How can/should organizations justify the investment in trustworthiness?

Cheryl RocheleauCheryl Rocheleau Director, Marketing Programs
edited February 3 in Security
  • Question posed in the Jan 28, 2020 Webinar:
  • A1: For the minimum requirements, the objective is to be compliant is the shortest and most cost efficient manner – that investment does not have an ROI per se
  • A2: For the target requirements, this additional investment must be cost-justified by the corporate sponsor of the trustworthiness program
  • A3 Why go beyond the minimum prescribed by laws and regulations?



  • Bassam ZarkoutBassam Zarkout IGnPower admin

    For [A1], failure to meet the Minimum requirements or at least to have an established plan and road map to establish compliance can have serious regulatory, liability and actual legal implications.

    For [A2], the Target requirements may be mandated by the corporate vision (example a Quality initiative). The level of investment needed to achieve that level may require a cost-justification and ROI analysis.

    For [A3], the main reason to establish a Target requirement (which is higher than the Minimum requirement) is to satisfy an internal mandate that is driven by the corporate vision (example a Quality initiative).

  • Bassam ZarkoutBassam Zarkout IGnPower admin
    edited February 5

    This diagram illustrates an example of the "IoT Trustworthiness Journey" and is helpful in responding to this question.

    The blue line represents the mandatory MINIMUM (legal, regulatory) requirements imposed on the organization and its IoT-enabled systems. The upward jumps in that line represent introductions of new laws or regulations (example GDPR).

    The green line represents a higher of level of TARGET requirements which may be mandated by the organization's corporate leadership (example a Quality Program).

    The red line represents the progression of the levels of trustworthiness throughout the lifecycle of the IoT-enabled system.

    Following an initial assessment, the organization may determine that it falls short of the minimum requirements. It must at that stage invest in efforts to become compliant. The decision to invest in this initial segment of the journey should not be based on an ROI. The work must of course be done in a cost effective manner, Once the IoT-enabled system is out of the "risky" zone, the organization may decide to further invest in increasing trustworthiness (for example to meet the target requirements). These additional investments may require cost justification and ROI analysis.

    For further detail, please refer to the Managing and Assessing Trustworthiness in IIoT in Practice IIC whitepaper (Section 3.5)

Sign In or Register to comment.