Technology including IoT and Security at the Board Level

The criticality of emerging technology to businesses of all sizes and across all industry segments has never been more important. The rapid rate of advancement in multiple technologies is challenging the ability of all organizations to identify, exploit and adapt to the issues and opportunities created.

There is right now no better example than the development of the Internet of Things (IoT). After all, multiple leading financial publications, including Forbes, have published articles projecting the growth of the IoT will hit 50 billion connected devices and create a $19 trillion (yes, trillion) opportunity. A close look at the IoT space clearly shows the challenges that organizations face in coming to terms with the issues and opportunities presented by the emerging IoT market.

Current discussion indicates that many if not most of those 50 billion connected devices do not and will not have security firewalls or antivirus software—the basics of cyber security. While that is a huge issue to be sure, there is another cyber security issue that needs to be addressed: the massive amount of data that will be collected, processed, interpreted and stored. As one cyber security professional put it, “IoT is substantially increasing the cyberattack surface area, and doing so without proper protection is insane.”

This is a critical issue and one that is now on the radar of federal regulators. In December 2015, the Senate Banking, Housing, and Urban Affairs Committee introduced S.2412, The Cybersecurity Disclosure Act. This bill would require all publicly traded companies to disclose to the Securities and Exchange Commission (SEC) whether any member of the Board has expertise or experience in cybersecurity.

There are more than 100,000 publically traded companies in the world. Many of them are rarely traded. Within the United States, fewer than 4,000 companies are actively traded in NYSE or Nasdaq and there are 15,000 additional companies traded over the counter (not in a major exchange). The proposed regulation states that if the Board does not have a member with cybersecurity expertise or experience, the company must describe what has led them to determine that cybersecurity expertise or experience is not required at the board level. The proposed legislation goes on to say, “The SEC shall also, in coordination with the National Institute of Standards and Technology, define what constitutes expertise or experience in cybersecurity, such as professional qualifications to administer information security program functions or experience detecting, preventing, mitigating, or addressing cybersecurity threats.”

Included in the “Statements on Introduced Bills and Joint Resolutions” of S.2412 is a reference to a 2013 discussion by the National Association of Corporate Directors roundtable. That discussion uncovered that “the lack of adequate knowledge of information technology risk has made it challenging for them [Board members] to effectively oversee management’s cybersecurity activities.”

Also included was a clear message that this issue should also be considered by other committees including Armed Services. According to separate study by ISACA and RSA, 82 percent of boards are concerned or very concerned about cybersecurity. These studies seem to indicate the concern expressed in the proposed bill is in alignment with concerns of board members.

IoT companies would be well advised to get ahead of this issue. Yes, you need to take a proactive approach. Understanding cyber security issues requires a basic understanding of the underlying technology, therefore the technology and cyber security advisor must have a working knowledge of all components. It would be in the interest of all emerging technology companies to address this need within their organizations and to act as advisors to other companies, especially those that are publically traded.

About the author: Kevin Coleman is a speaker, author and advisor to some of the world’s most progressive organizations, including multiple Fortune 500 businesses, the United Nations, the Congress of the United States and U.S. Strategic Command. Kevin has more than 20 years of experience in the development and implementation of cutting-edge technology strategies and was the Chief Strategist at Netscape.