
Validating IoT Device Risks vs Business Value

Author: ISACA’s Ed Moyle

Most practitioners by now are familiar with the concept of the “Internet of Things” (IoT). As it has become more practical and economical to incorporate computing, network, and storage elements into everyday artifacts and objects, there has been a proliferation of devices that have these elements built in. An unintended byproduct of this trend has been the steady incorporation of these devices into the corporate environment.

This incorporation can happen directly, as organizations embrace these devices to better foster business outcomes; for example, an agriculture-based business (such as a vineyard) might incorporate environment sensors to monitor items like humidity, temperature and other growing conditions. It can also happen indirectly and “under the radar” – for example a smart television in a conference room or a network-connected fire alarm or thermostat.

Whether inadvertent or deliberate, incorporation of these technologies into the business landscape has an impact on the risk equation. Some organizations are leveraging these devices to gain competitive advantage. Others are discovering that these technologies can represent a source of potential risk under the wrong circumstances.

As with any technology, use of these devices (intentional or otherwise) brings both potential risks and potential business value. The equation is complex, though: businesses can gain value from adoption (enabling competitiveness), adoption carries risk, and there is also a risk in not adopting, for example if an organization's competitors gain an advantage through their own adoption.

The need for evaluation

From an organizational point of view, then, these complicated risk dynamics increase the importance of systematic validation of the devices, including a risk-aware examination of both the potential risks and the potential business value. This is, of course, part and parcel of a workmanlike and systematic approach to risk management. It becomes even more important, however, when the technologies being considered are ones that can easily be adopted "under the radar," without full visibility by assurance and security personnel.

To help practitioners fully and systematically unpack and evaluate these risk elements, ISACA has released Assessing IoT: IoT Upsides, Downsides and Why We Should Care About Them. This publication examines the rise of IoT: its use, how it can assist businesses, potential risk areas that can arise, potential privacy issues that might arise based on usage, and the need for evaluation and validation of IoT by those with a stake in organizational risk and value for organizations.

The upshot is that organizations need to evaluate these devices systematically, the same way they would evaluate any other technology that supports the business. It is important to recognize that this is not always the "default state" when usage grows organically: unless there is an active effort, and an internal champion, to ensure this type of analysis is performed, it is not a given that it will occur. This is particularly true in light of shadow adoption and direct adoption within business teams.

The document itself provides an objective viewpoint, highlighting potential risk scenarios that organizations may encounter. There are, of course, almost as many ways to perform risk management as there are organizations themselves; however, a systematic approach to evaluating that risk, including a candid and objective discussion of potential risks, value, as well as competitive impact, is warranted and critical.


Ed Moyle is director of thought leadership and research at ISACA.