IoT data security and privacy starts now for CIOs -- and educators

IoT data security and privacy is racing to the forefront of CIO agendas. Just ask employees whose companies have doled out fitness wearables, says Niel Nickolaisen.

I gave a presentation a few days ago at one of our local universities. My topic was the soon-to-be-world in which every job is an IT job. My point was that we now need to adjust our approach to education and training and career preparation so that everyone develops the skills they need to have (and we need them to have) because soon every activity will utilize technology. As examples, I talked about how medicine and treatment change when we are all wearing biosensors that report our vital statistics to someone, and how a plumber's job will be different when the valves and pipes report their health and, in the not-too-distant future, do some level of self-healing.

I covered the mega-trends that are driving us toward a workplace where "all jobs are IT jobs." I mentioned the Internet of Things (IoT), which is driven by smaller, smarter and cheaper compute (i.e., microprocessors on everything), with communication available through ubiquitous wired and wireless broadband.

I explained that in parallel, we continue to make progress with cognitive systems, which, when combined with smaller, smarter and cheaper compute, create a future of what I call "thinking nanotechnology." By the way, in my spare time, I sometimes wish that I had been born 20 years earlier so that I would not have to deal or think about all of this -- my IT leader role is already challenging enough before we get to technology everywhere and in everything.

You might be asking yourself, "Why is Niel talking about all of this when our topic this month is IoT data security and privacy?" To my feverish CTO mind, this matters because as we apply smarter sensors to everything and those sensors report on everything, we have to sort out not only what we can and should do with that data, but also sort out who owns that data.

IoT data security and privacy in the workplace

Let's look at a current example. Suppose, as part of an organizational wellness initiative, my employer gives me a fitness wearable so that I can track my steps and my sleep and my heartrate and whatever data the wearable might collect. Who owns that data? Who has access to that data? Suppose I call in sick one day but my wearable shows me taking a few thousand steps -- with the associated increase in heartrate -- because I decided to blow off work and go for a mountain hike or walk on the beach? Should my employer know that? Should my employer know that -- as reported by the provided wearable -- I am a slug who rarely moves from my recliner? What if my employer decides that slugs like me should pay more for medical insurance than the fit people among our ranks? Now, extrapolate these examples to a near future with more sensors that capture more personal data and report that data to someone. Who owns the data and who has access to the data?

Suppose, as part of an organizational wellness initiative, my employer gives me a fitness wearable so that I can track my steps and my sleep and my heartrate and whatever data the wearable might collect. Who owns that data?

I am sure that there are people with big brains and strong opinions who will sort out IoT data security and privacy -- at least I hope they do -- but what can we do in the meantime?

Let's start with a foundational rule of thumb. That is, no matter what happens with regulations and policy, our rule of thumb should be that a person controls what happens with any data about them. That means a person can opt in or opt out of their data being shared (this is already the basis for the privacy laws in the European Union).

As we design and develop our systems, let's just anticipate that a person's data will belong to them. Let's also anticipate that our processes, policies and practices must keep individual data private and secure. In practice, this means we need to adhere to some framework like ISO 27001 or SSAE 16, so that we know that we have our information security and privacy acts together -- including IoT data security and privacy.

If we anticipate that our customers (and potentially employees) can opt in and opt out of our using their data, that puts pressure on our systems' design to make sure our functionality is so compelling that our customers will let us use their data in our systems. We should expect that our organizations will want to gather and use individual data (otherwise, why deal with the pains associated with having it?), and so, also expect to ensure that our use of that data benefits our customers so strongly they will opt in to our having and using their data.

At our company, we are starting to use individual data to give our clients insight that helps them nurture and develop their employees -- in a unique and compelling way. If we can deliver that, I expect most will be willing to let me consume their data. I have no doubt that the individual data we collect will soon include IoT data. 

Businesses will need all the expertise they can to reap benefits from and ensure IoT data security and privacy.

As I closed my university presentation, I suggested the school revise its curriculum so that every major include an IT minor or at least a core of IT coursework. I am not sure as to the likelihood of such a change, but I do believe that is what our new world needs.

Next Steps

More advice on digital leadership from Nickolaisen:

 A CTO vets hyper-converged infrastructure vendors

Turn an old-school business into a platform business

Use 3D printing to test your ability to leverage emerging tech

Dig Deeper on Internet of things security