The term “disruptive technology” has been in use for ten years now, since Clayton Christensen popularized the term in his book, The Innovator’s Dilemma. At the time, disruptive trends and technologies applied mainly to risk-taking early adopters and seemed fairly slow moving and far removed from the priorities of most companies. That has changed now, as companies see the opportunities those technologies offer. Along with opportunity comes risk, and forward-looking CISOs will be anticipating those disruptive technology risks and how they impact their businesses.

However, there is a gap in awareness of the prevalence of disruptive technologies, according to the Excellence in Risk Management XIV report, published by The Risk Management Society (RIMS) and Marsh. For example, just over half of risk professionals say their organization doesn’t use or plan to use the Internet of Things (IoT). The reality, according to some estimates, is that 90% of companies will be using IoT within two or more years. This gap between perception and reality has contributed to more than half of organizations not conducting risk assessments for disruptive technologies.

How do you close that gap and identify the disruptive technologies that will change how risk is addressed? Regardless of the framework that you have in place, good security practices still apply (though disruptive technologies add complexity). Keeping pace with those technologies involves four steps:

  1. Keep up with disruptive technology trends.
  2. Be involved with decisions about using disruptive technologies.
  3. When disruptive technologies are chosen, understand how they change your risk profile.
  4. Update your security program based on your new risk profile.

Disruptive Technology

Keep up with trends

Every week, it seems as though another expert publishes an article about the top disruptive technology trends – chatbots, IoT, artificial intelligence, mixed and virtual reality, implantables, blockchain, and more. How do you sort out what matters to you? As technologist Clay Shirky has said: the problem is not information overload, it’s filter failure. Prioritize and personalize. Some good sources include:

  • Industry publications and events
  • Content about disruptive tech being used in other industries (logistics and freight companies were implementing IoT technologies early on)
  • News aggregation sites and curation sites, especially if personalized
  • Relevant hashtags on social media (#iot, for example)
  • Relevant experts, technophiles, passionate early adopters – inside and outside of your company
  • The consumer space, which often evolves into enterprise adoption

As you take in information, consider how the technologies will change your business and what threats and vulnerabilities they introduce. (Will blockchain-based validation replace or change PKI for IoT? How? And when?)

Be involved with decisions

Who is making decisions about what disruptive technologies to adopt and how? Is part of the awareness gap contributing to decisions being made without you? Being involved with those decisions early on is key. It’s better to design security into solutions than to bolt it on afterwards. There are two main challenges:

  • Lack of awareness: Two thirds of respondents to the Marsh New Reality of Risk online poll (6/7/17) said that they were “not aware of their organization having processes and procedures in place to trigger a risk assessment of a new technology before it is actually used.”
  • Deliberate avoidance: Risk management can be perceived as opposed to innovation. As Melissa Gale from Risk Solutions at Lyft points out, innovators “fear that [seeking guidance] may only lead to a lecture on why a new venture, process, or technology is a hindrance and shouldn’t be pursued.”

To address these challenges, do the following:

  • Be accessible and available – be the resource people come to for guidance.
  • Create cross-functional risk management groups, or if they exist, consider whether the composition of the group needs to change based on disruptive technologies.
  • Be aware of adoption roadmaps – seek them out.
  • Offer training, consulting, and coaching as a resource.

Understand how disruptive technologies change your risk profile

According to the Excellence in Risk Management XIV report, industry risk studies and third-party analyses have traditionally been used to assess risk, but for disruptive technologies other techniques, such as scenario planning and better use of data and analytics, may be more effective. To get a better view of how a disruptive technology changes your risk profile, consider the following:

  1. What are the components and who are the experts (internal or external)? For IoT, we need to consider the device layer as well as the edge tier and related interfaces. Who are the edge computing experts who can help identify those threats and vulnerabilities?
  2. Beyond the components themselves, where in the chain (value or supply) do threats and vulnerabilities pose a risk? Where can we prevent incidents? Where can we detect and address them?
  3. What data and analytics are available and relevant?
  4. How does this disruptive technology affect:
     • Regulatory, compliance, and audit requirements
     • Data and information classification
     • Liability considerations, including insurance (IoT interconnectedness, for example, raises liability questions)
     • Our assessments of third parties, suppliers, and customers themselves
     • Acquisitions

Update your security program

With this knowledge, revisit and adjust your security program and budget as appropriate.

Disruptive technologies bring different risks, but also bring great opportunities for companies to improve the way they do business and for CISOs to lead the way.

Citations

Gale, M. (n.d.). Technology Innovation is Disrupting Risk Management. Retrieved September 07, 2017, from https://www.brinknews.com/technology-innovation-is-disrupting-risk-management/

Marsh and RIMS, the risk management society. Ready Or Not, Disruption Is Here: How risk professionals are addressing the challenges of disruptive technology. https://www.marsh.com/content/dam/marsh/Documents/PDF/US-en/Excellence%20in%20Risk%20Management%20XIV-04-2017.pdf

Marsh New Reality of Risk poll (6/7/17)

Alexia Idoura

Senior Program Manager at Kudelski Security
Alexia Idoura is Senior Program Manager for Global Research and Development at Kudelski Security. She is responsible for coordinating program management activities across CTO engineering/innovation projects. Prior to joining Kudelski Security, Alexia coached and consulted primarily around change management, including working with companies to get full value out of software investments. She also worked for Symantec (and previously Veritas and Seagate Software), for almost 20 years as a senior principal program manager in DevOps and in other roles, implementing and rolling out systems to help organizations run more effectively.