The potential of blockchain technology has inspired hype and buzz for years. However, we are really starting to see implementation in various sectors. Use cases have been extremely beneficial in industries such as banking, healthcare, and security. One such industry where the technology is gaining prevalence is travel and hospitality. Although we have not seen any full-blown disruption there just yet, this could be on the horizon. Technically, these can be considered two separate industries, but for practical purposes can be grouped together.
Advantages of Blockchain
Blockchain is essentially a publicly available ledger, or list of digital archives, where individual records are stored namelessly and permanently. The individual records, or “blocks,” are crypted while uploading, so once the information has been logged in the blockchain, it is permanent and cannot be altered or erased. That is also what makes it so unique as all the data available on blockchain is decentralized and is shared through a peer-to-peer network.
Below are some of the key advantages of blockchain:
- Transparency – All the individual pieces of data come together to form a digital ledger. Since the data is hosted on a peer-to-peer network, this ledger is accessible to everyone. Essentially, everyone on the network can always access all data.
- Security – A blockchain can potentially be one of the most secure and protected forms of data storage. All the data on the network is not only encrypted but is also linked to the previous transaction on the ledger. Additionally, the data is stored across various devices on the network, protecting it from hackers.
- Cost-effective – Blockchain will help you reduce your business cost by a fraction on many fronts. Firstly, you no longer need third parties to manage transactions and keep records. Also, you will be able to track your functioning in a more meticulous manner that will reduce discrepancies.
- Efficient – Since all the data is available on one ledger, the amount of clutter and unnecessary documents and files are reduced substantially. At the same time, it is also easier to track your data when you need it instead of going through stacks of files.
Blockchain in the Travel Industry
Below are the ways in which blockchain is being implemented in the travel industry:
- Payments – Certainly one of the most prominent uses of blockchain is in digital payments, and the same goes for the travel industry. The payments are secured and trackable through the blockchain network and at the same time very convenient. This can be done through a mode of cryptocurrency or even through a streamlined bank payment method that is an upgrade from the traditional approach.
- Security – This is a very important and sensitive aspect of travel, and blockchain is making an impact here as well. The blockchain can store data and ID information of every passenger and identify potential threats. Used properly, this technology has the potential to drastically decrease check-in times and queues in airports, as a simple retina scan or fingerprint can be used instead of documents.
- Tracking luggage – Every so often, passenger luggage does end up getting misplaced or sent to an incorrect location. Such problems and other such logistical challenges can be managed thanks to the blockchain technology. The decentralized nature of the database can help companies share the information to the benefit of everyone involved, especially in flights where luggage changes hands several times.
- Loyalty program – Loyalty programs are very important for many frequent travelers and help the companies generate a significant amount of revenue. With the help of blockchain, these programs can be made better by simplifying the process of earning and redeeming reward points. The access and distribution of reward points can also be simplified thanks to this technology, as they can be made available anytime and anywhere.
Current Examples of Blockchain in the Travel Industry
Although blockchain does have unlimited potential for future technologies, it is already being implemented in many businesses today:
- LockChain – This is a marketplace that allows individuals and businesses to rent out their spaces and property. Thanks to the decentralized nature that eliminates the middlemen, there is no commission fee charged. This is a business that can potentially disrupt the industry and challenge companies like Airbnb, Booking.com, etc.
- TUI – Tourism company TUI can maintain and manage inventory through the use of blockchain. TUI is one of the few mainstream tourism companies to fully commit to the tech and is now seeing the benefits.
- Trippki – As mentioned earlier, loyalty programs are the cornerstone of any good hospitality company. Trippki offer TRIP tokens to users and is now being powered by blockchain technology. Once again, since there is no third party involved, there is a direct connection between the company and its consumers.
- ShoCard – One of the uses of blockchain is in the identity management space, which is where ShoCard has been implemented. Customer ID details can be uploaded and then shared or retrieved at any time to verify their identity. This not only helps with security but is also very convenient and efficient.
Though these are just a few examples of blockchain’s potential, there is so much more to come. Since it is a recent technological advancement, we have only been able to scratch the tip of this potential iceberg. According to some forecasts, the global blockchain market is expected to be worth US$20 billion by 2024. With new industries and new use cases coming up every day, it won’t be long before most of the consumer base starts interacting with this technology on their travels and beyond.
Author’s note: Harsh Arora is a proud father of four rescue dogs and a leopard gecko. Besides being a full-time dog father, he is a freelance content writer/blogger and a massage expert who is skilled in using the best massage gun.
Cyber risk has understandably become a focal point for enterprise risk managers, but the risk landscape is multi-layered and extends beyond the realm of cybersecurity. In addition to contending with a daunting array of cyberthreats, enterprises are determining how much risk they are willing to accept in deploying emerging technologies, working through a heightened focus on customer privacy and adjusting to changes in the regulatory environment.
New industry research from ISACA, CMMI Institute and Infosecurity shows that enterprises are struggling to manage and optimize their risk, not only when it comes to confronting cyber risk, but in gathering a firmer handle on the holistic enterprise risk environment. Below is my perspective on three data points from the research that I found to be particularly significant:
The shifting threat landscape is wreaking havoc. Changes/advances in technology and changes in types of threats were pinpointed by survey respondents as the top two cybersecurity challenges organizations face today, even moreso than other response options, such as too few security personnel and inadequate security budgets.
This data point reinforces that the unprecedented pace of technological change – and the corresponding domino effect on the threat landscape – is placing a heavy strain on the capabilities of enterprises to effectively and securely leverage these new technologies. Security and enterprise risk programs that were sufficient five years ago – or, in some cases, maybe even five months ago – can be inadequate in holding up to new risks that emerge.
Risk management is about optimizing risk, not removing it from the equation altogether, so these challenges should not preclude enterprises from thoroughly testing and exploring how emerging technologies can be deployed to create efficiencies and spark innovation.
The ISACA study found that while nearly two-thirds of respondents’ have defined processes for risk identification, only 38 percent feel that those processes are at either the managed or optimized level of the maturity spectrum for risk identification. This points to a high adoption, but low optimization trend, demonstrating room for improvement in terms of enterprises actually taking action to address risk, and not just setting up the framework.
Security and risk professionals must revisit their processes, pursue the ongoing training and knowledge resources needed to understand how these technologies are reshaping the risk environment, and communicate those risks clearly to enterprise decision-makers who might be tempted to green-light deployments based on market pressures without first conducting the needed level of due diligence.
Cloud was identified as the emerging technology that most increases risk. By an overwhelming margin, cloud is deemed to be the technology that most expands risk (70 percent of respondents say it increases risk, compared to the next highest response option, Internet of Things, which came in at 34 percent).
As the survey report notes, “There is a good reason why the cloud percentage is so high – practitioners are intimately familiar with the challenges of cloud, including compliance and regulatory challenges, data sovereignty, lack of direct operational control over service provider environments, shadow adoption, and numerous other pain points.”
Essentially, cloud-related risk is much more of a known commodity than risk related to more recent, emerging technologies. However, if organizations align their cloud projects to business strategies and provide relevance governance oversight, cloud risk can be appropriately mitigated.
This data point also raises questions about how technologies that are less mature than cloud – such as artificial intelligence and blockchain – will impact enterprise risk as adoption increases and more use cases arise. Each technology brings its own set of risks and potential misuses that will need to be accounted for in enterprises’ risk programs.
Reputational risk should not be overlooked. Respondents identify reputational risk as the second-most critical area of risk facing their organizations today, behind only information/cybersecurity risk. While respondents naturally identify cyber risk as a leading concern, given the volume and increasing sophistication of the current threat landscape, ultimately, reputational risk can have an even longer-term impact on an organization. There are countless examples of enterprises that have become embroiled in a public relations crisis and never fully recovered – or if they do, only after several years of concerted time and expense dedicated to rehabilitating their brand image.
Of course, cyber risk and reputational risk often go hand-in-hand, given that the fallout from major breaches and other cyber incidents can have a direct and serious impact on an enterprise’s reputation with customers and the general public. But reputational damage also can arise from a variety of other sources, such as fiscal mismanagement, penalties from regulatory compliance oversights and a lack of transparency with customers when it comes to how their personal data is being leveraged.
Even greater challenges ahead
The considerations mentioned above are just some of the many topics that enterprise risk leaders will need to work through in the 2020s and beyond. The risk environment will only become more complex in the new decade, as the aforementioned pace of technology-driven change will further accelerate, with the evolving cybersecurity landscape and the rise of AI factoring prominently into that equation. Managing and optimizing risk have long been essential objectives for high-performing enterprises, but the stakes are rising – as is the degree of complexity.
Editor’s note: This post originally appeared in CSO.
Based upon my experience in Enterprise Risk Management, I was not surprised to see respondents to new State of Enterprise Risk Management research from ISACA, CMMI Institute and Infosecurity identify risk identification and risk assessment to be the most employed risk management steps in their organizations. Nor was I surprised to see that only 38 percent of respondents indicate that their enterprises have processes at either the managed or optimized level for risk identification. In my experience, this happens often due to the suboptimal execution of the risk identification process.
As the report states in the Executive Summary, “Risk management is about optimizing risk rather than removing it entirely.” It has always been my belief that risk management serves two purposes. The first is to keep the enterprise from stepping unwittingly into a big pothole. The second is to provide the executive team with the last best piece of information required to optimize the use of risk capital across the enterprise.
In order to successfully deploy an enterprise risk framework across an organization, it is always best to be practical and expedient to the extent allowed by your regulatory environment. Where I have seen this go wrong most often is in the deployment of an enterprise-wide risk assessment. I’ve seen instances where an enterprise assessment completely missed accounting for the biggest risks, usually produced by enterprises that do not have the right participation from top management. Further, I’ve seen enterprise assessments get so detailed as to tie the organization into knots. A friend in the consulting business told me of a project in which an unnamed regional bank was in the process of unwinding a risk assessment that had paralyzed the institution with 52,000 items of identified requiring remediation. A risk assessment run amok ties up valuable resources in an endless loop leading to the suboptimal allocation of resources within the business as well as risk management.
Below are several (what I hope are) practical recommendations to try to avoid this phenomenon.
1. Big risks can be ignored when the right people aren’t in the room for the conversation. Start at the highest level within the organization and get the people in the room that own the risk from the top down. This keeps the right themes in play and avoids the well-meaning though less informed from dragging the exercise down to a mind-numbing level of tedium. A risk assessment needs to be the business or operating function’s view, guided and respectfully challenged by risk management. Including the right people in the process from the outset creates buy-in to and ownership of the results.
2. When constructing your risk assessment, keep to a five-box chart. Anything greater invites a significant amount of conversation parsing the shades of gray while providing immaterial benefit.
3. A risk assessment is NOT a SOX process. This is not about curing control deficiencies; this is about managing risk to an acceptable level after controls have been put into place. After you have determined the Residual Risk Rating in a risk assessment, there should be an evaluation as to whether or not a risk is “worth” fixing from a financial, reputational or strategic perspective.
4. In your enterprise risk framework, include a formal Risk Acceptance process. Here is where you may declare that as an organization any residual risks that end up in the lower-left quadrant may be risk accepted and no steps need be taken to cure. If this risk acceptance process is well documented, reasonable and supportable, it should pass muster with any regulator. A risk assessment should be reevaluated annually to keep an eye on risk migration.
5. Make sure that the Impact and Likelihood scales reflect the size and maturity of the organization and are clearly discussed and agreed upon by all participants through the risk governance process. This will help keep the minutia and disagreements from creeping into the process. Consult your finance team or head of investor relations (if publicly traded) to obtain a sense of what external constituents may feel is material when constructing a table for discussion. Another suggestion is to listen to your company’s earnings call, if publicly traded, and pay attention as to how earnings are discussed and the questions asked by the analyst community. It will tell you what rises to the level of materiality to your shareholders.
View large table.
6. Agree that the risks in the upper right-hand quadrant of the Residual Risk chart have the highest priority with regard to mitigation strategies and deal with those first. Provide a reasonable expectation and timeframe for the moderate risks.
7. Be sure that executive management and the board agree and sign off on the results of the final risk assessment, including the scales used in your charts and the risk acceptance process.
An appropriate risk assessment process is a valuable tool in managing enterprise risk. Improperly deployed, it can result in poor allocation of resources. I am confident enterprises would prefer resources spent on mitigating material risk issues rather than doing risk assessments that add little marginal value. Enterprise Risk Management should be a partner with the business in ensuring an appropriate risk-adjusted return is made for the entity’s constituency. It is inevitable that a natural tension exists in that relationship, but reasonability, transparency and participation create buy-in into the process and ownership in the results.
In today’s environment, companies all over the globe are experiencing culture risk. Yes, culture indeed has an impact on risk and every company has a unique culture. The key is to understand it, manage it, and leverage it when possible to obtain competitive advantage. Every company is faced with both positive and negative risk – that is, threats and vulnerabilities that could adversely impact the organization, its reputation and stock value, as well as opportunities that could have a positive impact. While there are many factors that impact the risks that a company faces, many times business leaders overlook and underestimate the impact of company culture.
So, what makes up company culture? Company culture is the character of a company. It sets the tone of the environment in which employees work daily. Company culture includes a variety of elements, including company strategy, mission, vison, value, policies and behaviors. Recently, many major organizations like Google and Microsoft are revamping policies and procedures to address issues such as sexual harassment, racism, and discrimination because of the negative impact these cultural behaviors have had on the overall success of the company. Policies and procedures are tools that can be used to hold individuals accountable for their behavior. The key is ensuring that everyone adheres to the rules. It is also important to visibly reward good behavior and punish bad behavior on a consistent basis.
Once policies and procedures are put in place, it is important to gauge their effectiveness. Are the policies being followed and do they need to be modified in any way? Organizations that are truly committed to the idea will institute monitoring mechanisms to ascertain this information. Oversight and reporting tools that are properly implemented will allow employees at all levels to feel free to report breaches without fear of retribution. The actions of the oversight function to move quickly and consistently on reports will encourage a culture of accountability. The lack of such functions leaves an enterprise at risk of high-turnover, unmotivated employees, and even potential lawsuits. Tools and procedures such as anonymous hotlines, required compliance training, and explicitly stated company values could be viewed as ways to mitigate such risk.
Simply instituting tools, policies, and procedures could be largely ineffective if the organization’s leadership doesn’t first take a long hard look at the current state of affairs. What is the employee demographic (age, gender, educational status, etc.)? Understanding backgrounds and human behavior can be key to having a clear picture of the culture within an enterprise. For instance, studies have shown that millennials view and respond to the world, including the workplace, in a very different way than older professionals. Understanding people helps an organization refine its culture, including the inherent risks associated with it.
There are many factors that typically impact the culture of an organization, including industry regulations, the competitive environment and economic climate. These factors have direct and indirect influence on how people make decisions on a daily basis. Leadership should set clear expectations about what is acceptable behavior in light of these factors. Influencing culture is not easy and can be time-consuming and costly. However, the cost of doing nothing can be even greater.
The benefits that can be realized from using third parties to support the delivery of products and services are always part of any good sales pitch by prospective vendors. Often these benefits include reductions in operational spend, scalability, improved delivery time, specialized capabilities, and the availability of proprietary tools or software, all of which equate to a competitive advantage for companies leveraging third-party relationships effectively.
Companies recognize and capitalize on these advantages: A study in 2017 of nearly 400 private and public companies reported that two-thirds of those companies have over 5,000 third-party relationships, according to a report released by the Audit Committee Leadership Network. This staggering statistic illustrates how deeply organizations have come to rely on third parties for everything from back-office activities (payroll, help desk, business continuity infrastructure, etc.) to customer-facing roles (call center, sales and distribution, marketing, etc.). But this heavy reliance also elevates third-party risk management from a “nice to have” capability to a business imperative.
While these relationships provide the opportunity for an organization to realize significant benefits, they also introduce a number of potential risks. Before deciding to outsource responsibilities, business leaders must have a broad understanding of their organization’s risk landscape and develop an approach to evaluate the risks introduced by using third parties. Shifting the focus from saving money to creating value is one way companies can start thinking differently about how they manage third parties.
How Do I Know What I Should Outsource?
The most essential step is knowing the value your organization brings to the market.
As an example: If your company is known for developing and distributing high-quality instruments, outsourcing your manufacturing operations is not the best place to start. Issues with that third-party relationship are likely to be customer-facing and impact your hard-earned reputation for precision and quality. Additionally, the skillsets and facilities required to manufacture your product may not be widely available, making your business effectively a hostage of your vendor.
In contrast, if you decide to outsource a function like a payroll, even though poor performance might be an annoyance for employees, it is easily remedied by switching to one of the many alternatives available. There also is no direct customer impact in the short term, so your reputation remains intact.
The most successful outsourcing relationships allow companies to focus on the value they deliver to the market by outsourcing activities that require significant resources or specialized abilities but are outside an organization’s core competencies and not aligned with their long-term strategic vision.
How Should I Perform Due Diligence on Potential Third Parties?
Once you have identified which processes can be outsourced as well as their inherent risks, you can begin performing due diligence on potential vendors. The level of due diligence should be tailored to the significance of the relationship as well as the potential risks it poses. Document your requirements and request prospective vendors to address each item directly, rather than allowing the vendor to give you their boilerplate sales pitch, as they are typically designed to gloss over or avoid known weaknesses. Make sure you are comfortable with any capability or control gaps and have considered whether internal resources can shoulder the additional burden.
We Have Selected a Third Party to Engage – Now What?
Once you have determined the process to be outsourced, identified the inherent risks associated with that process, performed your due diligence, and selected a vendor, it is time to formalize the relationship with a contract – typically a Statement of Work (SOW) – that includes both adequate safeguards and defined performance targets.
Those charged with contract negotiation (typically Legal and/or Procurement) need to be acutely aware of the value you expect the third party to provide to structure an effective contract. To avoid potential conflicts of interest, purchasing managers should not be responsible for negotiating vendor contracts without oversight, as they are often incentivized by operational goals, and less likely to consider the broader enterprise risk landscape.
While most vendor contracts contain defined Service Level Agreements (SLAs) for operational metrics, like timeliness and accuracy, they often don’t include provisions like the mandatory disclosure of system/data breaches, timely communication of relevant audit observations, insurance requirements, periodic reporting on financial viability, etc., leaving organizations in a tough spot when issues stemming from a third-party relationship arise.
How Can I Make Sure My Outsourced Provider Is Meeting Expectations and Minimizing the Inherent Risk to My Organization?
The best way to illustrate this step is to steal from an old cliché: “Treat others how you wish to be treated.” That is, if you want your third parties to share your values and protect the interests of your organization that same way you would, not only is it important to formalize critical details of the relationship in the contract but also to help them understand the business context around the service they provide. The more you treat your third parties like partners rather than vendors, the more likely they are to perform in line with your organization’s values. Mix in a reasonable number of SLAs designed around the identified risks with clearly assigned accountability for monitoring SLA performance, and you will be positioned to identify threats or emerging risks that could impact your organization before they damage your bottom line – or worse – end up as front-page news.
Editor’s note: For additional insights on the topic, download ISACA’s recent white paper on managing third-party risk.
All too often, IT and risk management professionals seem to be speaking a different language—that is, if they even speak at all. Bridging the Digital Risk Gap, the new report jointly authored by RIMS, the risk management society®, and ISACA, promotes understanding, collaboration and communication between these professionals to get the most out of their organizations’ technological investments.
Digital enterprise strategy and execution are emerging as essential horizontal competencies to support business objectives. No longer the sole purview of technical experts, cybersecurity risks and opportunities are now a core component of a business risk portfolio. Strong collaboration between IT and risk management professionals facilitates strategic alignment of resources and promotes the creation of value across an enterprise.
ISACA’s Risk IT Framework acknowledges and integrates the interaction between the two professional groups by embedding IT practices within enterprise risk management, enabling an organization to secure optimal risk-adjusted return. In viewing digital risk through an enterprise lens, organizations can better realize a broader operational impact and spur improvements in decision-making, collaboration and accountability. In order to achieve optimal value, however, risk management should be a part of technology implementation from a project’s outset and throughout its life cycle. By understanding the technology life cycle, IT and risk management professionals can identify the best opportunities for collaboration among themselves and with other important functional roles.
IT and risk management professionals both employ various tools and strategies to help manage risk. Although the methodologies used by the two groups differ, they are generally designed to achieve similar results. Generally, practitioners from both professions start with a baseline of business objectives and the establishment of context to enable the application of risk-based decision making. By integrating frameworks (such as the NIST Cybersecurity framework and the ANSI RA.1 risk assessment standard), roles and assessment methods, IT and risk management professionals can better coordinate their efforts to address threats and create value.
For example, better coordination of risk assessments allows organizations to improve performance by identifying a broader range of risks and potential mitigations, and ensures that operations are proceeding within acceptable risk tolerances. It also provides a clearer, more informed picture of an enterprise’s risks, which can help an organization’s board make IT funding decisions, along with other business investments. Leveraging the respective assessment techniques also leads to more informed underwriting—and thus improves pricing of insurance programs, terms of coverage, products and services.
Overall, developing clear, common language and mutual understanding can serve as a strong bridge to unite the cultures, bring these two areas together and create significant value along the way.
The report is available to RIMS and ISACA members through their respective websites. To download the report, visit RIMS Risk Knowledge library at www.RIMS.org/RiskKnowledge or www.isaca.org/digital-risk-gap. For more information about RIMS and to learn about other RIMS publications, educational opportunities, conferences and resources, visit www.RIMS.org. To learn more about ISACA and its resources, visit www.isaca.org.
Recently in the UK, the women’s national football team manager, Phil Neville, called for all social media accounts to be verified and accountable as the result of a spate of racist postings, and asked for a boycott of social media until the situation is addressed. He said that one of his fellow footballers had demanded that people are verified and give passport details and addresses to be held accountable for their postings. As he said, “You can be an egg on Twitter and no one knows who you are.”
Now it’s probably a sorry state of affairs if the footballer is handing out cybersecurity advice to the world of technology practitioners but that’s in fact exactly what has happened. Needless to say, Twitter responded with a typically uncommitted answer where they “will continue to liaise closely with our partners to identify meaningful solutions to this unacceptable behavior.”
So, to be clear, they won’t verify peoples’ identities as that will not suit their business model. Think how many users they will lose if everyone has to upload passport details before tweeting.
This is not a one-off problem. Depending on which report you want to look at, the problem of fake accounts and duplicate accounts is rife. Facebook deleted more than 2 billion fake accounts in the first quarter of the year, between 9 and 15% of active Twitter account may be social bots and a Twitter audit estimates that only 40-60% of Twitter accounts represent real people. It’s even possible for people to fake the verified indicator on LinkedIn.
So, why is this a problem for information security practitioners?
Multiple reasons, really. Fake actors are spreading misinformation about your products, impersonating you and selling counterfeit products, phishing your staff and customers, and putting in links to malware in postings on your social media sites, among many exploits. And when it goes wrong, your organization loses business and gets bad PR. Further, there will be no chance of catching the perpetrator as you don’t know who they are since the social media platform did not have a know-your-customer process.
So, any review you carry out on the use of social media in your organization should be based on the knowledge that no one knows who anyone else is and your marketing people should have processes in place that takes this into account, along with a response plan for when something inevitably goes wrong.
I’ll be presenting on this topic and other social media exploits in my session, “Auditing Social Media and its Cyber Threats,” at EuroCACS/CSX 2019, to take place 16-18 October in Geneva, Switzerland.
Certain industries have a better conceptual understanding of their supply chain than others. For instance, in manufacturing, it’s very clear that raw materials come in one end and out the other comes a completed, processed product for consumption. Those products may get shipped to another manufacturer for integration into their products or off to the consumer for their use. You can link these organizations together and build a map showing the full supply chain network. Indeed, this is often done to help planners, engineers, and managers better understand what their exposure is to hiccups in that chain. For other companies, however, this connection to the full breadth of vendors is more difficult to understand. The work is more evanescent as digital transformation makes work between companies seamless.
In a new ISACA white paper, Managing Third-Party Risk, I wanted to help organizations better understand how to build a third-party or vendor risk management program to better manage their cyber risk posture. When the basic building blocks of these vendor risk technologies and processes are in place, it allows other risk disciplines such as operational risk, privacy risk, country risk, etc., to gain a better handle on their loss exposure as well.
The white paper covers topics in the order in which the vendor process would be executed, starting with a discussion around governance and how foundational it is to have vendor roles clarified, procurement procedures locked down (not just anybody should be able to buy services), data sharing agreements solidified, and the collection of metadata secured (which feeds the next part of the assessment).
The main thrust of the paper is how to assess how much cyber risk a particular vendor poses to your organization. This involves triaging all your vendors and sorting them into buckets, with the riskier buckets meaning more evaluation. For those that need it, I discuss a series of artifacts that you should ask for and tests you should run.
I close with a discussion on what to do with that assessment data. I discuss how to threat model vendors and feed that into your risk assessment, and how to improve upon vendor risk evaluations done with a simple heatmap (such as focusing on the economic impact to the organization using cyber risk quantification). The paper ends with a discussion of ongoing monitoring and what to do with vendors exhibiting bad control posture.
I hope you find this white paper helpful in either establishing a new vendor risk management program or improving the maturity of your existing one. As companies continue transforming their operations with digital technologies, it’s inevitable that an organization will share its data (and its customers’ data) with more and more partners. Let’s be sure that the solutions are in place to help protect that data and engender trust in our digital economy by managing that vendor risk well.
About the author: Jack Freund, Ph.D., CISA, CRISC, CISM, is director, risk science for RiskLens, member of the Certified in Risk and Information Systems Control (CRISC) Certification Working Group, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, IAPP Fellow of Information Privacy, and ISACA’s 2018 John W. Lainhart IV Common Body of Knowledge Award recipient.
Have you ever stopped to consider the ethical ramifications of the technology we rely on daily in our businesses and personal lives? The ethics of emerging technology, such as artificial intelligence (AI), was one of many compelling audit and technology topics addressed this week at the 2019 GRC conference.
In tackling this topic in a session titled “Angels or Demons, The Ethical Considerations of Artificial Intelligence,” session presenter Stephen Watson, director of tech risk assurance at AuditOne UK, first used examples to define the different forms of AI. For example, it was initially thought a computer could not beat a human at a game of chess or Go in the early stages of AI. Many were fascinated to find that indeed the computer could be programmed to achieve this goal. This is an example of Narrow or Weak AI where the computer can outperform humans at a specific task.
However, the major AI ethics problem and ensuing discussion largely focused on Artificial General Intelligence (AGI), the intelligence of a machine that has the capacity to understand or learn any intellectual task that a human being can. Some researchers refer to AGI as “strong AI” or “full AI,” and others reserve “strong AI” for machines capable of experiencing consciousness. The goal of AGI is to mimic the human ability to reason, which could, over time, result in the deployment of technology or robots that achieve a certain level of human consciousness. Questions were posed to the audience such as:
- Should we make AI that looks and behaves like us and have rudimentary consciousness? Around half (49 percent) of the session attendees polled said no – not because they felt it was immoral or “playing God” but because it would give a false sense that machines are living creatures.
- Can morality be programmed into AI since it is not objective, timeless or universal and can vary between cultures?
- Would you want AI-enabled technologies to make life-and-death decision? Take the example of the self-driving car. Should the car be programmed to save the driver or the pedestrian in the unfortunate event of a collision?
In what scenarios would you want the AGI-enabled device to make the decision? Assurance professionals and others have been focused on gaining a better understanding of mechanics of AI and ISACA provides guidance on the role IT auditors can play in the governance and control of AI. However, it became apparent, after this thought-provoking GRC session, that considerations such as the following should also be seriously considered and discussed to ensure ethics and morals in the development and use of AI are not forgotten in the effort to harness this technology:
- What rules should govern the programmer, and to what extent should the programmer’s experience and moral compass play into how the AGI responds to situations and people?
- What biases are inherent in the data gathered and upon which the AGI is learning and making decisions?
- How to evaluate the programs and associated algorithms once the machine has gained the ability of the human to comprehend, such as Blackbox AI?
The session intentionally stayed away from a deep discussion on the mechanics of the technology to foster the dialogue and thinking necessary to reflect on the ramifications, pro or con, of this growing technological capability, its future direction, and its impact on our business and social lives.
Over time, less and less technologies will be considered part of AI because their capabilities will be considered so much a part of our daily life that we won’t even think about it as AI. This was referred to as the “AI Effect.” Let’s not hesitate to ask the tough questions to ensure we are responsible and ethical in our development and use of this amazing technology as it continues to integrate into our daily routines to make our lives easier.
Share your thoughts on the ethics of AGI and other emerging tech in the comments below. We would love to hear from you and see you at the 2020 GRC conference, planned for 17-19 August 2020 in Austin, Texas, USA.
The past decade has seen a significant advance in cyber risk assessment maturity. There has been wide recognition that security and risk frameworks provide excellent process for assessing risk, but miss out on defining exactly how to compute and communicate risk. Increasingly, corporate boards have been asking for quantitative measures of cyber risk, similar to what other disciplines in the organization have been doing for a long time (e.g. measuring financial impact). Instead of being content to continue providing stoplight chart risk reports, CISOs are moving toward providing reports of economic impact of cyber incidents. This move helps support critical board-level and executive decisions regarding capital adequacy and cyber insurance purchases.
This maturation in risk practice was given Gartner’s imprimatur in 2018, when their analysts declared Cyber Risk Quantification (CRQ) as a critical component of integrated risk management. This was a clear indication that the future of cyber risk assessments would be to assess and present it the same as other corporate risk disciplines. Supporting this effort was the FAIR Institute, founded in 2014 and which currently has nearly 6,000 members worldwide, covering about 30 percent of the Fortune 100. The FAIR Institute was founded to promote the de facto CRQ standard, FAIR, which was released by the Open Group.
All this great progress, however, has been primarily focused on the private sector. One notable exception is the US Department of Energy (DOE), which has publicly indicated that it will be using the FAIR standard to conduct CRQ assessments on critical infrastructure, both public and private. Others in the public-sector service can find comfort in the DOE’s trailblazing example. One key threshold that a lot of public-sector organizations struggle with when adopting CRQ is the notion of expressing cybersecurity as financial risk. In many ways, it appears at first blush to be anathema to public sector service; their work is truly service to a broad population. Profit and loss are foreign concepts in that realm. In many cases, such public-sector work is literally done to save lives, and after all, how can we put a dollar value on that?
As it turns out, accounting for human life in the process of decision analysis has long been a common practice in social and political sciences. This concept is called “value of a statistical life,” or VSL. It’s been in use for some time by the very public-sector agencies that are in need of help assessing cyber risk in a quantitative way: the US Department of Transportation, FDA, EPA, and various public health plans. These values have been placed as low as $129,000 per year of life to as much as $9.6 million per life. Such values are used to provide a richer tapestry of information for decision-makers as they allocate limited resources. It does not serve in any way to cheapen life or any of these organizations’ missions. Instead, it helps these organizations accurately evaluate public policies to budget investments based on anticipated outcomes. It’s no different for cybersecurity.
Once an organization is able to vault over the inertia of not wanting to quantify these values, they can quickly see improvements in their organizational risk assessments. For public-sector organizations, this can manifest itself in stark contrast to existing methods. Consider the difference in cyber risk assessment or cybersecurity strategy discussions between a work product that essentially says “this is high risk therefore we need to do it,” versus “not fixing this deficiency/investing in this new capability will expose our constituency to $5 to $10 million of economic impact annually.” It becomes a far more compelling and persuasive conversation to be able to articulate and defend your assertions. So, too, does it place the appropriate level of accountability on the decision-makers to formally accept the risk associated with their decisions.
Accounting for these values in your public-sector CRQ assessment using the FAIR standard can be done by considering the broader economic impact of a cyber incident. Instead of thinking about an availability incident affecting sales, consider a municipal services availability problem. State and local governments in the United States are increasingly becoming the target of ransomware and, in cases such as the city of Baltimore, we are seeing problems with water and other critical services. As the city recovers, customers are getting large water bills to make up for months of the city being unable to run accounting and billing processes. Further, the city has been unable to collect the revenue incrementally, endangering its ability to fund this critical infrastructure.
These kinds of events can be straightforward to foresee and, as a result, straightforward to account for the economic impact. If a critical public-sector service is unavailable, then what are the impacts to the community serviced by them? Can businesses operate without it? What is the impact on tax revenue if the power goes out and commerce is unable to be conducted? How many people will be unable to work as a result of public transportation being unavailable? How does this impact the most vulnerable in the community, who often have little economic cushion to fall back on during crises? Accounting for the number of people affected by estimates of how many people will be displaced, lose their housing, be unable to purchase critical medications and food, etc. is the right way to think about CRQ economic and financial impact for public-sector concerns. The same is true for confidentiality losses: how will a breach of local taxpayer information affect the citizens you serve? What kinds of economic activity will it hinder, how many hours of their time will be spent rectifying fraudulent events, and what is the economic impact of a loss of privacy?
These kinds of questions and more can be the basis for assessing quantitative cyber risk impact scenarios for public-sector organizations that plan to use the FAIR standard. FAIR advocates using the accounting process called activity-based costing (ABC) to think about all the costs incurred by various parties as events plays out in the lives of those affected. This will give the organization a sense (using ranges of impact representing least, most, and most-likely results) of where priority for a particular service lies. When we consider how much citizens rely on their government’s providing basic services and critical infrastructure, it is imperative that we endeavor to accurately reflect the economic impact of the failure of these services not just on the for-profit industry, but on the underserved and vulnerable in the community who need these services the most. Not providing accurate valuations of the impact on human life will result in a misallocation of resources at best, and unnecessary loss of life at worst.
About the author: Jack Freund, Ph.D., CISA, CRISC, CISM, is director, risk science for RiskLens, member of the Certified in Risk and Information Systems Control (CRISC) Certification Working Group, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, IAPP Fellow of Information Privacy, and ISACA’s 2018 John W. Lainhart IV Common Body of Knowledge Award recipient.