Since the dawn of time, our inquisitive nature has resulted in new advancements and innovations in technology that have kept pace with the evolution of mankind.
From the primitive tools of the Stone Age that were core to the creation of knives and forks to the evolution of the first message sent via Morse code that eventually became the modern-day smartphone, technology has always had to reinvent itself out of fear of becoming inadequate.
In the cybersecurity industry, we witness first-hand the technological advances that often spread across to other sectors, like digital transformation and the increased adoption rates of cloud and serverless environments. Furthermore, the variations in operational paradigms (i.e. DevOps), or regulatory/compliance developments (i.e. GDPR, CCPA, etc.), also create their own catalysts for change.
Yet, there is already a new wave of technologies knocking on the virtual door that will certainly disrupt and change the business modus operandi. For instance, the arrival of 5G, further advancements in machine learning and artificial intelligence, and the power of quantum computing. Yes, these new technologies will be significant in providing benefits and new opportunities for businesses but there is an alternative perspective for consideration.
With the adoption of many new technologies, the attack surface increases, creating more avenues for hackers to strike. They will also place further demand on an already crippling skills gap within the IT sector as well as place more strain on understaffed security teams who will have to get up to speed with managing the new solutions that embrace these technologies. There is also the risk that newer technology will bypass or undermine the effectiveness of existing physical or logical security controls. And that’s not to mention the gaps that could be exposed in security policies or business continuity plans, which may not already have a precedent established.
Take quantum computing, which is widely touted as the future of computation. Its arrival is expected to usher in a new era of discoveries and possibilities while dramatically improving the efficiency of certain workloads. Nevertheless, its capabilities will weaken the effectiveness of many current encryption solutions that have provided security for our communications and data transactions to date; a concern is that some state-sponsored threat actors may already have access to such technology and could unleash attacks that harness quantum power.
Furthermore, there are compliance concerns which would arise given the risk posed to legacy encryption solutions for data at rest and in transit. Any changes here will likely require updates to security policies and requirements for how data is encrypted, and potentially where encrypted data resides. With data privacy and security regulations requiring strict adherence, with fines for non-compliance potentially rising into the millions, organisations can ill afford such technological developments to drastically impact the technical and operational environments.
However, not all businesses are created equally, and the degree of disruption caused by an innovation in technology, or a combination of innovations, is both industry-dependent and business-specific.
If you examined how cloud solutions are sweeping across various industries, its technology – one could argue – can be suited to a wide variety of businesses. However, the level of disruption caused by adopting the cloud is dependent on specific industries that have strict data security and privacy laws, especially in regard to sensitive or personal data i.e. HIPPA or PCI DSS. And since each business in an industry will have their own combination of operational considerations, security controls and maturity, the resulting impact will be unique to each organisation.
While some teams and businesses get ahead of the curve when adopting new solutions and can quickly sync security controls and policies so that disruption is kept to a minimum, these are often few in number. So, as a wider industry, how can we – given we are at the beginning of the curve of new up and coming trends – create a process to help determine early enough how disruptive a technology could be to business operations and security?
A methodical analysis which provides directional insight into a particular technology and its business and operational use cases can help identify whether it will positively or negatively impact the organisations’ overall attack surface. This analysis can also help determine if strain will be placed on the security workforce, whether it complements or makes redundant current security controls, exposes or closes security policy gaps, and aids the organisation’s desire to meet compliance.
Not all businesses are created equally, and the degree of disruption caused by an innovation in technology, or a combination of innovations, is both industry-dependent and business-specific
It is advisable to dedicate time to identifying disruptive technologies as it requires continuous monitoring. If need be, hold quarterly or monthly meetings with individuals from various business backgrounds to form a functional group to discuss technological developments in sectors that may be applicable to your business.
Take note of analyst reports, research and commentary from within the industry which will help your IT security teams stay on top of new announcements. As always, security should work closely with counterparts in the legal and procurement functions of the organisation so that any near-term technology acquisitions that might have escaped security review can be identified. However, as leaders, we must take this a step further. By working with counterparts in the business and operational areas of the organisation, there is the opportunity to positively impact the organisation.
In following this proactive strategy, businesses will have laid the foundations for the organisation to be at the forefront should a new disruptive technology present itself on the horizon. Even if the resulting ideas are aspirational in nature, the concepts could be signposts to watch for. Perhaps most importantly, when looking to the horizon for possible disruptions, leaders should let go of pre-existing limitations and constraints; after all, this is about the future.
Mike Klepper
National Practice Director for Application Security, Threat & Vulnerability Management, AT&T Cybersecurity Consulting