Enterprises Must be Prepared to Capitalize on Drone Technology
By Albert J. Marcella Jr., Ph.D., CISA, CISM, ISACA expert on sUAS Risk Management
While the commercial use of drone technology has become increasingly mainstream, enterprises intending to launch a drone program still must contend with a range of regulatory and security considerations before implementing this technology.
Commercial uses for drones, referred to as small unmanned aircraft systems (sUAS), are being discovered daily, fulfilling such uses as power/pipeline security and maintenance management, package delivery, real estate sales, and safety inspections, as outlined in global business technology association ISACA's new white paper, "Rise of the Drones: Is Your Enterprise Prepared?"
But how do enterprises know whether they are equipped to successfully launch a sUAS program? Here are 10 questions senior management should ask first:
- Is the organization prepared to operate and manage an internal aviation department?
- Is running an aviation operation in line with the organization's mission? Core business? Capabilities?
- Are uses of the organization's sUAS consistent with the organization's ethics policy?
- Has the organization secured a Certificate of Authorization (COA) prior to any launch of a corporate sUAS?
- Is the organization ready to assume the responsibilities of flight operations?
- Has the organization identified all of the complexities and challenges of operating an internal, certified flight operations function?
- Does sUAS technology pose a risk to the organization? If so, what type? How is this risk expected to be mitigated?
- Will the organization be able to immediately comply with federal legislation, and local regulations, for the safe and proper operation of its sUAS "fleet?"
- What added risks and liabilities will the organization be faced with once the organization has established an aviation function/department and is responsible for the compliance requirements associated with this function?
- Does the organization possess the knowledge and skill set necessary to perform an audit of the aviation department?
Let's drill deeper.
First and foremost, organizations must ensure compliance with current FAA regulations for commercial sUAS usage.
Keeping current with eventual changes to these regulations as the utilization breadth and scope of commercial sUAS broadens will become increasingly important. Expanding usage, business needs and sUAS application will drive eventual changes, waivers and polices that will affect sUAS implementation and adoption within an organization. Beyond remaining vigilant and cognizant of the federal laws governing sUAS usage, organizations will need to be acutely aware of the various state and municipal laws that may be in place that will affect the implementation, deployment and use of sUAS as part of the organization's strategic plans.
Staffing considerations also must be taken into account. Organizations serious about developing a sUAS program need to have the ability to hire trained, certified pilots, and comply with the substantial record-keeping necessary to meet safety, training and FAA reporting requirements.
Security threats resulting from sUAS also demand serious attention. Consider the possibility of a breach of an organization's perimeter, buildings, offices, storage facilities and meeting spaces, resulting in the unauthorized monitoring or recording of corporate activities. A sUAS stationed outside a 30th floor board room, outfitted with a laser microphone, is capable of relaying confidential information to an external competitor or third party.
Other potential security threats also loom, such as unauthorized physical or electronic access to the sUAS's onboard technology, programming or recording equipment that may result in the alteration of a flight path, data collection objective or the purposeful downing and destruction of the sUAS.
All of this is to say that organizations must not rush into implementing sUAS programs without being properly prepared. For the majority of organizations, incorporating sUAS capabilities into their strategic business plans will take, on average, a minimum of two years to fully identify, develop, implement, test and audit the policies, procedures and internal controls required to operate in compliance with current FAA regulations.
While that time frame might frustrate some business leaders who are eager to tap into this exciting technology, they must bear in mind that an uncontrolled sUAS program may cause significant damage to the organization's reputation in the form of legal, financial and ethical risks and exposures.
Proceeding with caution - and diligence - is the best way forward. Only with the right controls, policies and procedures in place can a sUAS program offer enterprises the significant technical and competitive advantages that they seek.