Final Layer of Security: Governance, Risk Management, and Compliance
by Exosite, on August 10, 2017
To top off your IoT security strategy, in addition to proactive responses to security threats, designing for security, and securing user identities, you should be incorporating governance, risk management, and compliance. They represent the components of process control within an organization that can play an important role in IoT security.
Process should dictate the activities of workers within an organization, and workers should have governance to ensure compliance with company and regulatory processes. Processes specific to IoT security must be developed and applied within an organization according to the level of risk associated with the connected product and the process itself.
For example, issuing permissions for the control of important assets should have higher governance than issuing permissions for access to view data. A well-defined process that undergoes constant improvement, and that users are adequately trained on, gives people the best opportunity to perform tasks successfully and securely with the intended outcome.
Organizations implementing IoT should focus on process for all security-critical functionality within the organization. The quality assurance process, the security review process, and the hiring process should all be subject to constant scrutiny. Reviewing and improving processes leads to better outcomes overall. As such, process control and improvement should be a central focus.