New FTC Office to “Keep an Eye On” IoT

The Federal Trade Commission (FTC) announced Monday that it would be converting its “mobility technology unit” into a newly created division it’s calling the Office of Technology Research and Investigation (OTRI).

“The FTC says the new unit will work to ensure that companies protect consumer privacy in the post-digital age, as well as the security of their personal data as credit card breaches at large companies become increasingly common. The agency says the OTRI also will keep an eye on every facet of technology, including connected cars, smart homes, big data and “emerging payment methods” like the iPhone’s new payment feature, Apple Pay.” (Source: International Business Times, March 23, 2015, The Internet Of Things: Government Gets Ready For A More Connected World With New FTC Division, emphasis added).

The International Business Times reported on the newly created FTC agency, which will “regulate the Internet of Things.” March 23, 2015


According to news reports, the mobile technology unit (out of which the OTRI is emerging) already has about 15 lawyers and technologists “who are expected to shift over to the new office. The commission also plans to hire two new staff members and a handful of technology interns,” said Ashkan Soltani, the FTC’s chief technologist. (Source: Nextgov.com, March 23, 2015, FTC Launches Investigative Arm to Tackle Internet of Things, Big Data, emphasis added).

FTC’s blog post on Monday, March 23, discussing the new OTRI and attendant new job postings.


“The public should expect an uptick in the amount of new research coming from the new office, Soltani said. These will probably be similar to the mobile unit’s reports, he said, citing a series of reports issued by the agency beginning in 2012 examining privacy concerns surrounding mobile apps targeted to children. Soltani also said the agency will blog more about its findings. Among the areas the new office will take up are the Internet of Things and so-called smart home technology.” (Source: Id., emphasis added).

The FTC has been active and vocal in its engagement in IoT so far, but with this announcement and the creation of the OTRI, the agency has left little doubt of its intention to act as the IoT regulatory body in the U.S., at least with consumer-facing products and services. Enterprises in all industries will do well to pay close attention to the research reports and blog posts to follow, as those materials will no doubt provide insight into, as well as the foundation for, the enforcement and regulatory actions that will soon follow.

Forget Tech – Your People are the Key to Information Security

How about one for the people…?

When you write a blog focused on technology, you tend to feature items that fit the bill like drones, driverless vehicles and the like. But an article published last week in Forbes by Paul Proctor and Tom Scholtz of Gartner got me to thinking about the truly important and perhaps underemphasized role people play in information and cybersecurity. Their piece entitled, “How To Put People At The Center Of Enterprise Security,” really begs an important question: are your people (and not your technology) the key to your information security?

Are people our greatest cybersecurity asset? Image courtesy of Pixshark.com

According to Proctor and Scholtz, organizations should be embracing a people-centric security (or “PCS”) approach to securing enterprise and customer information, which “emphasizes individual accountability and trust, and de-emphasizes restrictive, preventive security controls.” The PCS approach focuses on motivating safe behavior and boosting education of employees, with the intent of driving the following attributes to “improve [an organization’s] overall risk posture”:

  • The PCS agreement of rights and responsibilities creates a collective co-dependency among employees, exploiting existing social capital within the enterprise.
  • PCS principles presume an emphasis on detective and reactive controls, along with transparent preventive controls, over the use of intrusive preventive controls.
  • PCS works best in a culture where individual autonomy and initiative are encouraged.
  • PCS presupposes an open, trust-based corporate culture, and associated executive awareness and support.
  • PCS principles presume that individuals have the appropriate knowledge to understand their rights, responsibilities and associated decisions.

Source: How to Put People at the Center of Enterprise Security, Paul Proctor and Tom Scholtz; Forbes March 5, 2015.

“How much of the real risk for security in today’s connected world rests on each individual?”

Proctor and Scholtz are quick to point out that PCS is not “a replacement for common-sense defense-in-depth security, nor is it a relaxation of security requirements or behavioral standards,” and on this point I wholeheartedly agree. But their vision for an increased emphasis on people, the role employees can play in cybersecurity, and how organizations can motivate and hold those folks accountable for what should be a shared goal of enterprise information security is an important one worthy of consideration and examination in any organization.