The Internet of Things, or IoT, is a set of technologies that allow sensors and devices to connect to a network and share information. With the rise of low-cost “system on a chip” devices, cloud computing, and nearly ubiquitous high-speed wireless networks, the dream of “sensoring up” devices has quickly become a reality.
For companies, this might mean equipping sensors in everything from manufacturing equipment and finished goods to employee badges, allowing the flow of goods through a factory to be tracked, analyzed, and optimized. IoT has also allowed companies to predict when devices will fail, streamlining maintenance and replacement.
For consumers, everything from our household thermostat to our sunglasses now has a WiFi or Bluetooth radio and can exchange data with a cloud-based service or another device.
This growing sea of interconnected devices has created a variety of challenges. Some of the more obvious are the security risks presented by dozens or even hundreds of what are effectively tiny computers connected to corporate or home networks. To maintain low costs, many IoT devices have shortchanged security.
Infamous examples include connected baby monitors being “hijacked” and alarmed parents finding their device harassing a child, or security cameras with default and easily guessable administrator passwords. The challenge of a nearly ubiquitous network of interconnected devices is that it creates an unlimited opportunity for bad actors to gain a foothold in private networks.
The Challenges of IoT Data
More subtle concerns about IoT center around data. Data from connected devices have been used for and against defendants in criminal trials, and more rudimentary concerns exist, such as who has access to IoT data and how they use it.
Seemingly simple devices like connected fitness trackers have access to an individual’s location, activity level, sleep, and in some cases, deeply personal data like menstrual cycles and whether that person might be ill or hungover. Should health insurers or government bodies have access to this data? Should they be allowed to reward or punish individuals based on that data?
In a work context, might data from IoT devices be used to fire employees who work more slowly than their peers? Could sensors on an employee badge result in punitive action for taking coffee breaks that are too long? What happens if sensor data is lost or exposed?
Your company may also be offered access to IoT data sets that raise legal and ethical concerns. It might be interesting to know who visits your retail locations by tracking mobile phone signals and mapping them back to email addresses using embedded sensors. Would your customers agree if they knew it was occurring? Would this tracking be legal in the various jurisdictions where your company operates?
Defining Your Company’s IoT Governance Practices
Like any policy, IoT governance addresses some of these concerns in advance and creates “rules of the road” for how your company designs, procures, uses, and manages IoT systems. Beyond considering which types of devices and which vendors are preferred, tech leaders should consider how they’ll address the above challenges of security, privacy, and data governance.
For a far-reaching area like IoT, tech leaders need to acknowledge that policy development must be a team sport. There are undoubtedly myriad technical and security elements of IoT governance. Still, there are also legal, ethical, and public relations-related concerns that will require input from other leaders that cover those areas. You may find that a significant portion of your role in developing an IoT governance policy is explaining how many of the concerns of IoT extend far beyond the technology and into complex questions of what your company should be doing with complex and deeply personal data.
The more of these concerns you can address in your policy, the more you can reduce the risks of bad decisions later. If someone is faced with a dilemma on how to use IoT data, an effective policy will provide easily understandable guidelines and decision-making help rather than reams of “lawyer speak” that end up being unhelpful.
IoT governance is the set of policies and procedures meant to address these areas of concern, and it generally addresses at least three areas related to IoT:
- Technical architecture
- Data management
- Information security
Technical architecture is the area that is likely most familiar to most tech leaders, and you should use your existing technical architecture standards as the basis for your IoT architecture. You’ll need to modify existing policies based on the sheer volume of devices IoT will add and the limited management and technical capabilities of the individual devices. In most cases, IoT hardware should be considered “untrusted” nodes on the network and managed appropriately.
Data management will be the most conceptually challenging element of your IoT governance policy to get right since there are technical, legal, and ethical elements to what data is captured, how and where it’s stored, and how the data is used and retained. This is where you should likely engage colleagues from outside technology for guidance.
Another element to consider as part of your data management policies is whether you’ll attempt to sell IoT data. One of the often-touted benefits of IoT is that it gathers “monetizable” data. While new revenue streams are always interesting, approach this option with full awareness of the potential ramifications of selling data about your employees or customers, even if it’s aggregated and anonymized.
Information security should also be relatively familiar to tech leaders, with the additional elements of the volume of information gathered from IoT sensors and the potential for personally identifiable information (PII) that may be collected from employees either as a stated objective or unwittingly.
As a technology that’s successfully made it out of the hype cycle and into practical application, IoT is likely already making inroads in your organization. Taking the time to build appropriate governance around the acquisition, application, and use of IoT data will create effective guardrails and preemptively answer the challenges of this promising technology.