Press Releases

Shared Assessments’ and Ponemon’s Fourth Annual IoT Risk Study: A New Roadmap for Third Party IoT Risk Management

The Critical Need to Elevate Awareness, Authority and Engagement


Santa Fe, NM, June 10, 2020 – The Shared Assessments Program, authorities in risk management, today released results of the Fourth Annual Ponemon Institute’s Third Party Internet of Things (IoT) Risk Management study. This year’s report underscores the acute need for IoT risk management improvement, as most organizations do not know what tracking and safeguards their third parties have in place. New insights in this year’s study crystallize a set of leading practices for reducing IoT-related risks, which represent an important feature of this report.


“While the proliferation and consumerization of embedded technology, including IoT devices, continues to evolve at a rampant pace, new security vulnerabilities and exposures are introduced. This is especially true when the use of IoT devices is extended to third parties, fourth parties, or, even more concerning, when it’s unknown where the use of IoT devices is being extended, or those extensions are unmanaged,” observes Rocco Grillo, Managing Director, Global Cyber Risk Services, Alvarez & Marsal.


In “A New Roadmap for Third Party IoT Risk Management – the Critical Need to Elevate Awareness, Authority and Engagement,” Ponemon reports that current IoT risk management programs are not keeping pace with the dramatic increase in IoT-related risks, a shortcoming that represents a clear and expanding threat to most organizations.


Among the key findings:

  • The problem is fueled by the steep expansion in IoT devices, the lack of a centralized IoT risk management program, and the lack of involvement by the most senior authorities.
  • Approximately one quarter of respondents self-report as higher performing organizations that are significantly more likely to implement leading risk management practices and apply them to IoT use. However, even these organizations need to enhance many aspects of their IoT risk management capabilities.


“Clearly, the gap between understanding and practice must be closed, and quickly,” notes Charlie Miller, Senior Advisor, The Santa Fe Group, Shared Assessments Program. “The study underscores a major disconnect between the authority and involvement that survey respondents say is needed from their Boards of Directors, and the actual governance exhibited today. It’s increasingly imperative that organizations get ahead of the problem and address IoT risks before a major disruptive event, not after one.”


As this study makes plain, swift, step-function improvements are needed throughout most IoT risk management programs and in third party risk management (TPRM) in general. Areas ripe for action include governance, risk and asset management practices, and resource allocation.


A complete copy of the study can be downloaded here.


About the Ponemon Institute

Founded in 2002 by Dr. Larry Ponemon and Susan Jayson, Ponemon Institute conducts independent research on data protection and emerging information technologies. Our goal is to enable organizations in both the private and public sectors to have a clearer understanding of the trends in regulations and the threat landscape that will affect the collection, management and safeguarding of information assets. 


About the Shared Assessments Program

As the only organization that has uniquely positioned and developed standardized resources to bring efficiencies to the market for more than a decade, the Shared Assessments Program has become the trusted source in third party risk assurance. Shared Assessments offers opportunities for members to address global risk management challenges through committees, awareness groups, interest groups and special projects.

Media Requests

Media Relations
(505) 466-6434

Media kit: contact Media Relations to request one.