From the Stone Age all the way to the Information Age, tools have come a long way. Today, many modern tools and household appliances are smart and internet-connected – which brings plenty of convenience, but also security risks.
With that in mind, Julie Fitton, vice president of digital product security at Stanley Black & Decker (SBD), was tasked with spearheading the launch and management of an IoT security program designed to integrate cybersecurity into the design, build and operational stages of all products created by the historically non-digital manufacturer.
Fitton currently serves as adviser and thought leader to roughly 400 employees across more than 25 separate IoT development teams, working on products such as its cordless Smart Rivet Tool, which communicates real-time data while in operation to help confirm that a rivet has been correctly set.
For the IoT security program, Fitton developed a systematic process for evaluating and managing risks posed by internet-connected tools, and created a maturity model to help teams execute a step-by-step guide to improving cyber capabilities. To ensure that she was setting achievable objectives, she also ensured that her program took into consideration frameworks and standards such as UL2900, ETSI TS 103 645, NISTIR 8259, SOC 2 and ISO27001.
To establish a security governance model, Fitton also formed and consulted with an IoT Product Security Council, composed of IoT leaders across multiple business units. Meanwhile, Fitton sought third-party validation of SBD’s IoT product security program to ensure its objectives aligns with SB-327, California’s IoT security and privacy law.
According to her official SC Awards nomination, Fitton created a digital product risk assessment methodology that “adapted the industry nomenclature of crown jewels identification – which historically focuses exclusively on the value and confidentiality of information – and expanded the definition to account for additional vectors needed to establish inherent risk prioritization in the world of IoT.” These additional vectors are safety risk, data risk and product sales demography.
Fitton has stressed accountability and ownership among the product development teams, encouraging them to adopt tools and behaviors that resulted in improved cyber risk posture. This includes establishing policy and procedure templates, conducting continuous monitoring and periodic pentesting of products, establishing a coordinated vulnerability disclosure program, implementing key security tools and solutions, and enabling incident discovery and response.
Fitton also serves as an adjunct faculty member at Boston College’s MS in Cybersecurity degree program, developing course curriculum in the areas of cloud security and security in mobile devices, IoT social networking.
“Julie has built a world-class digital product security team with focused and innovative approaches to securing the Stanley Black & Decker product portfolio,” said J.R. Cunningham, senior vice president, professional services, Herjavec Group. “Julie’s approach of deeply understanding the intricacies of digitally enabled or augmented products and applying precise cyber security techniques that foster innovation yet protect what matters is, in my professional opinion, the mark of a professional that has stayed out in front of our industry.”