Risk | Commentary
4/9/2019 10:30 AM
Rick Holland

Stop Mocking & Start Enabling Emerging Technologies

Mocking new technology isn't productive and can lead to career disadvantage.

As security leaders, do we spend as much time trying to understand our businesses as we do trying to understand the threats we face? It seems that we focus intently on emerging threats, but what about emerging technology?

Successful adoption of emerging technology can lead to a competitive advantage. Yet we CISOs have a history of lambasting emerging technologies, from cloud and mobile to machine learning and now blockchain, discounting their value as "pure hype." This habit of mocking new technology isn't productive and can lead to career disadvantage.

Think about this scenario. A web application that is integral to a major new marketing campaign is about to launch and the security team is asked to assess it at the last minute. Sound familiar? As frustrating as this is, this scenario happens on a larger scale as a matter of course when it comes to emerging technology. Why?

A Digital Disconnect
As companies consider the role of emerging technology in their digital transformation journeys, security teams are often sitting on the sidelines. A lack of engagement with the business is a major contributing factor. Many security leaders still haven't made the time to understand how the company operates, how it generates revenue, and how it plans to continue to grow. Also to blame is the security community's kneejerk response of bashing and discrediting emerging technologies. Blockchain is just the latest example. There are legitimate use cases for blockchain; supply chain management is just one.

One of the primary roles of security leaders is to understand and effectively communicate risk. Scoffing when another new technology emerges prevents us from doing this. Instead, we need to better understand the benefits so that our revenue-generating business partners can safely utilize them.

Brace for Impact
Autonomous vehicles, consumer Internet of Things devices, 5G, 3-D printing, and drones are just a few of the new technologies highlighted at this year's Consumer Electronics Show. They're on the verge of going mainstream now and should already be on your radar if your business can take advantage of them in any way. For some technologies in earlier stages of development, check out Soonish: Ten Emerging Technologies That'll Improve and/or Ruin Everything by Kelly and Zach Weinersmith. Think about the security implications associated with bioprinting or, even further out, brain computer interfaces.

In this "The World Is Flat" global environment, security leaders must understand that emerging technology can lead to first-mover and competitive advantage. How can CISOs prepare for the risks that new technologies can introduce to the organization? Here are five lessons I've learned that can help:

  1. Don't just focus on the adversary; focus on your business. Spend time talking to business leaders to truly understand how your company operates. Review marketing plans, technology road maps, financial reports, forecasts, and business development plans. Build a relationship with a board member to understand longer-term goals and pressures on the business. If you don't understand your business model, you have little chance of building an effective threat model for your program.
  2. Do more "homework" by talking to internal resources. Meet with the CTO and line-of-business CTOs periodically because those teams assess new technologies. If your business has an enterprise architecture team, try to get one of your resources regularly engaged with team members. Those teams are at the forefront of digital transformation initiatives, and security and privacy should be key components of those efforts. Many organizations start their annual planning in late summer, so use budget season to your advantage. Work with business leaders to understand the emerging technology they want to deploy and are including in their upcoming budgets.
  3. Make a concerted effort to track emerging technology. Get on the road and start attending conferences focused on your industry and the new technologies and services that are becoming available to address challenges and create opportunities. Reading what industry analysts have to say about top emerging technologies to watch is a good way to know if you've covered your bases. You should also monitor early adopters in your space by looking at their Securities and Exchange Commission filings, annual reports, and press releases. You can use Google alerts to track them. Of course, if you're learning from your competitors then chances are you're already late to the game — but it's better to know than not.
  4. Start understanding the risks of emerging technology. Actually using a new technology is the best way to see how it may introduce risk to your organization. Get it into one of your labs or talk to the business engineers who already have it in their labs to leverage their knowledge and expertise. If you don't have the skill set, resources, or time, then work with consultancies or security researchers to take advantage of their capabilities so you can get up to speed faster.
  5. Finally, don't believe the hype. Just because #INFOSEC Twitter makes fun of something doesn't mean you should discount it. Don't blindly buy into the negative hype around emerging technology. Ubiquitous vendor marketing also does us no favors as it predisposes us to cynicism. Skepticism is OK, just be objective as you evaluate the emerging technology.

Remember, it is our job to understand and communicate the risk of emerging technologies. An approach like Gandalf the Gray screaming "you shall not pass to emerging technology" is not advisable. Your organization, and your career, are better served with something like, "you can pass; however, we need to make sure that you understand the risks associated with taking this path."

Rick Holland has more than 14 years experience working in information security. Prior to joining Digital Shadows, he was a vice president and principal analyst at Forrester Research, providing strategic guidance on security architecture, operations, and data privacy.