The term “disruptive technology” has been in use for ten years now, since Clayton Christensen popularized the term in his book, The Innovator’s Dilemma. At the time, disruptive trends and technologies applied mainly to risk-taking early adopters and seemed fairly slow moving and far removed from the priorities of most companies. That has changed now, as companies see the opportunities those technologies offer. Along with opportunity comes risk, and forward-looking CISOs will be anticipating those disruptive technology risks and how they impact their businesses.
However, there is a gap in awareness of the prevalence of disruptive technologies, according to the Excellence in Risk Management XIV report, published by The Risk Management Society (RIMS) and Marsh. For example, just over half of risk professionals say their organization doesn’t use or plan to use the Internet of Things (IoT). The reality, according to some estimates, is that 90% of companies will be using IoT within two or more years. This gap between perception and reality has contributed to more than half of organizations not conducting risk assessments for disruptive technologies.
How do you close that gap and identify the disruptive technologies that will change how risk is addressed? Regardless of the framework that you have in place, good security practices still apply (though disruptive technologies add complexity). Keeping pace with those technologies involves four steps:
- Keep up with disruptive technology trends.
- Be involved with decisions about using disruptive technologies.
- When disruptive technologies are chosen, understand how they change your risk profile.
- Update your security program based on your new risk profile.
Keep up with trends
Every week, it seems as though another expert publishes an article about the top disruptive technology trends – chatbots, IoT, artificial intelligence, mixed and virtual reality, implantables, blockchain, and more. How do you sort out what matters to you? As technologist Clay Shirky has said: the problem is not information overload, it’s filter failure. Prioritize and personalize. Some good sources include:
- Industry publications and events
- Content about disruptive tech being used in other industries (logistics and freight companies were implementing IoT technologies early on)
- News aggregation sites and curation sites, especially if personalized
- Relevant hashtags on social media (#iot, for example)
- Relevant experts, technophiles, passionate early adopters – inside and outside of your company
- The consumer space, which often evolves into enterprise adoption
As you take in information, consider how the technologies will change your business and what threats and vulnerabilities they introduce. (Will blockchain-based validation replace or change PKI for IoT? How? And when?)
Be involved with decisions
Who is making decisions about what disruptive technologies to adopt and how? Is part of the awareness gap contributing to decisions being made without you? Being involved with those decisions early on is key. It’s better to design security in to solutions than to bolt it on afterwards. There are two main challenges:
- Lack of awareness: Two thirds of respondents to the Marsh New Reality of Risk online poll (6/7/17) said that they were “not aware of their organization having processes and procedures in place to trigger a risk assessment of a new technology before it is actually used.”
- Deliberate avoidance: Risk management can be perceived as opposed to innovation. As Melissa Gale from Risk Solutions at Lyft points out, innovators “fear that [seeking guidance] may only lead to a lecture on why a new venture, process, or technology is a hindrance and shouldn’t be pursued.”
To address these challenges, do the following:
- Be accessible and available – be the resource people come to for guidance.
- Create cross-functional risk management groups, or if they exist, consider whether the composition of the group needs to change based on disruptive technologies.
- Be aware of adoption roadmaps – seek them out.
- Offer training, consulting, and coaching as a resource.
Understand how disruptive technologies change your risk profile
According to the Excellence in Risk Management XIV report, traditionally, industry risk studies and third-party analyses have been used to assess risk, but for disruptive technologies, other techniques such as scenario planning and better use of data and analytics may be more effective. To get a better view of how a disruptive technology changes your risk profile, consider the following:
- What are the components and who are the experts (internal or external)? For IoT, we need to consider the device layer as well as the edge tier and related interfaces. Who are the edge computing experts who can help identify those threats and vulnerabilities?
- Beyond the components themselves, where in the chain (value or supply) do threats and vulnerabilities pose a risk? Where can we prevent incidents? Where can we detect and address them?
- What data and analytics are available and relevant?
- How does this disruptive technology affect:
- Regulatory, compliance, and audit requirements
- Data and information classification
- Liability considerations, including insurance (IoT interconnectedness, for example, raises liability questions)
- Our assessments of third parties, suppliers, and customers themselves
Update your security program
With this knowledge, revisit and adjust your security program, and budget, as appropriate.
Disruptive technologies bring different risks, but also bring great opportunities for companies to improve the way they do business and for CISOs to lead the way.
Gale, M. (n.d.). Technology Innovation is Disrupting Risk Management. Retrieved September 07, 2017, from https://www.brinknews.com/technology-innovation-is-disrupting-risk-management/
Marsh and RIMS, the risk management society. Ready Or Not, Disruption Is Here: How risk professionals are addressing the challenges of disruptive technology. https://www.marsh.com/content/dam/marsh/Documents/PDF/US-en/Excellence%20in%20Risk%20Management%20XIV-04-2017.pdf
Marsh New Reality of Risk poll (6/7/17)
- What You Can’t See: Visualizing and Addressing MITRE ATT&CK Coverage Gaps with Threat Navigator - April 11, 2023
- “I’m a New Security Leader and My Business Has Been Breached. What Next?” An Eight-Step Guide to Managing a Cyber-Attack for the First Time. - February 7, 2023
- Our top cybersecurity predictions for 2023 - January 10, 2023