Dark Reading is part of the Informa Tech Division of Informa PLC



10:30 AM
Rick Holland

Stop Mocking & Start Enabling Emerging Technologies

Mocking new technology isn't productive and can lead to career disadvantage.

As security leaders, do we spend as much time trying to understand our businesses as we do trying to understand the threats we face? It seems that we focus intently on emerging threats, but what about emerging technology?

Successful adoption of emerging technology can lead to a competitive advantage. Yet we CISOs have a history of lambasting emerging technologies — cloud, mobile, machine learning, and now blockchain — discounting the value as "pure hype." This practice of mocking new technology isn't productive and can lead to career disadvantage.

Think about this scenario. A web application that is integral to a major new marketing campaign is about to launch and the security team is asked to assess it at the last minute. Sound familiar? As frustrating as this is, this scenario happens on a larger scale as a matter of course when it comes to emerging technology. Why?

A Digital Disconnect
As companies consider the role of emerging technology in their digital transformation journeys, security teams are often sitting on the sidelines. A lack of engagement with the business is a major contributing factor. Many security leaders still haven't made the time to understand how the company operates, how it generates revenue, and how it plans to continue to grow. Also to blame is the security community's knee-jerk response to bash and discredit emerging technologies. Blockchain is just the latest example. There are legitimate use cases for blockchain; supply chain management is just one.

One of the primary roles of security leaders is to understand and effectively communicate risk. Scoffing when another new technology emerges prevents us from doing this. Instead, we need to better understand the benefits so that our revenue-generating business partners can safely utilize them.

Brace for Impact
Autonomous vehicles, consumer Internet of Things devices, 5G, 3-D printing, and drones are just a few of the new technologies highlighted at this year's Consumer Electronics Show. They're on the verge of going mainstream now and should already be on your radar if your business can take advantage of them in any way. For some technologies in earlier stages of development, check out Soonish: Ten Emerging Technologies That'll Improve and/or Ruin Everything by Kelly and Zach Weinersmith. Think about the security implications associated with bioprinting or, even further out, brain computer interfaces.

In this "The World Is Flat" global environment, security leaders must understand that emerging technology can lead to first-mover and competitive advantage. How can CISOs prepare for the risks that new technologies can introduce to the organization? Here are five lessons I've learned that can help:

  1. Don't just focus on the adversary; focus on your business. Spend time talking to business leaders to truly understand how your company operates. Review marketing plans, technology road maps, financial reports, forecasts, and business development plans. Build a relationship with a board member to understand longer-term goals and pressures on the business. If you don't understand your business model, you have little chance of building an effective threat model for your program.
  2. Do more "homework" by talking to internal resources. Meet with the CTO and line-of-business CTOs periodically because those teams assess new technologies. If your business has an enterprise architecture team, try to get one of your resources regularly engaged with team members. Those teams are at the forefront of digital transformation initiatives, and security and privacy should be key components of those efforts. Many organizations start their annual planning in late summer, so use budget season to your advantage. Work with business leaders to understand the emerging technology they want to deploy and are including in their upcoming budgets.
  3. Make a concerted effort to track emerging technology. Get on the road and start attending conferences focused on your industry and the new technologies and services that are becoming available to address challenges and create opportunities. Reading what industry analysts have to say about top emerging technologies to watch is a good way to know if you've covered your bases. You should also monitor early adopters in your space by looking at their Securities and Exchange Commission filings, annual reports, and press releases. You can use Google alerts to track them. Of course, if you're learning from your competitors then chances are you're already late to the game — but it's better to know than not.
  4. Start understanding the risks of emerging technology. Actually using a new technology is the best way to see how it may introduce risk to your organization. Get it into one of your labs or talk to the business engineers who already have it in their labs to leverage their knowledge and expertise. If you don't have the skill set, resources, or time, then work with consultancies or security researchers to take advantage of their capabilities so you can get up to speed faster.
  5. Finally, don't believe the hype. Just because #INFOSEC Twitter makes fun of something doesn't mean you should discount it. Don't blindly buy into the negative hype around emerging technology. Ubiquitous vendor marketing also does us no favors as it predisposes us to cynicism. Skepticism is OK; just be objective as you evaluate the emerging technology.

Remember it is our job to understand and communicate the risk of emerging technologies. An approach like Gandalf the Gray screaming "you shall not pass to emerging technology" is not advisable. Your organization, and your career, are better served with something like, "you can pass; however, we need to make sure that you understand the risks associated with taking this path."


Rick Holland has more than 14 years of experience working in information security. Prior to joining Digital Shadows, he was a vice president and principal analyst at Forrester Research, providing strategic guidance on security architecture, operations, and data privacy. Rick ...
