As IoT devices evolve, risk management needs improvement
There’s an acute need for IoT risk management improvement, as most organizations do not know what tracking and safeguards their third parties have in place, according to the Shared Assessments Program and the Ponemon Institute.
“While the proliferation and consumerization of embedded technology, including IoT devices, continues to evolve at a rampant pace, new security vulnerabilities and exposures are introduced.
“This is especially true when the use of IoT devices is extended to third parties, fourth parties, or even more concerning, when it’s unknown where the use of IoT devices are being extended, or those extensions are unmanaged,” observes Rocco Grillo, Managing Director, Global Cyber Risk Services, Alvarez & Marsal.
Current IoT risk management programs are not keeping pace with the dramatic increase in IoT-related risks; a shortcoming that represents a clear and expanding threat to most organizations.
Key findings
- The problem is fueled by the steep expansion in IoT devices, the lack of a centralized IoT risk management program, and the lack of senior-most authority’s involvement.
- Approximately one quarter of respondents self-report as higher performing organizations that are significantly more likely to implement leading risk management practices and apply them to IoT use. However, even these organizations need to enhance many aspects of their risk management capabilities.
“Clearly, the gap between understanding and practice must be closed, and quickly,” notes Charlie Miller, Senior Advisor, The Santa Fe Group, Shared Assessments Program.
“The study underscores a major disconnect between the authority and involvement that survey respondents say is needed from their Boards of Directors, and the actual governance exhibited today. It’s increasingly imperative that organizations get ahead of the problem and address IoT risks before a major disruptive event, not after one.”
As this study makes plain, swift and step function improvements are needed throughout most IoT risk management programs and third-party risk management in general. Areas ripe for action include governance, risk and asset management practices, and resource allocation.