Building a Framework to Sustain the Coming IoT Tsunami – An Interview with Priya Keshav of Meru Data
Ninth in a series of in-depth interviews with innovators and leaders in the fields of Risk, Compliance and Information Governance across the globe.
Priya Keshav is the founder and CEO of Meru Data LLC, a software company focused on building solutions that simplify and achieve corporate information governance goals. Prior to Meru, she was the leader of KPMG’s Forensic Technology Services Practice in the Southwest United States. She received her MBA from University of Florida’s Warrington College of Business Administration. I had the chance to sit down with her this January and discuss IG, the Internet of Things, consulting, and software development.
Priya, you’ve written extensively, often in collaboration with thought leaders in IG including Jason Baron, about the enormous ethical questions emerging from IoT. Do you think there is yet a universal, cross-industry awareness of these challenges or are business drivers in this area primarily the result of European or US regulatory pressures?
I think there is universal recognition that the use of IoT will bring unique challenges and ethical questions. However, I would not call this universal awareness or understanding at this point. The use of IoT is rapidly increasing, the solutions being developed are integrating multiple industries and we are just scratching the surface of what is possible with IoT. I think today, we are at a point where we recognize that some unique challenges are going to arise. I do not believe we have fully understood the nature of these challenges, especially as the uses and applications for IoT are rapidly evolving.
Both industry and regulators are at the same point – thinking about appropriate frameworks for discussing and addressing these challenges. I don’t believe regulatory pressures from either Europe or the US are the primary drivers for the growing awareness. It does seem regulators have more of a focus on the challenges while the industry focus is more around creating newer solutions. There are multiple efforts underway to understand challenges with IoT, driven by both industry and regulatory interest. However, I do not think this is primarily due to regulatory pressure. There is regulatory interest that has industry taking notice but even the industry is realizing the need to manage the unique challenges from the use of IoT. Existing regulations like the GDPR, COPA etc. obviously would apply to IoT. There is increased scrutiny and regulations around data privacy and security in general and that might look like there is increased regulation around IoT. However, there are very few IoT specific regulations like the California SB327.
Regulatory efforts around IoT to date have been more guidelines focused and have tried to not slow down the uptake of IoT. Examples include the recently issued NIST draft report on IoT cyber security standards that provides a great discussion of how risks from IoT are unique and how organizations could adapt their policies to handle this. There have also been integrated efforts with working groups to review existing IoT security standards and initiatives in the US (by the National Telecommunication and Information Administration) and in Europe (Working Group 3 formed by Alliance for Internet of Things Innovation). Other agencies like the Consumer Products Safety Commission and the FTC have also been gathering comments on their roles in regulating IoT.
With the Meru Data platform, you’ve strived to develop a functional and reporting tool that simplifies and sustains data governance programs for your customers. Is most software today built around policy frameworks, such as FINRA compliance or privacy-by-design, and are these types of approaches even feasible amidst shifting customer wants and seemingly prescriptive laws like GDPR?
Yes, at Meru, we have focused on developing tools that will simplify and sustain data governance programs. We have taken a more fundamental approach than developing tools and workflows that are solely focused on regulatory initiatives. It would be harder to sustain tools that are focused on just addressing a specific regulation. We believe it makes sense to instead transform an organization’s approach to information and privacy while ensuring the organization is able to harness data as an asset more effectively. We believe with effective governance in place, complying with regulations should not impose additional burdens to organizations.
We focus on helping the organization understand the information it has, how the information gets used within the organization, how it needs to be managed, the importance of the data to the organization’s operations and how it needs to be protected. Understanding these will help an organization prepare and respond to the different regulations in a more effective manner over the long term. Our solutions help to develop and maintain an evergreen data map within the organization. We also help our customers to ensure a longer-term plan for managing data remains in their focus even as various shorter-term efforts (for example around data clean-up etc) are being worked on.
In preparing for the coming “data tsunami,” which you called out in your latest Bloomberg piece, what do you advise companies to plan for with respect to existing compliance frameworks? Do organizations need to rethink their entire strategy as a result of IoT or do they simply need to tweak existing guidelines and protocols?
The data tsunami is already here – about 2.5 quintillion bytes of data are being created every day (https://www.forbes.com/sites/bernardmarr/2018/05/21/how-much-data-do-we-create-every-day-the-mind-blowing-stats-everyone-should-read). This includes many types of information that come under the purview of consumer data privacy regulations that are present today. However, this tsunami is going to pale in comparison with the types of information and volumes of data that will get generated by IoT devices. As IoT devices get ubiquitous and used in more and more aspects of consumers’ lives, the current problems with data will almost seem trivial by comparison. Companies need to recognize that we are at an inflexion point in terms of data and begin to reframe their data strategies. Companies that do not do this will be at a competitive disadvantage from not being able to use their data as an asset and also be in a constant struggle to keep up with regulatory pressures on how consumer data is safeguarded.
How and whether organizations need to rethink their existing guidelines and protocols depends on where organizations are today. At the current stage, there is a broad spectrum of IG program maturity across different organizations. While some companies understand the importance of IG and are well on their way to building a comprehensive IG program, many are in initial stages of building an IG program. While most companies are doing “something” – they are barely scratching the surface when it comes to implementing a true information governance program. Almost all organizations are targeting some of the immediately achievable targets around reducing storage burdens. Most have also realized it is important to build stakeholder support for their programs to make these sustainable. However, there are still many opportunities for companies to position their governance efforts to sustain and succeed in an IoT driven future. IoT perhaps will provide organizations the impetus to build their IG programs with a view towards the future.
Establishing a sound IG program with a foundational approach to how the data is created, used and stored within an organization is critical. With such a strong foundation, it will not be necessary to completely rethink the framework to incorporate IoT. The fundamental principles of IG will hold true even in an IoT driven world.
However, it is also important to understand the unique nature of IoT data, the value they can add to a company and the challenges they can pose if companies are unprepared for them. Some of these aspects are being discussed in the guidelines and standards being framed around how to handle IoT data. It is important for IG professionals and companies to be keeping up with the evolution of these guidelines. For instance, the draft discussion of cyber security standards around IoT from the NIST highlights that companies might have to prepare for situations where IoT devices:
- Might not be accessed or monitored like conventional IT assets.
- Can make changes to physical world and thus can potentially affect human safety or cause damage to equipment and facilities. This is very different from other IT assets.
- Have differing lifespan expectations and possibly unserviceable hardware.
- Have heterogeneous ownership. Companies might not be able to maintain a complete inventory of all devices and might also have restricted access to the devices.
These will make it difficult to have universal recommendations or best practices that can work for all IoT devices. Organizations will need to understand risks based on specific uses of devices and adjust their policies and processes accordingly. Another thing to keep in mind is that managing security and privacy risks of some of these devices might potentially affect other types of risk or might introduce a new risk in another area. Risks need to be understood and handled in a holistic manner.
You spent almost a decade leading one of the best Forensic Technologies Services groups at KPMG. What insights did you learn in that position that you believe have proven helpful in guiding and informing your entrepreneurial ventures?
I have seen companies derive significant benefits from being able to steward their data as an asset. If this is properly done, companies gain tremendous competitive advantages and improve consumer confidence and loyalty. I have also seen how significant the costs of having to react to regulatory or legal needs for data can be when companies are going through a crisis. Being prepared in a proactive manner with better managed IG programs makes a big difference.
I have also seen how IG programs stall if they are manually intensive, or if it is hard to track progress, or if they do not have stakeholder buy-in. For programs to sustain, it is critical there is a clear view of progress and a continuous way to build on successes without ever-increasing efforts. Culturally, I think it is worse to have an IG effort stall than to have no effort at all.
We have tried to build on these experiences to provide our customers a sustainable model for Information Governance. This approach has a lot of resonance with companies and has helped us to gain traction with our customers. Enabling companies to position themselves for succeeding in a tomorrow with even more data has been the other critical underpinning of our solutions. In a nutshell, we are trying to make IG sustainable and enable companies to develop frameworks that will work today and in the future.
Are there any pearls of wisdom you’d be willing to share that might help a young person or individual thinking about a career in IG, consulting, or the Internet of things? Is it too late to get in on the ground floor on some of these evolving disciplines?
No, it is not too late to get involved in some of these evolving disciplines. It is critical for IG professionals to be aware and involved in them. There are some great opportunities to build very successful and satisfying careers in this space. We are at the cusp of massive data driven changes in most industries. Very soon in the future IG professionals are going to be actively managing new types of data, in larger volumes and under evolving regulatory scenarios.
I think it is important for us to realize how our own lives are being altered by IoT every day. Our houses, cars, work and lives are many times more wired and internet connected than even one or two years ago. Locks, doorbell cameras, voice activated assistants, drones, auto pilot cars, smart devices – you name it, it is already happening today. As end-users we are uniquely positioned to appreciate why this data needs to be managed securely. It is critical for us to understand the volumes of data being generated and the regulatory drivers for managing the privacy and security of IoT data.
To enable companies to have successful and sustainable IG programs, you need to understand the technology generating the data, how companies can derive value from the data and the need to protect and secure the data.