alphaspirit - Fotolia
Mitigating security risks posed by emerging tech: Expert advice
Companies are in hot pursuit of the benefits offered by cutting-edge technologies, but mitigating security risks often gets scant attention. CIOs need to change that. Here's how.
Emerging technologies such as the internet of things, robotic process automation, blockchain, 3D and 4D printing, and cognitive computing offer tremendous competitive advantages for companies bold enough to implement them in their enterprises.
However, they also introduce new security risks -- both known and yet unknown. That leaves executives with a difficult choice: Utilize new technologies to get that competitive edge while adding new security risks, or wait on adoption until the emerging technology risks are better understood and lose out in the marketplace.
Such factors add more complexities to the already challenging job of securing IT infrastructure and organizational data against cyberthreats.
"New technologies have unique and new challenges, and not all of [these new] solutions are robust and enterprise-ready," said Frank Ford, leader of the cybersecurity practice at Bain & Co.
Ford said he hears executives asking whether their cybersecurity measures are up to those emerging technology challenges. Many enterprises are not. But there are practices they can adopt to improve their position, he said.
He outlined three best practices that he sees as vital for mitigating security risks posed by from emerging technology:
- First, executives must ensure that their existing information risk management strategy is robust. "If you're not robust today, the strain is just going to increase with more and more new technology coming into the environment," he said.
- Second, organizations must embed security staff members who are skilled in identifying and mitigating security risks in the emerging tech initiatives, rather than treating security as an afterthought. "One problem enterprises have is that new initiatives get started and funded out of the business; they get going and then they go to security to get a sign-off," he said. It's much more difficult for security to do their jobs [in that scenario]."
- Third, organizations should fully expect security weaknesses in emerging technologies. "IT departments tend to be risk-adverse, and their caution is well-advised when it comes to new technologies," Ford said.
IT and security teams should invest in understanding the new technologies' architecture, have a healthy skepticism about the vendors' sales pitches and test out new technologies on their own. "It's applying existing understanding to this new environment in a thorough way. You need to probe and make sure it's robust enough," he added.
Mitigating security risks: A layered approach
Patty Patria, vice president of IT at Becker College, is well-versed in the protocols for mitigating the security risks associated with emerging technology risks. The institution, based in Worcester, Mass., has seen a surge in new technologies -- and is prepared to handle the influx.
"If something brand new came to market tomorrow that could substantially improve the business, we have policies and protocols in place to evaluate it so we can set it up right away. We can move quickly to assess and determine whether it would work well with a minimal security risk or maximum security risk, and we can make recommendations based on that to move forward," Patria said.
For Patria, it's about having layers of protection that can be used to counter the known security risks of an emerging tech as well as any potential threats that haven't yet been identified.
Take, for example, the college's approach to the security risks associated with the internet of things (IoT), as it adds more and more devices to the school's IT infrastructure. Patria requires several security features before any device is connected: They include a secure boot, so it's not hijacked during the startup process; secure remote firmware updates, so the vendor can do a security update of the device's software; and secure communication protocols. Moreover, if a device stores sensitive data, the device must encrypt that data. It must also have strong user authentication and administrator protocols, she said.
These requirements for IoT are in addition to the college's other existing security measures, such as keeping the student network segregated from the employee network where sensitive data is stored, Patria said.
She explained that her approach to identifying and mitigating security risks in emerging tech doesn't focus on investigating every potential threat that a new technology could introduce, but rather focuses on guarding against as many threats as possible overall.
"If you have the right polices and processes and technologies in place for your security posture, that should help you evaluate any new technology and determine how to securely integrate it into your environment," she said.
Weighing risks vs. benefits
While IT leaders like Patria have developed a strategy for mitigating security risks posed by emerging tech, many executive teams still struggle with assessing how well they're doing on their cybersecurity efforts, said Bain & Co.'s Ford -- in part, because few comprehensive benchmarks exist.
Ford said Bain offers a methodology for assessing cybersecurity across four broad categories -- governance, process, technology and organization -- with subcategories under each one adding up to 100-plus elements to consider.
Frank Fordleader of the cybersecurity practice, Bain & Co.
The reward for approaching cybersecurity in such a holistic way, though, is the ability to develop targeted investments that best address the organization's risks and ultimately to achieve a better security posture -- even when adopting new and untested technologies, Ford said.
"Organizations that do these things very well will succeed much better than those who don't," he added. "It might not sound like rocket science, but doing this properly is a challenge for organizations."
Mansur Hasib, program chair of the Graduate Cybersecurity Technology program in The Graduate School at University of Maryland University College, agreed that organizations need to think holistically about cybersecurity and not just consider an emerging technology -- or, really, any technology -- in isolation. Hasib, a former CIO, said he advises organizations to instead to think of it as a digital strategy.
In that light, he said executives need to consider the gains and risks associated with new technologies and weigh them against each other.
Hasib compared implementing technology to driving a car: both offer advantages, yet carry risks, with built-in safety features and a secure environment (i.e., roads and laws for the car) mitigating the dangers.
Continuing with that analogy, Hasib noted that no one would consider the possible risks of driving a car without considering the advantages of driving or the efforts from people, policies and procedures that encourage safe driving.
Similarly, he said executives should not consider emerging technology risks in a siloed way either.
Organizations where security, technology and the business are aligned and working on strategy together are better able to assess the emerging technology risks, weigh those risks against the potential benefits and make the appropriate investments in the right security measures.
I am human; therefore, I stink at cybersecurity
Machine learning in cybersecurity a partial solution
Threat hunter: A new security role emerges