How can/should organizations justify the investment in trustworthiness?

Cheryl Rocheleau, Director, Marketing Programs
edited February 2020 in Security
  • Question posed in the Jan 28, 2020 Webinar:
  • A1: For the minimum requirements, the objective is to be compliant in the shortest and most cost-efficient manner – that investment does not have an ROI per se
  • A2: For the target requirements, this additional investment must be cost-justified by the corporate sponsor of the trustworthiness program
  • A3: Why go beyond the minimum prescribed by laws and regulations?
  • Bassam Zarkout, IGnPower admin

    For [A1], failure to meet the Minimum requirements or at least to have an established plan and road map to establish compliance can have serious regulatory, liability and actual legal implications.

    For [A2], the Target requirements may be mandated by the corporate vision (for example, a Quality initiative). The level of investment needed to achieve that level may require a cost-justification and ROI analysis.

    For [A3], the main reason to establish a Target requirement (which is higher than the Minimum requirement) is to satisfy an internal mandate that is driven by the corporate vision (for example, a Quality initiative).

  • Bassam Zarkout, IGnPower admin
    edited February 2020

    This diagram illustrates an example of the "IoT Trustworthiness Journey" and is helpful in responding to this question.

    The blue line represents the mandatory MINIMUM (legal, regulatory) requirements imposed on the organization and its IoT-enabled systems. The upward jumps in that line represent introductions of new laws or regulations (for example, GDPR).

    The green line represents a higher level of TARGET requirements which may be mandated by the organization's corporate leadership (for example, a Quality Program).

    The red line represents the progression of the levels of trustworthiness throughout the lifecycle of the IoT-enabled system.

    Following an initial assessment, the organization may determine that it falls short of the minimum requirements. It must at that stage invest in efforts to become compliant. The decision to invest in this initial segment of the journey should not be based on an ROI. The work must of course be done in a cost-effective manner. Once the IoT-enabled system is out of the "risky" zone, the organization may decide to further invest in increasing trustworthiness (for example, to meet the target requirements). These additional investments may require cost justification and ROI analysis.

    For further detail, please refer to the IIC whitepaper "Managing and Assessing Trustworthiness in IIoT in Practice" (Section 3.5).

  • The IoT Security Maturity Model helps organizations compare the required maturity level to meet their business objectives, and thus justify the required investment. Instead of investing blindly, possibly over-investing or under-investing, organizations can pick the maturity levels in practices related to security management, technology and operations that meet their business objectives. Once this "target" desired state is defined, they can conduct assessments and capture the current state. Comparing these states identifies gaps that need to be addressed and the areas where investment is needed.
