IoT & data storage and security challenges

Sheila Zabeu

April 02, 2021

The Internet of Things (IoT) will face growing pains – this is the diagnosis of some experts. So-called growing pains, often cited in pediatric clinics, are not restricted to childhood and adolescence, but also affect the new technologies and environments underlying IoT.

It is true that IoT opens up a new field of opportunities, but it also imposes new challenges related to the huge volume of data it is generating. For Stefan Vucicevic, a tech writer for Jatheon Technologies, there are several questions to be answered and, clearly, there is no single answer for all cases. Even so, strategies can help IoT solution providers to face an increasingly complex regulatory scenario and lay the groundwork to ensure operational compliance.

The collection and disclosure of data extracted from various sources is seen as one of the most challenging compliance issues for IoT solutions. Imagine, for example, a fleet of trucks or a hospital, both with a wide variety of smart IoT devices. How many regulatory aspects would need to be managed?

Data handled by IoT devices and services needs to be stored for a certain period of time and to be available for e-discovery or litigation. In general, IoT works with highly confidential data, such as biometric and location data, and is consequently subject to lawsuits and very high fines. Therefore, it is important to preserve data and guarantee privacy and authenticity.

For Vucicevic, a good practice is to address these issues strategically from the very beginning of any IoT project. Such a strategy doesn't have to be immutable, as the IoT landscape and its regulations are evolving, but it is expected to take into account how the IoT solution is created and how it handles data, and to define basic guidelines that help maintain compliance, such as:

  1. Type of data generated (format, metadata, data sources, and storage media)
  2. Who can access the data and how the access will be managed
  3. How data will be used and for what purposes
  4. Who will be responsible for data protection and what will be the scope of responsibilities
  5. Data collection, storage and disclosure tools and costs
  6. How to deal with customer requests and potential lawsuits

For example, in this last aspect, legal proceedings, what should be done when a court order reaches the IoT solution provider or the user company, requesting specific sets of data? The legal teams will need to locate the data (in general, it is stored in the cloud), place a legal hold on accounts or records to guarantee that the data in question cannot be modified, and start preparing it for submission to the court.

This can be very time-consuming if there is no pre-established e-discovery method. A well-defined and frequently updated strategy will help to manage the data generated by IoT solutions and save the reputation of companies providing or using them.

Risk analysis for IoT initiatives

Compliance issues are just one of the risk variables in IoT projects. Cybersecurity is another key issue for IoT developers and providers. What would happen if an IoT device leaked the data it collects? Or what if a device that human lives depend on, such as one used to monitor vital signs, suffered a cyber attack? What would be the consequences for people and entire businesses?

To address these issues, the path pointed out by some experts is to apply a risk analysis methodology to IoT projects. By using this method, you can properly assess each source of risk, without overestimating or underestimating it, and share the results among everyone involved in the IoT project. Each one will be able to make their own assessment, measure the potential impacts and recommend control measures. Experts at Wavestone and Sigfox suggest starting with ISO 27005 to learn more about risk analysis methodologies.

Also, they point out that IoT projects have specific features to be considered during the risk analysis. In general, IoT projects include a decentralized network of devices spread over a large geographical area and, by the project's nature, these devices are not expected to require local maintenance. This profile makes guaranteeing security more difficult – if a single point in the IoT solution is vulnerable, the entire chain can be at risk. And the wider the physical coverage, the higher the risks. Also, when flaws or vulnerabilities are found, updating hardware or firmware or installing patches on-site is virtually unviable.

Most of the time, IoT projects include many technologies and different providers. This is another challenge – do the security measures followed by each one adequately address exposure to cyber risks? For example, many sensors work with 8-bit microcontroller technology and therefore cannot execute complex encryption algorithms, according to Wavestone and Sigfox experts.

They recommend that IoT providers have a specific security policy for their products and services, covering applicable regulations, acceptable risks, and tools used to ensure the implementation and efficiency of the established measures. Such procedures are expected to cover the entire life cycle of solutions, technologies used, and the ecosystem involved in the IoT project:

– Device Security: Think about all phases, from manufacturing to distribution, including recycling and disposal.

– Technology Stack Security: Consider every element, from hardware to the cloud, including embedded software, connectivity features, and applications. Perform frequent assessments – technologies may not have changed, but new threats and vulnerabilities may have emerged.

– Partner Ecosystem Security: Verify the cybersecurity maturity of partners.

Finally, define an incident response plan that specifies how threats, vulnerabilities, or intrusions are notified, along with the technical and communication measures needed to mitigate damage and recover quickly.