The Coming IT Revolution

Gartner recently published their report “Top Strategic Technology Trends for 2022.”  End-of-year summaries and next year’s forecasts that fill inboxes this time of year are often discounted.  But this report was significant in that the identified trends suggest a significant shift in the tech culture. 

Among the trends identified by Gartner was a shift away from siloed applications where the infrastructure and processes needed to support applications are treated as independent needs toward a networked architecture where data, security, cloud, and privacy needs are managed cohesively across the entire enterprise.  The need for such a shift was echoed by multiple speakers at last month’s IoT World Conference.  The speakers discussed the need to reimagine existing data infrastructures in order to shift to horizontal platforms that better serve the enterprise.  Such a systemic restructuring requires enterprises to adopt a layered structure or a tech stack that compartmentalizes functionality and increases data visibility across the organization.  This leads to a more trusted approach to IT by increasing access to data and tools.  Ultimately, data utilization and collaboration are improved and the organization increases its return on investment.

Another highlighted trend is based on a movement toward a more dynamic applications environment. The last few years have shown that nimble organizations are better able to adapt to changing business conditions. Organizational agility can only be achieved if the IT organization is able to deliver in the face of evolving requirements and if its toolkit includes composable applications, automation tools, business intelligence systems, and configurable artificial intelligence. As IT organizations evolve away from the idea of an all-encompassing application that limits adaptability, they are (1) adopting new systems that treat applications as a series of functional modules that can be restructured as needs change, (2) managing data as dynamic data flows that provide the freedom to rebalance data distribution systems as necessary, and (3) deploying rule-driven systems that allow insight advancement based on derived insights.

Trending data also demonstrate that organizations are moving to embrace technologies that serve to adapt to the desired user experiences. This trend represents a shift away from systems that might improve operational efficiencies if that improvement comes at the cost of the human experience. The days of deploying technologies that require organizational changes or significant employee retraining exercises are coming to a close as organizations embrace systems that enhance desired customer and employee experiences. Technologies are emerging that support the needs of a distributed organizational structure. Tools that emphasize customer (and employee) experiences are becoming expectations rather than desires. And active intelligence systems that are able to process data and directly impact operational processes are supplanting systems that first capture data, mine the data for insights, and then recommend management action.

The trends identified in the report go well beyond references to technology that an organization can purchase and deploy in an effort to achieve incremental process improvement.  They represent a new IT philosophy about how data systems are architected, operationalized, and perceived by the organization as a whole. 

The IT function is continuing to evolve away from its roots as a service function to become an important component of any organization’s strategic mission. Recent events have accelerated this migration in that the strategic objectives of any organization are either enhanced or limited based on the capabilities of the IT organization. The trends identified by Gartner signify an acceleration of this movement. Once these technologies are more fully deployed, the IT function further shifts from the role of being a key strategic advisor to the organization to being a much more active member of the management team. IT is effectively shifting from being a strategic enabler (or inhibitor) of the organization to becoming a primary actor on the stage of future business.

New Data Rules Drive Operational Changes

CPRA and CCPA Data Rules

In November 2020, California passed the California Privacy Rights Act (CPRA) which updates the data rules established by the California Consumer Privacy Act (CCPA) that was originally passed in 2018.  There are those that argue that a patchwork of privacy laws makes it difficult for companies to do business, but the reality is that when these companies adhere to the most stringent requirements and apply them across the board, this issue largely goes away.  CPRA has the potential to become one such lighthouse issue that drives action far outside the California borders. 

CPRA properly recognizes that privacy cannot be ensured unless the data has been properly secured. Data security is a prerequisite that must be considered before an effective data privacy policy can be put in place. The law requires that companies that store personal information implement reasonable measures to detect security incidents, resist malicious or illegal actions, and aid in the prosecution of malicious individuals responsible for such actions. The requirement that companies aid in prosecution of individuals implies the need to keep detailed records about such attacks. On the surface, this may not seem like an onerous requirement given that most data security systems log detected security events. However, by linking security to privacy, CPRA has created a need for security threats to be correlated to data repositories and then to potentially impacted individuals. Most organizations do not have a complete (and auditable) directory of the data held within their organization, and this issue may be a major obstacle in meeting these new requirements.

CCPA required consent before an organization could begin collecting personal information. CPRA has made the definition of consent more specific. For example, consent requests cannot be incorporated into broad and general statements of policy. Consent agreements have to be explicit and self-standing, so the request and its limitations are clear to the individual. CPRA also calls for consent agreements to be reasonably specific as to the purpose of the data collection, the type of data collected, and how the data will be used. In addition, organizations cannot assume any general activity on the part of the user can be construed to imply consent. For example, by simply putting the consent form on the screen, the organization cannot assume the person would agree based on making the consent information available to them.

CPRA expands the definition of what is considered personal information. Technologies that monitor a person’s behavior through heat maps, mouse tracking, historic use patterns, etc. are not prohibited but they are considered personal information. As such, organizations have to obtain a user’s consent before these technologies can be used. CPRA also goes as far as to set organizational limits to consent agreements. For example, if the user consents to allowing Budweiser to collect data about them, it does not mean that they have agreed to allow Corona access to that data even though both companies are part of the InBev group.

CPRA serves to extend the regulatory reach of these agreements into the data supply chain. If an organization provides data to a third party and the user later asks to be deleted from the data set, that request must be passed on to all third parties who received the data, directly or indirectly, from the source organization. This implies that any organization that provides data to a third party must also track its data distribution systems. Further, any third parties that accept data from another source are bound to the conditions that the original organization established when the data was first collected. This requires that a company not only track (and presumably audit) the data that is held within the organization, but also maintain a data directory capable of tracking third party data as it enters or leaves the organization. Essentially, the organization has to track the provenance of all the data within and flowing through the organization. If an organization discovers that a down-stream partner is not using the data in accordance with the established consent agreements, the organization is expected to take reasonable steps needed to remediate use of that data.

CCPA required organizations to disclose the type of information collected about individuals. CPRA expanded the requirement to allow individuals to request organizations disclose the exact information they hold about them and the retention policy associated with their data.  As a part of this process, people can ask that erroneous information be corrected or deleted.  The law also mandates that retention periods cannot be unreasonably long and should be tied to the use case described when consent was obtained. 

CPRA put additional clarity around the activities that are covered by the law. As originally written, CCPA rules applied to the sale of data between two entities. CPRA clarified the point by establishing that other non-commercial transfers of data are included under these regulations. The consent agreement must also indicate any expected data sales/sharing arrangement that might make use of the collected data. If, by chance, the organization decides to share data with a third party after the data has been collected, the original consent agreement needs to be modified and sent to the individuals in order to affirm their continued consent.

Despite the fact that the ‘C’ in CCPA stood for Consumers, the CPRA laws also applied to employee data held by the company.  CPRA makes it clearer that these privacy rules apply to any personal information held by the organization, not just ‘customer’ data.

CPRA also created a new state agency, the California Protection Agency, which is tasked with enforcing the CPRA laws.  This agency can levy fines and it also has the authority to audit an organization’s privacy (and security) practices.

CPRA only applies if an organization is a for-profit entity that has either more than $25M in revenue OR if 50% of its revenue comes from its data sharing activities.  While small companies and nonprofits are not covered by the law, these other organizations should consider adopting the CPRA practices as a normal market expectation. 

CPRA won’t be enforceable until 2023, giving organizations some time to get their house in order, but once it does become effective, it will cover all data that was collected from January 1, 2022 onward. These requirements have driven many organizations to name a Chief Security Officer (CSO) or a Chief Data Officer (CDO) who is intended to establish and then oversee the organization’s efforts to secure the data they hold. These personnel have 2021 to get their strategies defined and in place so they can begin monitoring data systems within their organization at the start of 2022.

Who Can You Trust with Your IoT Data?

No single entity can install enough IoT devices, systems, and applications to cover everything needed. As a result, entities must collaborate in two areas. The first area is interoperability. You would have never been able to enjoy Wi-Fi, Ethernet, Bluetooth, and many other technologies if equipment, connectivity, and service providers would not have put the effort to establish interoperability among their products and communication protocols. But it is the second area that this article focuses on: TRUST.
Can one provider trust another provider with your data?
The consequences of your data falling into the wrong hands could be devastating, and in some cases, could even pose a threat to life and business viability. The level of trust you must have in another entity correlates with, and must compensate for, your perception of the risk that you might incur if that entity mishandles your data.
My definition of trust helps here: trust is your willingness to accept the potential negative consequences of giving control over something you have to someone (or something) else.
So, how do you know if you can trust another entity with your data?
To answer this question, I would turn to my model of trustworthiness, and the 6 components of it.
First, is the other organization competent in handling your data? Have they shown the ability to maintain data security in the past? Do they have the capability and the skills to continue to do that? If applicable, are they, their products, or their services appropriately certified to maintain data security?
Second, does the other organization share your values? What is their motivation for collaborating and interoperating with you? Are they driven by the same values and motivations as your organization, or are they driven by values that oppose those of your organization? “Marriage of convenience” could blow up in your face, when conflicting motivations rise to the surface. You must assure that your values are aligned with those you wish to trust.
Third, is the relationship symmetrical? Data that flows only in one direction is asymmetrical and may lead to breaches in trust. On the other hand, if data flow between the two organizations is symmetrical, trust will be maintained at a higher level. Keep my information safe and I’ll keep your information safe. Symmetry is a powerful motivator for trustworthiness.
Once you have analyzed the other organization through these first three components, you would be able to determine whether you can (or cannot) fundamentally trust them. Don’t share information if the other organization cannot be trusted through the analysis of those three components.
The next three components come into play through the ongoing relationship with the other organization, because trust is dynamic. It increases (or declines) with every interaction and, although not as fast, in between interactions. In fact, it will decline faster with negative interactions than it would increase with positive ones. Just like people are much more inclined to post negative reviews if they had negative experiences than they are to post positive reviews if they had positive experiences. Bad is much stronger than good.
The other organization is made of people, and people are (or are not) trustworthy, which would make their entire organization trustworthy (or not). How they interact with you would allow you to determine their trustworthiness. The three components of every interaction are the positivity of the interaction, the length and frequency of interactions, and the intimacy of those interactions. The more direct, transparent, no-BS your interaction counterpart is, the more you can trust them. The more frequently you meet with them, and the longer you meet with them, the more you can tell if you can trust them or not. In a similar way, the higher the intimacy of your interactions is (more face-to-face, less email), the more you can tell if you can trust them.
While there is almost nothing you can do beyond judging the competence or values of the other organization, or the symmetry of your relationship, there is a lot you can do to determine their trustworthiness and build trust between you and them through interacting with them more frequently, for a longer time, and more intimately.
Finally, remember that as much as you may need to trust them with your data, they must trust you with theirs. Building trust does not happen when you demand another person (or organization) to behave in a way that will earn your trust. It happens when you behave in a way that will earn theirs.

The author is the CEO of the Innovation Culture Institute LLC and the author of The Book of Trust and twelve other books and 300 articles. He was named one of the top 20 thought leaders on organizational culture by Thinkers 360. Find out more at www.yoramsolomon.com

The State of Our Connected World

The World Economic Forum (WEF) recently released the report “The State of the Connected World.”  In that report, the WEF reflects the growing importance of IoT technologies in a data driven world, a technology that links the digital and physical world into a cohesive fabric.  The cumulative effect of these systems is the creation of a digital twin that reflects current conditions.  Such systems allow data analytics processes to drive operational processes in real-time.  This represents a significant shift from today’s world where analytics are largely used to identify historic trends and forecast future needs.  While the potential benefits of systems are breathtaking in their ability to redefine even the most basic business processes, they also open the door to new scenarios that may arise if these technologies are not provided with proper guide rails.  

The report makes clear that the IoT space is still in its infancy and is expected to grow and even accelerate after the COVID-19 pandemic begins to subside.  The rate of technical evolution in this space is already outpacing our ability to establish laws, policy, and standards.  Despite efforts of marketing professionals to describe products as future-proof, it is impossible to predict how these guiding principles will evolve over time.  Therefore, existing systems must be constructed so that adaptability is a foundational requirement.  Current generation systems should anticipate that upgrades and retrofits are expected operational costs.  This observation can be compounded by the fact that operational costs of such systems are often significantly underestimated. 

Another point raised by the report relates to the potential for IoT systems to worsen the digital divide. COVID-19 has served to highlight that we live in a world where there are marked differences between the digital haves and the digital have-nots. In affluent areas, access to high-quality, high speed internet is primarily a question of choice. However, in many areas access to the internet is severely limited by speed, choice, and quality. This creates a digital caste system. Those in some areas have seen the internet improve education, economics, information access, and consumer choice while others are being left behind in a digital world. The introduction of IoT technology could raise the ante even further by making targeted environments ripe for accelerated growth while other areas are left behind.

Privacy and security continue to be noted as key concerns.  Companies struggle to provide sufficient protection for their systems which are facing a growing onslaught of external threats (e.g. hacking) and societal expectations (e.g. CPRA).   At the same time, government authorities struggle to find the proper balance between the protection of personal freedoms without hindering the economic growth that arises from increased collaboration and data sharing.  Tied to such deliberations are issues linked to artificial intelligence and automation, two technologies that while being independent of IoT technologies, depend on the growth of IoT technologies in order to achieve their long-term market potential.

A key point, which is outlined in the report but bears further examination, is the fact that a significant portion of the value that IoT systems create is derived by linking disparate systems together. For example, a manufacturing company can see immediate productivity gains by deploying IoT technologies to automate a factory floor. Those base level gains can be exponentially increased when an automated factory is linked to supply chain distribution companies that have also automated their delivery resources. Similarly, a smart home can make lives easier for individual residents but the composite value of such systems dramatically increases when the data from these systems are linked with the power-grid and other city services.

Despite the fact that IoT systems remain in their infancy, they have already become an indispensable part of the way we live our lives and conduct business. While we face many challenges with these first generation systems, the benefits are so significant that there are many examples where the technology is being enthusiastically embraced. As the challenges outlined in the WEF report are addressed, the benefits of IoT technologies will rise and costs will decline. Together, these factors are poised to accelerate deployment of IoT systems, data networks, data analytics, and artificial intelligence.

The Need for Information Networks

The pandemic of 2020 has been difficult to deal with as an immediate crisis and at the same time, it is a learning experience that can be used to make ourselves grow as a society. One of the many lessons that have to be absorbed relates to the nature of information. The COVID-19 virus does not respect geographic or organizational boundaries and that means our efforts to confront the virus have to also transcend organizational boundaries. Unfortunately, historically we have designed our infrastructure systems around organizational hierarchies and made it difficult for information to flow around these hierarchies. For example, when a hospital collects data, it does so in a way that facilitates the operation of that hospital. Electronic Health Record (EHR) systems facilitate data flows between hospitals but only in prescribed paths that are not easily adapted to meet the needs of a crisis. Information flows have to be managed in a more agile fashion if the goal is to allow data to shape our response strategy.
Lacking a coherent information architecture, emergency responders, nursing homes, public safety officials, and other critical workers have been forced to take it upon themselves to manage information flows between organizational entities. While we are thankful for the efforts of these individuals/institutions, it should not have been this difficult to develop a data-driven, coordinated response strategy. We should not be in a situation where different leaders are looking at different data or interpreting the same data differently as they establish policy.
Traditionally when people discuss infrastructure they focus on the highway system, airports, and shipyards. Only recently have we begun to consider the Internet a critical part of our infrastructure – it seems certain that our response to COVID would have been even more stunted had we not embraced this expanded definition. However, this pandemic experience calls into question whether we should push further; maybe the acceptance of data connectivity as infrastructure demonstrates an insufficient appreciation for the true need. Perhaps, information exchanges should be included in our understanding of critical infrastructure. Such information exchanges go beyond linking data producers with data consumers to provide a context to the enabled exchanges. If these information exchanges had been in place prior to the pandemic, data consumers would receive data with an understanding of what that data represents. It is that contextual information that allows simple binary data to become valued information that enables the decision making we need.

Data Silos Hurt Our Covid Response

The COVID-19 pandemic has disrupted the world. Many refer to the pandemic as an unforeseeable event, a black swan that could not be planned for. We wish to agree and to disagree with such sentiments. While the specifics of the virus could not have been expected, it was clear that many situations such as plagues, wildfires, earthquakes, and more do not respect organizational boundaries yet we continue to build data networks that do.
The siloed nature of our data networks makes it difficult for data to flow across organizational structures and that makes it impossible to use data for situational awareness. Our unpreparedness made assessment and communications much more difficult than it should have been and that in turn hindered our ability to respond.
We do not need another application and we do not need a new detection system, we need a new way to think about data networks!