Disruption on the horizon

Innovations in technology have been a prime agent of disruption throughout much of human history.  Advancements in materials science gave English archers, with their superior longbows, the advantage over the French in many conflicts during the Hundred Years War, such as the Battle of Agincourt.  In the late 2000s, the music industry was forced to reinvent itself or become irrelevant as technological advancements changed consumer consumption models.

As cyber security professionals, we are often caught in the wake of disruptive changes as a result of technology adoption (e.g. Cloud), changes in operational paradigms (e.g. DevOps), or regulatory/compliance developments (e.g. GDPR, CCPA, etc.).  Recognizing this, how can we proactively identify such changes before they start to impact our operations?  While practically any technology or process can potentially upend your security paradigm, currently cited examples of disruptive technologies typically include some, or all, of the following:

  • Edge computing
  • Disappearing perimeter
  • Distributed Ledger solutions
  • Machine Learning / AI
  • Quantum Computing
  • Infrastructure as Code / Software Defined Everything
  • 5G
  • Cloud / Microservices / Serverless Functions
  • IoT
  • Digital Transformation

In reviewing these technologies, we can see common themes begin to emerge. Regardless of the benefits or new business opportunities they may bring to the organization, these solutions, either individually or in combination, are also likely to:

  • Increase the attack surface of the organization
  • Create a skills gap in current IT and security staff
  • Become a double-edged sword by increasing the effectiveness of threat actors as well as organizational security staff
  • Bypass or undermine the effectiveness of existing physical or logical controls
  • Enable data proliferation prior to the availability of platform-specific, proven security controls or architectures
  • Expose gaps in security policies or business continuity plans which do not have a precedent established

For example, Quantum Computing will dramatically improve the efficiency of computation for certain kinds of workloads.  This leap forward in computing capabilities could lead to new discoveries in a number of fields.  However, Quantum Computing will also undermine the effectiveness of many of the current encryption solutions that have provided security for our communications and data transactions to date (https://www.businessinsider.com/7-emerging-technologies-that-cybersecurity-experts-are-worried-about-2019-10#quantum-computing-could-easily-crack-encryption-2).  State-sponsored threat actors will have access to such platforms very early on (and likely already do).  However, since broader access to such computing platforms will likely be made available in the cloud, other threat actor groups will be able to utilize these platforms sooner than you might think.

Given an organization’s compliance concerns, the risk posed to legacy encryption solutions for data at rest and in transit will likely require updates to security policies and requirements for how data is encrypted and potentially where encrypted data resides.  Even at a high level, this thought exercise illustrates how innovations can impact the technical and operational environments, but in this, not all businesses are created equal.

The degree of disruption caused by a technology innovation, or combination of innovations, is both industry dependent and business specific.  Revisiting the music industry example, the rise of compressed digital music formats, when combined with high-speed Internet access and multi-function mobile devices, effectively created an entirely new distribution channel for how music is delivered to consumers.  Digital downloads and streaming services undermined the controls inherent in the physical distribution channel.  This had devastating impacts on the ability of record companies to protect their intellectual property, but this combination of innovations had comparatively little impact on the construction industry, for example.

Even for solutions such as cloud computing, which one could argue have a more ubiquitous application across industries, the level of disruption will still be felt more acutely in industries that are highly regulated or have strong data privacy or intellectual property concerns.  And since each business in an industry will have a unique combination of operational considerations, security controls and maturity, the resulting impact will be unique to each organization.

Innovative teams and organizations that are early adopters of new tools and platforms will often outpace established security controls and policies.  How can we as security professionals get out in front of these trends and gauge how disruptive they may be, so that we are not playing catch-up?

One way is to build a model to see how specific use cases for new technologies could impact your business. Such a model could become complicated quickly; however, a simple version, such as the example shown below, can provide directional insight without a large time investment.  Gauging the potential disruption of technology combinations can be done by summing the impacts of individual technologies across a set of consistent use cases.

Technology: Technology X

Business and Operations Use Cases

| Impact               | Use Case 1 | Use Case 2 | Use Case 3 |
|----------------------|------------|------------|------------|
| Attack Surface       | +          | +          |            |
| Skills Gap           | +          | +          |            |
| Offensive Advantage  | 0          | +          | +          |
| Defensive Advantage  | 0          | -          | +          |
| Security Controls    | 0          | -          | +          |
| Data Proliferation   | +          | 0          | +          |
| Security Policy Gaps | -          | 0          |            |
| Compliance           | -          | +          | +          |

Increase = "+"

Decrease = "-"

Neutral = "0"
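The summing step described above, as an added example that is not part of the original article: it converts the "+", "-" and "0" cells to numbers and adds two technologies cell by cell. The Technology Y values and the hotspot threshold are constructed assumptions, and blank cells are treated as "not assessed" rather than neutral.

```python
SYMBOL = {"+": 1, "-": -1, "0": 0}
USE_CASES = ["Use Case 1", "Use Case 2", "Use Case 3"]
# Technology X: cells from the article's table; "" is a cell left blank there.
TECH_X = {
    "Attack Surface":       ["+", "+", ""],
    "Skills Gap":           ["+", "+", ""],
    "Offensive Advantage":  ["0", "+", "+"],
    "Defensive Advantage":  ["0", "-", "+"],
    "Security Controls":    ["0", "-", "+"],
    "Data Proliferation":   ["+", "0", "+"],
    "Security Policy Gaps": ["-", "0", ""],
    "Compliance":           ["-", "+", "+"],
}
# Technology Y: constructed sample values, not from the article.
TECH_Y = {
    "Attack Surface":       ["+", "0", "+"],
    "Skills Gap":           ["+", "+", "0"],
    "Offensive Advantage":  ["+", "0", "-"],
    "Defensive Advantage":  ["0", "+", "0"],
    "Security Controls":    ["-", "+", "0"],
    "Data Proliferation":   ["+", "+", "0"],
    "Security Policy Gaps": ["+", "0", "+"],
    "Compliance":           ["0", "-", "+"],
}

def to_scores(matrix):
    # "+"/"-"/"0" -> +1/-1/0; blank -> None (not assessed); bad symbol -> KeyError.
    return {impact: [SYMBOL[c] if c else None for c in cells]
            for impact, cells in matrix.items()}

def combine(*matrices):
    # Cell-by-cell sum across technologies -> {impact: [(total, n_assessed), ...]}.
    scored = [to_scores(m) for m in matrices]
    combined = {}
    for impact in scored[0]:
        cols = zip(*(s[impact] for s in scored))  # one tuple per use case
        assessed = [[v for v in col if v is not None] for col in cols]
        combined[impact] = [(sum(a), len(a)) for a in assessed]
    return combined

def hotspots(combined, threshold=2):
    # Cells where the technologies reinforce each other (|total| >= threshold).
    return sorted((impact, USE_CASES[i], total)
                  for impact, row in combined.items()
                  for i, (total, _) in enumerate(row) if abs(total) >= threshold)

if __name__ == "__main__":
    for impact, use_case, total in hotspots(combine(TECH_X, TECH_Y)):
        print(f"{impact:22} {use_case}: {total:+d}")
```

A total of 0 from two assessed technologies can mean opposing impacts rather than none, so read the assessed count and the per-technology rows alongside the sum.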

Identification of potentially disruptive technologies and trends must be done on an ongoing basis.  Research and commentary from industry is abundant and will help IT security teams stay on top of developments.  And as always, security should work closely with counterparts in the legal and procurement functions of the organization so that any near-term technology acquisitions that might have escaped security review can be identified.  But as leaders, we must take this a step further.  By working with our counterparts in the business and operational areas of the organization, we have the opportunity to translate trends into impacts specific to our organization.  A few ideas on how to accomplish this:

  • Hold blue-sky white-boarding sessions once a quarter and invite a diverse, cross-business function group of people to attend.  
  • Change up the invitees to get different views. 
  • Embrace gamification; offer a prize and invite the entire organization to play. 

Even if the resulting ideas are aspirational in nature, the concepts could be signposts to watch for.   Perhaps most importantly, let go of pre-existing limitations and constraints; after all, this is about the future. 

References:

https://www.darkreading.com/edge/theedge/5-disruptive-trends-transforming-cybersecurity/b/d-id/1335949

https://www.analyticsinsight.net/how-disruptive-technologies-are-transforming-the-cyber-security-landscape/

https://www.investopedia.com/terms/d/disruptive-technology.asp

https://www.bizcatalyst360.com/disruptive-technologies-a-challenge-for-cybersecurity/

https://www.businessinsider.com/7-emerging-technologies-that-cybersecurity-experts-are-worried-about-2019-10#quantum-computing-could-easily-crack-encryption-2
