Emerging Technologies
This is the twelfth in our series sharing thought pieces and the second from the CISO Desk Reference Guide: A Practical Guide for CISOs, Volume 2. In the following excerpt from a combined essay for Chapter 11, we make the case that teamwork is critical to understanding the risk posed by emerging technologies and ensuring the organization is prepared to manage that risk. Please enjoy.
The $64,000 question, “Which technology trends will impact my organization most and why?” requires that the CISO remain vigilant to changing technologies. This question should be used across the security organization and with their colleagues within infrastructure and operations, as well as research and development (assuming that department exists within the firm). Invite respondents to think expansively about technology changes and look beyond traditional IT advancements for input. As a case in point, quantum computing is a fascinating topic involving computer science, physics, and quantum mechanics. Give your security team an exercise to consider the good and bad implications concerning quantum computing. We know certain cryptographic services will likely not survive in a post-quantum world. How, then, should our organization prepare? What is controllable today, and what will require ongoing diligence? Ensure your organization documents these more significant trends and devotes time to considering the implications.
It’s important to understand that we’re not only focused on technologies but also on trends that impact technology. Here are some non-technological examples:
Data Sprawl
The explosive data growth generated by new technologies, businesses, and the world’s connected citizens. There is an impending crisis concerning how aggregators and companies use this data. There will be regulations coming to enforce privacy, enforce the tracking of fake data, and enforce ownership of and access rights to data. We see it as an ongoing issue that is more complicated when organizations and governments try to control it and enforce rules on something that flows easily across borders.
Regulations, Laws, and Right to Privacy
As we examine data sprawl, we still believe we can legislate some level of privacy for personal data. We expect these efforts to continue, along with the impact on the business of meeting these new regulatory requirements or facing substantial penalties and legal actions.
Growing Partnership between Public and Private Industry
Driven by threats significantly impacting business and citizens’ lives, we expect more laws and regulations will drive businesses and governments to work together. We are already seeing multiple countries develop different approaches to offering services, sharing threat intelligence, and possibly even providing cyber insurance to organizations. We expect these approaches will impact international companies, and some may withdraw from some locations due to these new requirements and the impact on operations.
We can apply this question to other technology trends, including generative AI. You and your team should ask how this technology will change business models, adversarial behavior, risk factors, and other dynamics. Your goal is to have the team exercise their curiosity about technology trends and use both formal and informal review sessions to analyze the implications and risks of these technologies. Ideally, these sessions are not just about opinions on technology but also informed by actual research. You and your team should back up your perspectives on how new technologies present new opportunities and new risks through some basic research and the appropriate citing of multiple resources.
Preparation for these sessions should be approached with discipline to ensure the right level of intellectual curiosity, rigor, and skepticism. Announce the topics to be covered in advance and, if possible, assign preparatory tasks to prospective attendees. These tasks could include conducting basic research about the topic, developing a business case for each relevant technology, and perhaps performing high-level threat modeling to initiate discussions about pilot programs or deployments involving that technology.
Building business cases and performing threat modeling are competencies we already possess. But this kind of research might be new to us. So how do we start? There are the usual suspects, of course. We’ve often alluded to the value of your human network. Start with your firm’s CTO, CIO, VP of Research, and other CISOs, CTOs, and CIOs you know. Chatting about these topics, formally or informally, can undoubtedly identify candidates, especially those that are more front-and-center. Next, check in with the Big 4 firms: Deloitte, PwC, Ernst and Young, and KPMG. They all publish material on emerging trends for their executive audience. In addition, research firms such as Gartner, Forrester, and McKinsey are referenced heavily in both CISO Desk Reference Guide volumes. Gartner, for example, sometimes includes very new technology in their reports and includes companies in those spaces in their Gartner Magic Quadrants.
We’ve also referred to the larger security conferences, such as Black Hat and RSA in the U.S. While most lectures you might attend address mainstream concerns, there are always some cutting-edge sessions. Those hunting for the exciting topics of tomorrow might have seen early-stage technologies such as generative AI and quantum computing show up several years before viable products emerged. Another source we have not yet touched on is our university system. In addition to using colleges and universities as a source of candidates, they are our premier research institutes. NIST and CISA, also heavily referenced by us, are open about new areas they are exploring. Research grant awards are often very publicly disclosed. Similarly, calls for research proposals by militaries are often public, as are patent awards.
Most of us have interacted with all or most of these organizations for different reasons, so we likely already have developed contacts or curated readily available news feeds. In many cases, it’s just a question of opening the funnel a little wider.
To see how the CISO Desk Reference Guide, Volume 2 fits into your reading journey, reference our reader's guide on our LinkedIn Company page: