This research note is restricted to the personal use of jafizwaty@celcom.com.

my
G00273558

Address Cybersecurity Challenges Proactively

to Ensure Success With Outsourced IoT
Initiatives
Published: 6 May 2015

Analyst(s): DD Mishra, Earl Perkins

Cybersecurity and privacy concerns are the biggest inhibitor to adopting the
Internet of Things. Sourcing executives must review cybersecurity policies to
accommodate the rapid adoption of the IoT and by working closely with
procurement teams, create an approved list of IoT providers.

Impacts

Existing cybersecurity policies and procedures will undergo changes to support adoption of the
Internet of Things (IoT) introducing new cybersecurity challenges for sourcing executives.

Increased competition will drive enterprises toward rapid adoption of IoT with shorter
procurement and sourcing cycles, leaving less time for sourcing executives to address
cybersecurity.

Due to competitive pressures, mushroom growth of suppliers and faster supply chain
expectations, many IoT products will have vulnerabilities around risk, cybersecurity, privacy and
compliance thereby increasing complexity for sourcing executives.

Recommendations
Sourcing executives should:

Work closely with stakeholders to review architecture and design for cybersecurity. Evaluate
internal policies, processes and quality assurance mechanisms in light of available frameworks
and guidelines before considering the IoT provider market.

Create an approved list of IoT products and service providers, including their capabilities and
track-record on risk, cybersecurity, privacy and compliance, as the key parameters for
shortlisting.

Incorporate a data protection agreement into contracts, which ensures any data generated is
either secured or purged after use or termination of contract.

This research note is restricted to the personal use of jafizwaty@celcom.com.my

This research note is restricted to the personal use of jafizwaty@celcom.com.my

Strategic Planning Assumptions

By 2020, 60% of enterprise information cybersecurity budgets will be allocated for rapid detection
and response approaches, up from less than 10% in 2013.
By 2020, at least one consumer product manufacturer will be held liable by a national government
for cybersecurity vulnerabilities in its product.

Analysis
The Internet of Things (IoT) is becoming increasingly relevant to business. For example, as the
personal world of connected consumer devices such as wearables and health monitoring
collides with the Internet of Things consumer and organizational IT will become indistinguishable
and digital capabilities throughout the enterprise will simply merge. This has generated
unprecedented interest from an IoT strategy perspective among end users. The number of search
1

enquiries related to the IoT has increased substantially since 2012. Resisting this increased interest
are the cybersecurity (see Note 1) and privacy concerns, which remain the biggest inhibitors to the
IoT enablement (as shown in Figure 1). In a recent Gartner survey on the IoT conducted during the
fourth quarter in 2014, most respondents expected to draw on a mix of internal and external
resources to address the requirements of the IoT with respect to cybersecurity and privacy.

Page 2 of 10

Gartner, Inc. | G00273558

This research note is restricted to the personal use of jafizwaty@celcom.com.my

This research note is restricted to the personal use of jafizwaty@celcom.com.my

Figure 1. Top Inhibitors to the Adoption of the Internet of Things

IoT = Internet of Things

n = 396
Source: Gartner (May 2015)

The evidence available (from public domain sources) warns that pacemakers and other connected
3

medical devices could be hacked. Similarly, it has been revealed that smart TVs are also vulnerable
4

to hacking, using simple devices. The IoT brings unprecedented security risks and challenges to
enterprises as it makes further inroads into businesses.
Currently, as revealed in Gartner's Hype Cycle, the IoT has entered the Peak of Inflated
Expectations, it will reach the Plateau of Productivity within five to 10 years, while in the meantime,
continuing to grow at a steady pace (see "Hype Cycle for Enterprise Architecture, 2014"). Gartner
estimates there will be approximately 25 billion connected IoT devices by 2020; others project much

Page 3 of 10

Gartner, Inc. | G00273558

This research note is restricted to the personal use of jafizwaty@celcom.com.my

This research note is restricted to the personal use of jafizwaty@celcom.com.my

5

higher numbers. We discovered from our survey that only 20% of organizations have managed to
establish leadership in IoT. Very few have managed to establish a center of excellence (COE) for IoT.
Of those organizations, 40% believe that there will be a new set of providers supporting IoT
initiatives they do not currently have any dealings with, see "Survey Analysis: The Internet of Things
Is a Revolution Waiting to Happen."
Gartner forecasts a compound annual growth rate (CAGR) of 35.2% between 2013 and 2020 for IoT
devices, which includes both the consumer and the enterprise segment. Sectors such as
automation, energy, information, safety and cybersecurity will grow faster, at a CAGR of 44% from
2013 to 2020. The vertical specific growth in agriculture, banking, education, government,
healthcare, manufacturing, retail, transportation and utilities will grow by 24% during the same
period. During 2015, IoT installed-base growth will be approximately 30% and will continue to
increase at a steady rate and reach almost 40% by 2019 and 2020 as shown in Figure 2 (see also
"Forecast: Internet of Things, Endpoints and Associated Services, Worldwide, 2014").
Figure 2. IoT Devices Installed-Base

IoT = Internet of Things

Source: Gartner (May 2015)

Businesses will see rapid adoption and suppliers will produce devices at a rapid pace. Gartner
advises caution for consumers and service providers. During this rapid adoption phase, clients
should practice restraint when integrating devices and in their provider selection, when it comes to
ensuring that IoT devices are secure.
In addition, since revenue maximization is one of the top objectives of businesses, risk management
needs to be dealt with in a sensible manner so that it does not become an inhibitor. The business
Page 4 of 10

Gartner, Inc. | G00273558

This research note is restricted to the personal use of jafizwaty@celcom.com.my

This research note is restricted to the personal use of jafizwaty@celcom.com.my

must learn how to circumvent the risk as it continues on its journey for rapid adoption, enabling the
business to rapidly implement IoT processes, with partners and people as the main objective for
sourcing executives strategizing for IoT implementation.
Gartner sees the following key impacts for sourcing executives in the correlation of the Internet of
Things and cybersecurity, as depicted in Figure 3.
Figure 3. Impacts and Top Recommendations for Sourcing Executives

FTC = Federal Trade Commission; IoT = Internet of Things

Source: Gartner (May 2015)

Impacts and Recommendations

Existing cybersecurity policies and procedures will undergo changes to support
adoption of the IoT introducing new cybersecurity challenges for sourcing
executives
IoT rapid adoption will result in a lack of built-in or architected cybersecurity and safety features,
which will place some businesses in jeopardy if it is deployed in a mission-critical role. In Gartner's
6

2014 IoT survey, we found 77% of organizations have yet to establish any IoT leadership. This
means that there is no clear strategy or direction during this initial period, heading (in some cases)
to ad hoc adoption. From a sourcing perspective, vendors can exploit this situation by bypassing IT
and directly engaging with the business, which can introduce potential vulnerabilities.

Page 5 of 10

Gartner, Inc. | G00273558

This research note is restricted to the personal use of jafizwaty@celcom.com.my

This research note is restricted to the personal use of jafizwaty@celcom.com.my

Recommendations:
Sourcing executives should:

Collaborate with business and IT leadership to quickly establish IoT leadership and to undertake
a strategy for IoT adoption principles. If possible, a COE should be formed. An effective COE
can then establish a framework for adoption, enabling processes and structures, to provide help
in creating a productive digital business and IoT strategy.

Engage with cybersecurity and compliance teams to ensure new policies and procedures can
manage risks associated with the IoT. Review current guidance, such as the Federal Trade
7

Commission (FTC) rules, to ensure risks are measured, where applicable. Continuously explore
new frameworks, recommendations and government rules to keep the existing policy, process
and procedure in sync.

Evaluate emerging challenges with stakeholders, providers and experts. Engage with external
consultants, as required, to develop an enterprise risk management framework for the evolving
IoT ecosystem.

Increased competition will drive enterprises toward rapid adoption of IoT with
shorter procurement and sourcing cycles, leaving less time for sourcing executives
to address cybersecurity
The fine balance between agility and cybersecurity, risk and compliance needs to be defined.
Sourcing executives working closely with cybersecurity, procurement, finance, IT and business
teams can devise ways that can enable such rapid implementation especially since blocking the
pace of adoption with constraints may be detrimental for the business. The principle of imposing
control through command, constraint and compliance must transform to become engaging;
enabling and empowering the business and its different functions with suitable processes,
frameworks and tools.
Unfortunately, it cannot be ruled out that in some cases, other departments within the business will
circumvent the IT department completely, by directly procuring the necessary IoT components. This
is a significant concern, corroborated by the current and similar situation occurring with cloud
adoption, which we have observed over some time. This can bring additional cybersecurity
challenges. See "Sourcing Governance Prevents Corporate Risks When the Business Bypasses IT."
Recommendations:
Sourcing executives should:

Collaborate with procurement and business teams to explore devices, services, products and
providers to create a preapproved list generated from lessons learned with existing
deployments involving cybersecurity and compliance. This will make cycle times shorter and
enable rapid adoption.

Conduct workshops to understand the IoT roadmap and trigger business awareness about
safety and cybersecurity requirements as necessary.

Page 6 of 10

Gartner, Inc. | G00273558

This research note is restricted to the personal use of jafizwaty@celcom.com.my

This research note is restricted to the personal use of jafizwaty@celcom.com.my

Collaborate with legal, compliance, cybersecurity, consultants and business stakeholders to

produce a threat model for the IoT. Where necessary, conduct a "readiness review" using an
external consultant, to ensure that the organization is prepared from both a business and
technology perspective.

Enable rapid prototyping and proof of concept (POC) mechanisms for adoption and
incorporation of new products and services by developing environments and processes. Secure
risk management and stakeholder involvement, creating environments that include rapid
prototyping and cybersecurity aspects as well. Produce checklists of risk, compliance and
cybersecurity to ensure that they are suitably addressed during rapid POC. This will shorten the
adoption cycle time of the IoT.

Establish a strong demand management framework, which will not allow IT to be bypassed;
however, it should also not restrict business development. Instead, it will guarantee that IT and
IT sourcing is involved when decisions are made at the business level to acquire new IoT related
capabilities.

Due to competitive pressures, mushroom growth of suppliers and faster supply

chain expectations, many IoT products will have vulnerabilities around risk,
cybersecurity, privacy and compliance thereby increasing complexity for sourcing
executives
A recent report published by HP demonstrates six out of 10 devices with user interfaces are
8

vulnerable to a range of cybersecurity issues. Furthermore, 70% use unencrypted data. Something
as basic as corrupted data in a power distribution system can result in substantial risk. A 2012
Computerworld report explained how a heart pacemaker could be hacked to provide deadly 830volt jolt.

The IoT will drive convergence of operational technology with IT which will make things riskier. A
large number of devices do not follow the standards and norms traditional IT equipment is built
with. This introduces new challenges and vulnerabilities from a cybersecurity and compliance
perspective.
The IoT ecosystem is complex and massive. Currently, standardization does not exist and maturity
is evolving. At present, there is insufficient regulation protecting consumer interests. There is hope
that technology alliances and go-to-market partnerships will develop sector experience and
acumen. The ecosystem of IoT is grouped into different types of providers such as:

IT providers and system integrators (such as IBM, HP, CSC, Accenture, Capgemini, Atos,
Oracle, Microsoft, SAP, among others).

Communication providers (like NTT Data, AT&T, T-Mobile, Verizon Communications and so on).

Infrastructure gateway providers (like IBM, Hitachi, Juniper, Cisco Systems, HP, Fujitsu and so
forth).

Page 7 of 10

Gartner, Inc. | G00273558

This research note is restricted to the personal use of jafizwaty@celcom.com.my

This research note is restricted to the personal use of jafizwaty@celcom.com.my

Original equipment manufacturers (such as Johnson & Johnson, GE, General Motors, Ford
Motor, Siemens, Bosch, ABB, Philips and others).

Semiconductor manufacturers (like ARM Holdings, Intel, Qualcomm, STMicroelectronics among

others).

Recommendations:
Sourcing executives should:

Engage intensely with providers; understand the IoT and its digital roadmap to access maturity
in terms of portfolio of IoT offerings, market share, verticals supported, growth of IoT business
and regions served. Revisit sourcing strategy and seek a deeper alignment with adaptive
sourcing (see "Research Presentation for 'Improving IT Agility Through Adaptive Sourcing'").
Organizations that develop maturity in sourcing will be more capable of managing risks and
compliance from the IoT.

Collaborate with legal, IT and compliance teams to establish an integrated contractual

framework for your digital business initiatives, to ensure that that the provider will comply with
your organization's digital ecosystem. Ensure IoT and cloud-related risks are addressed by the
digital business framework. (See "What Securing the Internet of Things Means for CISOs.")

Focus on organizational training and awareness before engaging with providers. Include training
and awareness as a part of provider obligations.

Engage consultants and experts to deal with cybersecurity and integrity of data. IoT initiatives
often bring vast data management challenges since such a huge amount of data is generated.
Therefore the organization will have to analyze what data is useful and how it should be
organized to ensure optimal utilization of resources, such as storage, computing and network,
as well as discarding unnecessary information and using encryption where needed.

Acronym Key and Glossary Terms

CAGR

compound annual growth rate

COE

center of excellence

FTC

Federal Trade Commission

IoT

Internet of Things

POC

proof of concept

OT

operational technology

Page 8 of 10

Gartner, Inc. | G00273558

This research note is restricted to the personal use of jafizwaty@celcom.com.my

This research note is restricted to the personal use of jafizwaty@celcom.com.my

Gartner Recommended Reading

Some documents may not be available as part of your current Gartner subscription.
"Prepare for the Internet of Things to Drive Big Change in Sourcing"
"Mitigate Digital Security Risks and Emerging Threats in IT Outsourcing by Solidifying Scope and
Support of Stakeholders"
Evidence
1

Search trend analysis of gartner.com in 4Q14 revealed that "Internet of Things" ranked the second
highest of all search terms for various technologies (after "cloud" and followed by "big data"). The
number of IoT-related Gartner client inquiries rose from over 50 per quarter in 2012 (when it started
to become a meaningful client inquiry issue), to almost 500 per quarter by 3Q14 almost a tenfold
increase. (See "Gartner Analytics Trends: The Internet of Things Really Matters for Communications
Service Providers.")
2

In "Survey Analysis: The Internet of Things Is a Revolution Waiting to Happen," Figure 6 Sourcing
the IoT Skills Over the Next Three Years depicts that a majority of respondents believe that it will be
mix of external and internal resources that will fulfill the key roles for the IoT requirements.
3

T.Wadhwa, "Yes, You Can Hack a Pacemaker (and Other Medical Devices Too)," Forbes, 6
December 2012.
4

J. O'Callaghan, "Could Your Smart TV be Hacked? 'Red Button' Feature Could be Used to Hijack
Web Accounts," Daily Mail, 9 June 2014.
5

T. Danova, "Morgan Stanley: 75 Billion Devices Will Be Connected to the Internet of Things by
2020," Business Insider India, 3 October 2013.

In "Survey Analysis: The Internet of Things Is a Revolution Waiting to Happen," Figure 4. IoT
Leadership (n = 456) shows that 70% of organizations do not have IoT leadership.
7

"FTC Report on Internet of Things Urges Companies to Adopt Best Practices to Address
Consumer Privacy and Security Risks," FTC, 27 January 2015.
8

HP's security research, related to IoT, revealed some interesting insights into the IoT security. For
further information, see "Internet of Things Research Study," HP, September 2014.
9

J. Kirk, "Pacemaker Hack Can Deliver Deadly 830-Volt Jolt," Computerworld, 17 October 2012.

Note 1 Cybersecurity
Cybersecurity encompasses a broad range of practices, tools and concepts related closely to those
of information and operational technology security. Cybersecurity is distinctive in its inclusion of the
offensive use of information technology to attack adversaries.

Page 9 of 10

Gartner, Inc. | G00273558

This research note is restricted to the personal use of jafizwaty@celcom.com.my

This research note is restricted to the personal use of jafizwaty@celcom.com.my

GARTNER HEADQUARTERS
Corporate Headquarters
56 Top Gallant Road
Stamford, CT 06902-7700
USA
+1 203 964 0096
Regional Headquarters
AUSTRALIA
BRAZIL
JAPAN
UNITED KINGDOM

For a complete list of worldwide locations,

visit http://www.gartner.com/technology/about.jsp

2015 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This
publication may not be reproduced or distributed in any form without Gartners prior written permission. If you are authorized to access
this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained
in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy,
completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This
publication consists of the opinions of Gartners research organization and should not be construed as statements of fact. The opinions
expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues,
Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company,
and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartners Board of
Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization
without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner
research, see Guiding Principles on Independence and Objectivity.

Page 10 of 10

Gartner, Inc. | G00273558

This research note is restricted to the personal use of jafizwaty@celcom.com.my