment? I define success with two overarching criteria – Return on Investment (ROI) and impacts to the city or institution’s cyber risk profile.
ROI is easy to say, less easy to do. Data is often the primary source of value of an IoT System. The challenge is that data can mean many things to many different constituencies or populations. For example, system operators, regulators, public, end users from varying demographics, and others likely all have different views of the data and, as such, have different views of the value of the system.
Similarly, determining the actual costs incurred and the total investment is challenging as well. The costs of deploying and maintaining these systems are distributed across many organizations that do very different things and possibly have very different accounting practices. These costs can be difficult to collect, much less roll up into one common aggregate.
In practice, we may not be able to get to a numerically satisfying, detailed analysis of a deployed IoT System, but we still need to develop some mechanisms to at least estimate ROI. Otherwise, we’re swinging in the dark and not enhancing our institutional capacity and capability for making good choices about selecting, deploying, and operating future systems.
Regarding the institution’s or city’s cyber risk profile, we want to know if an IoT System deployment actually made the institution/city worse off. And, if so, by how much and where? Or, while evaluating systems for future acquisition, we want to consider if the addition of a particular IoT System will negatively impact the organization’s cybersecurity.
These have been just a few considerations around IoT Systems in cities, institutions, and corporations. Other considerations not covered here include device supply chain risk (related to the device component variation issue mentioned above), the impacts of 5G and, importantly, the rate and location of its deployment, increased systems interdependency and the possibility of emergent behavior, and others. However, if we can start with the areas mentioned above as talking and planning points within our respective organizations, we can move forward. And by doing so, we can optimize our investments and make the best cybersecurity and cyber risk decisions that we can.