Deployment of Emerging Technology in FinTech

Mahmoud Abouelhassan

Fighting poverty and achieving a high economic growth rate are two key priorities for developing countries.

Achieving both of these goals is reliant on financial inclusion. Developing a national digital transformation strategy that focuses on transforming the traditional economy to a digitized economy is the best way to accelerate the run rate in achieving this end goal. 

The journey to financial inclusion is reliant on fintechs: disruptors in the financial sector that are driving innovative transformation and changing the way financial services are delivered, the medium of transactions and the approach to business analysis.

Unlike traditional financial services firms, fintechs are not tied by legacy systems which can delay progress: they can move faster toward new and innovative services by adopting new technologies and redefining standards and expectations within the industry. Fintechs can quickly deploy emerging technologies like blockchain, artificial intelligence and machine learning – technologies that will fundamentally change the world of financial services. PWC UK notes that already “Some large financial institutions are also relying on blockchain for internal transactions between territories, effectively reducing the internal cost of moving money.”

Rapid development in consumer technologies also means customers’ expectations have grown and they now expect a level of personalization and customization which can only be addressed through automation and keeping up with the pace of emerging technologies. Further, these technologies can be used to streamline customer service through the use of chatbots and automated tools. Electronic payments, biometric-enabled authentication and blockchain for digital transactions will all improve security and reduce fraud while increasing customer satisfaction – making them core to new financial services solutions.

Artificial intelligence and machine learning in particular have the ability to improve fraud detection and reduce the need for human oversight by up to 50%. Financial Fraud Action UK (FFA UK) stated this year that fraud costs the UK £2 million every day (according to 2016 figures), and experts expect to see costs reaching $32 billion yearly on online credit card fraud alone by 2020. Artificial intelligence can play a key part in detecting this, automating the process and reducing occurrences by following different approaches like oversampling, undersampling, and combined class methods.

Governments and banks are already seeing the benefits of these emerging technologies. There are two particular examples where their deployment is lowering the cost of financial transactions. In April 2018, the National Bank of Egypt announced that it has joined a large initiative focusing on the research and application of blockchain, with R3. More than 200 banks and international companies have joined this initiative.

By 2021, Dubai will be using blockchain technology for more than 50% of financial transactions, expecting to save 11 billion AED by doing so. When announcing its blockchain strategy, Dubai predicted a 300 million dollar blockchain market across the financial sector, healthcare, transportation, urban planning, smart energy, digital commerce, and tourism.

Emerging technologies readiness
The Emerging Technologies Readiness Survey, published in Egypt during August 2018 by my team, collected the responses of 91 executives from different sectors across technology, banking and fintech. The results show that almost 74% are already using emerging technologies, with almost 29% using big data, 18% machine learning, 17% artificial intelligence, and almost 8% blockchain.

Figure 1: Emerging Technologies Readiness Survey

The main driver behind adopting emerging technologies was business improvements, with 62% of respondents using emerging technologies citing this.

Figure 2: Emerging Technologies Readiness Survey

Half of respondents said their companies measured the ROI after using these technologies, but a surprising 32% do not measure the ROI and almost 18% were unsure whether their company does or does not.

Figure 3: Emerging Technologies Readiness Survey

Almost 70% of respondents whose companies were yet to adopt emerging technologies in their business stated that they have plans to deploy one or more within the next five years.

Figure 4: Emerging Technologies Readiness Survey

When asked which emerging technologies they were most interested in deploying, almost 34% of respondents said they would consider blockchain, nearly 35% said artificial intelligence, 41% said big data, and nearly 30% said machine learning.

Figure 5: Emerging Technologies Readiness Survey

Embracing emerging technologies for financial inclusion in developing countries
It is clear that emerging technologies will be essential to accelerate the goals of developing countries in achieving high economic growth rates and in driving financial inclusion and a thriving digital economy. Yet, traditional financial services firms can’t easily adapt to these emerging technologies because of their legacy systems. They can, however, partner with fintechs to get the benefit of emerging technologies deployment and achieve great mutual success.

Fintechs, traditional financial services firms, technology companies and governments need to develop and build digital transformation strategies together – strategies that include a plan of secure emerging technologies deployment and that have a clear vision of how they will maximize the benefits and minimize the risks of these technologies.

Security readiness for emerging technologies
Using emerging technologies is not only beneficial in terms of innovative new financial services, but also improves the security of information systems.

At the same time, emerging technologies such as machine learning and artificial intelligence will increasingly be used for cyber-attacks and many are not yet equipped to withstand these attacks. Two-thirds of respondents to the survey see potential risks from emerging technologies, with almost 59% saying their companies also realize these potential risks. A somewhat smaller 44% said their companies have a risk mitigation plan for emerging technologies.

Figure 6: Emerging Technologies Readiness Survey

Figure 7: Emerging Technologies Readiness Survey

Figure 8: Emerging Technologies Readiness Survey

Despite the concerns around risks, most respondents could see a great opportunity for using emerging technologies to improve the level of information security at their companies, with almost 81% saying they will use emerging technologies for that purpose.

Figure 9: Emerging Technologies Readiness Survey

Editor’s note: Mahmoud Abouelhassan will provide further insights on this topic on 30 October at ISACA’s CSX Europe 2018 conference in London.

Peter Weill: Avoid the ‘Big Bang’ in Digital Transformation

Peter Weill

Editor’s note: Peter Weill, senior research scientist and chair of the Center for Information Systems Research (CISR) at the MIT Sloan School of Management, is an award-winning author who focuses on the role, value and governance of digitization in enterprises. Weill, who co-authored What’s Your Digital Business Model? with Stephanie L. Woerner, recently discussed enterprise digital transformation themes with ISACA Now after addressing chapter leaders at ISACA’s Global Leadership Summit in Chicago. The following is a transcript of the interview, edited for length and clarity:

ISACA Now: What are the most important building blocks for organizations in terms of creating a winning digital strategy?
Having a compelling vision to excite customers is the most important factor. There are a whole lot of digital and cultural change capabilities that you need, but you can’t do it without the vision, and then there are a series of building blocks, like Lego blocks, that are your data, your customer experience components, new ways of working, your people innovating, that make it work.

ISACA Now: You emphasize the importance of the customer voice being a driving force in making decisions. What guidance might you have for organizations to ensure that is the case in their decision-making process?
The customer voice is all about how you listen to the customer and then amplify their voice in every decision, in every activity you make. And so, data analytics, real-time connections, mobile connections, sentiment analysis, social media – these are all ways you can amplify the customer’s voice, but then you have to change the culture in an organization to hear it and use it, and that is probably the hardest part.

ISACA Now: Why is understanding life events of customers so valuable and important?
Most companies have made a successful living selling products, but in a world of ubiquitous search, you can search for the lowest product at a certain quality level in seconds. Now customers want to have a broader set of needs met, and one extremely good way of doing that is life events. Some companies use customer journeys – but they are more about how the sequence of meeting life events is enacted. Take a B2B customer – are they entering a new market? Are they doing a merger? Is there a change of CEO? Those all have needs, and there are products and services that need to be connected together to achieve the life event.

ISACA Now: What are some of the common missteps organizations make when it comes to pursuing digital transformation?
The most common misstep is once you have a great vision, to try to do a big bang. In our digital world, with all the new digital tools, we use test and learn. So, you use some lessons from Silicon Valley of MVP (minimum viable product). You try lots of things, you see what works, and once they work, you scale and integrate. That’s a very different way of operating, so that’s one of the biggest problems we see. Another is that companies feel they can do these things all themselves. Digital is a partnering world. So, how do you get better at partnering, sharing information appropriately, and using that collaboration to provide better services?

ISACA Now: Can you elaborate on the concept of a higher-value digital business model? What does that entail?
The average profitability of a supplier model is significantly less than the average profitability of an ecosystem driver model, but a much higher percentage of companies are supplier-dominant models than ecosystems. So, an ecosystem is a much higher value model, but it’s harder to achieve and there is significant consolidation amongst the players.

ISACA Now: From your interactions with boards and executive leadership, what stands out as the toughest types of decisions leaders have to make when it comes to digital transformation?
The most difficult question I hear from senior executives is ‘Do we have the right talent?,’ particularly at the senior leadership team, and we often see quite a high turnover in companies that successfully transform. But also, how do we engage the brains and energy of all the people in the company? It’s not just the senior leaders that have to transform the company; everybody has to. And so how do you engage the whole hearts and minds of everybody, and through that, change the culture from a hierarchical, linear project culture to an agile team, test-and-learn, minimum viable product culture?

ISACA Now: With a forward-looking lens, which new technologies or emerging digital themes do you see as having the biggest impact on reshaping the business landscape?
I’m a big proponent of the future of IoT because I think it will create great customer value, but with it comes all kinds of risks, and the whole cyber question around IoT, I think, is unanswered. AI will help with cyber, and I think one of the great potentials is the use of AI to do cyber analysis. I’m less concerned about the technologies themselves because they’ll change over time, but how do we provide better customer service at lower cost, and how do we avoid a world of the information rich and the information poor? One of the troubling trends we’ve already seen is a disproportionate spread of wealth in many countries, and I would love to see digital technologies create a better future for the next generation so that everybody has access to opportunities and education, and I think ISACA has a role to play in that.

Digital Transformation Brings More Opportunities to Financial Sector

Kris Seeburn

Emerging technologies and the pace of innovation are reshaping the banking/financial industry and operating models, while influencing the shape and dynamics of the broader financial services ecosystem.

Banks have adopted new technologies to varying degrees. Most banks use elements of cloud computing, a key technology that reduces the costs of rolling out and scaling the online and mobile banking capabilities that digital era consumers expect. Many institutions also are gradually implementing elements of big data and analytics as well as robotic process automation (RPA) to strengthen controls and reduce costs. Other technologies, such as distributed ledger technology and the Internet of Things (IoT), are only in the early stages of commercialization by banks.

Respondents to ISACA’s 2018 Digital Transformation Barometer identify financial/banking as the industry showing the most leadership in adopting emerging technologies. Banks are undergoing a fundamental transformation resulting from a range of technological innovations. Six technologies are currently most prominent in financial innovation: cloud computing, big data and analytics, artificial intelligence (AI)/machine learning, RPA, distributed ledger technology and the IoT. These technologies are at different stages of maturity, and some have the potential to significantly change the industry in the coming years.

Technology Trends & Game Changers

The questions that pop up are: How rapidly is the pace of change accelerating for financial services industry firms, and how are leaders planning to navigate their firms into the future?

To answer these questions, it’s important to first consider that there are some regional and national differences in competitive market structure, regulatory environments, and the global scale of the industry that influence outcomes. Even though the larger G7 economies (Canada, France, Germany, Italy, Japan, the United States and the United Kingdom) are still dominant, in terms of size (assets) and number of transactions, other countries, especially from the large emerging markets, are catching up steadily as well. The growing, emerging economies have been able to more easily implement modern core technology platforms because of the relative absence of legacy investment and integration with 40-year-old systems often found in firms in the G7.

New technologies are allowing banks to re-examine their business and operating models, and determine which functions and capabilities should be retained internally vs. obtained externally. Banks are able to benefit from technological advances made by other organizations in several key areas (such as customer reporting, risk analytics as a service, blockchain) by entering into strategic partnerships with these entities.

Technological innovations also are enabling banks to virtualize more of their banking operations and shift non-critical functions (for example, managed treasury and cash services, white label call centers) to business partners — allowing firms to increase their focus on core services and improve efficiency, while maintaining robust oversight and controls.

We also need to understand that there is a growing customer expectation of what “great” service looks like that often is shaped by “single best user experiences.” The optionality, transparency and affordability of products and services offered by prominent digital era companies have set a new baseline for banking customers’ expectations of convenience, simplicity and customer engagement.

Further, machine learning and advanced analytics are enhancing risk monitoring, controls and risk mitigation across the banking industry. Banks are able to leverage expanded internal and market data and advanced analytics to better understand key customer and financial transaction related-risk factors.

The shift toward digital platforms allows banks to interact more closely with customers, and quickly design and deliver relevant services. Digitizing end-to-end business processes further enables banks to achieve scale and become more efficient, resilient and transparent. As a result, banks are better able to quickly respond to changing customer needs, market dynamics and regulatory expectations.

Maintaining an appropriate balance in regulating and supervising banks as they innovate is not a new challenge. Key examples of impactful, organic incorporation of technological innovations into banking include, among others, the advent of call centers and the shift from paper to electronic/digital books and records. Banks determine the precise design and use of each technological innovation based on customer needs, opportunities to enhance customer value, compliance with regulatory requirements and supervisory expectations, their business models, risk tolerances and other market factors. Banks rely on their first (business), second (risk management) and third (internal audit) lines of defense to maintain compliance. The banking industry’s long and successful track record of safely implementing technological innovations speaks to the effectiveness of its regulatory engagement model.

Policymakers and regulators continue to actively monitor developments within the banking sector, including those that are technology-related, so that emerging, potential risks are appropriately addressed.

To date, banks have safely implemented many beneficial technologies without adverse repercussions to institutions or the broader financial system. Nevertheless, implementing technological innovations, particularly emerging technologies, will always have some element of risk, given the heuristic nature of innovation and new activities and services.

Going forward, digital transformation has the potential to continue to significantly transform the financial services industry and benefit society. It can replace individual banks’ legacy systems, enhance processes, improve efficiencies and strengthen controls. Digital transformation also can provide opportunities for the creation of new products and services that benefit customers. Ultimately, technological innovations hold great promise for the identification of new customers and the provision of financial services to the unbanked or underbanked community in a safe and sound manner.

AI Factors Heavily into Future of Digital Transformation

Rob Clyde

The second installment of ISACA’s Digital Transformation Barometer research underscores the ascent of artificial intelligence as a technology with growing potential – and how urgently enterprises must rise to the occasion of addressing the related risk and security implications.

In the 2018 Digital Transformation Barometer, global respondents rank AI/machine learning/cognitive technology as the second-most transformative technology for organizations, finishing just behind big data. While big data also was the top choice in the 2017 version of this annual research, the gap between big data and AI shrank from 18 points to 3, reflecting a growing realization that AI technology is on the verge of profoundly reshaping many aspects of society.

Already, AI and machine learning hold significant sway in our daily lives, ranging from the way our flights are piloted to matters of simple convenience, such as how photographs are tagged on Facebook. Larger impact is on the way. AI and machine learning are being explored to set medical breakthroughs in motion, improve farmers’ crop yields and help law enforcement identify missing people, among a wide range of promising applications on the horizon. As new uses continue to be developed and refined, there will be increased need for enterprises to safely and securely deploy AI. On this front, there is much work to be done.

Only 40 percent of Digital Transformation Barometer respondents express confidence that their organizations can accurately assess the security of systems that are based on AI and machine learning, a statistic that is concerning enough today but will grow considerably more problematic in the near future if enterprises don’t make the needed investments in well-trained staffs capable of putting the needed safeguards in place. As AI evolves – consider the likely proliferation of self-driving vehicles, or AI systems designed to reduce urban traffic – it will become imperative that enterprises can provide assurance that the AI will not take action that puts people in harm’s way.

Contending with malicious uses of AI will be one of the central challenges for our professional community, as a concerning report from a range of global researchers accentuated. The Digital Transformation Barometer research shows that potential instances of social engineering, data poisoning and political propaganda are among the malicious AI attacks that need to be accounted for in the short-term, but even more concerning possibilities loom, such as the activation of autonomous weapons, driving home the urgency of bolstering AI security capabilities. In many cases, the solution to keeping AI in check will be tapping into AI technology that enables security innovations.

Whether thinking about AI or other emerging technologies, practitioners should look for opportunities to expand their knowledge base and explore ways for their enterprises to leverage new technology to connect with customers in new and potentially more impactful ways. More than 4 in 5 respondents (83%) indicate their organizations have no plans to accept cryptocurrency in the future, while the majority of respondents (53%) consider public cloud to be high risk, reflecting mindsets more tethered to the status quo than embracing opportunities to fuel innovation. Not every new technology is the right fit for every organization, but enterprise leaders owe it to their stakeholders to ensure they are actively exploring promising technologies and determining how technology can be securely leveraged to drive the innovation needed to compete in today’s digital economy.

Change is difficult for organizations, which traditionally are structured with stability, rather than innovation, in mind. However, as technology plays an increasingly prominent role in our daily lives, customers increasingly are expecting dynamic, swift-to-market, technology-driven solutions. To be able to deliver, organizations must prioritize investing in the security capabilities needed to enable effective and responsible digital transformation.

Shining a Light on the Biggest Healthcare IT Challenges

Larry Alton

Healthcare has experienced significant modernization and is now closely intertwined with IT. But as the industry changes and marketplace demands evolve, new challenges emerge. Understanding how to address these challenges is paramount to the future success of healthcare organizations and their stakeholders.

Five healthcare IT challenges the industry is facing
What used to be a small intersection is now a fully developed relationship. It’s nearly impossible to understand the current or future state of healthcare without looking at IT and the role it is playing.

Even with all of the good things that are happening, there are some challenges, hurdles, and points of friction that must be dealt with and overcome. Let’s highlight a few of the more significant ones you should know about.

1. Data security
Data breaches are, unfortunately, a part of modern life. As more and more data is created and stored online, hackers will continue to go for valuable information. Because of the privacy associated with patient data, healthcare providers are often primary targets.

The challenge moving forward is for organizations to be more protective of their data, without adding unnecessary layers of bureaucracy. Better access control and simplified reporting will play a key role.

2. Network integration issues
On the business side of healthcare, there are plenty of mergers and acquisitions. Unfortunately, they often lead to network integration issues. The biggest challenge involves blind spots.

“Blind spots are areas where IT does not have complete visibility into what is happening on the network or how applications are behaving,” explains Keith Bromley of Ixia. “Mergers between IT systems for any organization, especially healthcare systems, take time. The problem is that patients and doctors do not have time to wait. Electronic medical records (EMR) must be available at all times, for all patients.”

Figuring out a way to smooth over these transitional points and prevent blind spots from occurring will be a key focus in the months and years ahead.

3. Remote patient care
The latest research suggests that 71 percent of all healthcare providers use telehealth or telemedicine tools to connect with patients. Considering that just half of healthcare providers were using telemedicine solutions and services in 2014, this represents a rather steep increase in adoption. The expectation is that close to 100 percent of providers will be using solutions like these by as early as 2021.

But there are still some distinct challenges. One such challenge is the issue of helping patients get the care they need after leaving the direct care of the healthcare provider.

“As a physician, I know that medicine is important to people’s health, but the vast majority of what determines a person’s health is not medicine, it’s the ability to take care of themselves, live well, manage disease, and give care to others outside the doctor’s office,” says Stacy Lindau, MD, who has worked closely with Rush University Medical Center to incorporate the NowPow platform to help them connect with patients after they leave.

The more sophisticated platforms like these become, the more well-rounded patient care will become.

4. HIPAA compliance
Whereas cybersecurity and strict BYOD policies are important for businesses in every industry, issues like these are even more challenging in healthcare. HIPAA laws are very strict on issues like unlawful disclosure of private patient information, and any unintentional mishaps can result in huge fines and significant reputational damage.

Having a plan in place for dealing with ransomware is crucial for healthcare organizations of all sizes. While encryption and backup storage are important, they may not be enough. Organizations that consult with cybersecurity experts specializing in HIPAA laws will see the biggest benefits.

5. Consumerization of medicine
“A big area of interest for healthcare institutions is the consumerization trend in which information is being collected and made available to mobile and web-based devices. For instance, hospitals are now embracing bring your own device (BYOD) for healthcare professionals and support the use of patient accessible Wi-Fi,” Bromley explains.

As consumerization increases, it’ll be important for healthcare organizations to choose the right technologies and use them in the appropriate ways. A failure to invest in the best solutions for the application will bog organizations down and create additional friction that hurts the patient experience (not to mention the practitioner’s experience).

Putting it all together
Healthcare innovation happens at a startling pace. From pharmaceuticals to health procedures, changes are occurring around the clock. From an administrative perspective, however, few areas are more important than successfully managing and governing the technology that enables the innovation. As IT progresses, so will the healthcare industry.

For IT professionals, understanding this relationship will help you get a firmer grasp of why certain developments are taking place and what direction the industry is headed in the future.

Can Blockchain Help Fight Digital Ad Fraud?

Ankit Shrivastav

If you are a netizen, you must have already noticed how certain ads pop up while you are surfing videos on YouTube. Most of the time, these advertisements have close connections to the products and brands you have been searching for recently. However, this is not always the case! Finding fake ads of reputed brands like Mercedes-Benz and Waitrose is not uncommon at all. According to reports from The Times of London, several reputed brands have found their advertisements among objectionable and explicit content.

Why should you care about online ad fraud?
If you are an advertiser, this should be a cause of concern for you. According to a recent study, over 20% of the clicks you are getting on your ads can be from bots and tricksters. Censoring the internet and running the entire web without advertisement is impossible. In short, good content and commendable user experience require sponsorship.

Sadly, advertisers are pouring money into digital ads, but they are not receiving the returns they expect. The advent of various smart devices may have expanded the scope of viewing content, but they have done little to ensure that the content is genuine.

According to the Association of National Advertisers, entrepreneurs are wasting over $7 billion on online adverts people do not see. The experts expect the numbers to grow beyond $335.5 billion in the next two years. When companies are ready to spend billions on online advertisements, it is understandable why malicious activities are always around the corner, waiting.

We have seen the likes of Meth-bot that cost the ad industry around $5 million per day. They used bots to mimic human data and created over 250,000 individual domains. These new sites had a resemblance to big fish like ESPN and Vogue.

Digital ad fraud is a serious concern for advertisers and users, too. While the fraudsters use bots to mimic human behavior, trace cursor movements, and hack social media accounts, they fake their geo-location data to avoid detection. As a result, along with regular display ads, the premium online video advertisements are also taking a hit. Digital fraudsters are messing up analytical data, upturning the KPIs and disrupting online campaigns of many of the more reputable brands in the world.

Blockchain as a potential solution to online fraud
Is there any current technology that can prevent pixel stuffing, ad stacking, search ad frauds and affiliate ad frauds? Experts say that it’s possible. They believe that advertisers can prevent similar frauds by turning to blockchain. We are not talking about cryptocurrencies, but the decentralized open-source ledgers.

A fusion of existing ad technology and blockchain can give advertisers the power to keep an eye on each impression and eliminate the fear of fraud. Leading advertising research firms like Interactive Advertising Bureau’s Tech Lab and Data & Marketing Associations already are working on creating a blockchain solution that can help advertisers detect and prevent fraudulent activities. However, the wide variety of online ad frauds makes the task of developing a uniform system difficult.

Below are the major use cases of blockchain that can be implemented to prevent online ad frauds:

Ethereum-based ready solutions – Several startups and advertising research companies have been working on blockchain systems that can stop bots and impostors. Ethereum is the best-known blockchain right after Bitcoin. Instead of a central ad server, it offers a decentralized system to advertisers to monitor the activity of their partners. Google, Amazon, Twitter, YouTube, Facebook, and Snapchat have adopted similar history-proof, decentralized ledgers.

Blockchain counterattack – This mechanism adopted by the Ads.txt DApp allows publishers and content owners to list the authorized sellers of their inventory in a .txt file. This file is served from within the root path of their domain’s web server.

Blockchain-based exchange for traders – A combination of the financial matching engine and the latest blockchain technology allows advertisers to enable transparent transactions. It is a NASDAQ Inc. initiative that aims to provide advertisers and publishers a completely secure platform that supports buying, selling and re-trading advertising contracts.
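The authorized-seller check that such a file makes possible, as an added example (not code from the original article or from the Ads.txt DApp): it parses a plain ads.txt file in the comma-separated form the IAB Tech Lab specifies and flags seller claims the publisher never listed. All domains, account IDs and claims are constructed, and the function names are hypothetical.

```python
from dataclasses import dataclass

# Constructed sample of what https://publisher.example/ads.txt could return.
SAMPLE_ADS_TXT = """\
# ads.txt for publisher.example (constructed sample)
contact=adops@publisher.example
exchange-a.example, pub-1001, DIRECT, abc123certid
exchange-b.example, 7788, RESELLER   # resold inventory
Exchange-C.example , acct-42 , direct
this line is malformed
exchange-d.example, 555, PARTNER
"""

@dataclass(frozen=True)
class SellerRecord:
    ad_system: str     # field 1: domain of the advertising system
    account_id: str    # field 2: publisher's account ID within that system
    relationship: str  # field 3: DIRECT or RESELLER

def parse_ads_txt(text):
    """Return (records, rejected); rejected holds (line_number, raw_line)."""
    records, rejected = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3:
            if "=" not in line:               # not a variable such as contact=
                rejected.append((lineno, raw))
            continue
        relationship = fields[2].upper()
        if not fields[0] or not fields[1] or relationship not in ("DIRECT", "RESELLER"):
            rejected.append((lineno, raw))
            continue
        records.add(SellerRecord(fields[0].lower(), fields[1], relationship))
    return records, rejected

def is_authorized(records, ad_system, account_id, relationship=None):
    """True if the seller is listed; domains compare case-insensitively,
    account IDs exactly (an assumption of this example)."""
    for rec in records:
        if rec.ad_system == ad_system.lower() and rec.account_id == account_id:
            if relationship is None or rec.relationship == relationship.upper():
                return True
    return False

def unauthorized_claims(ads_txt, claims):
    """Return the (ad_system, account_id, relationship) claims not backed by ads.txt."""
    records, _ = parse_ads_txt(ads_txt)
    return [c for c in claims if not is_authorized(records, *c)]

# Constructed bid-request claims for inventory on publisher.example.
CLAIMS = [
    ("exchange-a.example", "pub-1001", "DIRECT"),    # listed
    ("exchange-b.example", "7788", "DIRECT"),        # listed only as RESELLER
    ("exchange-z.example", "pub-1001", "RESELLER"),  # system not listed at all
]

if __name__ == "__main__":
    for claim in unauthorized_claims(SAMPLE_ADS_TXT, CLAIMS):
        print("not authorized by ads.txt:", claim)
```

Lines that fail to parse are returned rather than silently dropped, so a buyer can tell an unlisted seller apart from a publisher file that is simply broken.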

In the digital era, online ads are an important channel for brands to use to reach out to their target audience. Ad fraud not only puts a hole in the pocket of the brands but also harms the end users, who need reliable information to make the right decisions. With the ability to impart transparency to the system and trace an online asset, blockchain can surely help reduce, if not completely stop, digital fraud.

A Prominent Place at the Table for Rural Technological Advancements 

Matt Loeb

When the general public thinks about today’s exciting technological breakthroughs, the imagery that springs to mind is unlikely to be a crowded pigpen in China or yam fields in the farmland of Nigeria. Yet, rural areas are the frontlines for some of the most important gains technology is enabling in modern society. The growing imprint of technology-driven advancements on the agriculture industry and in rural areas, generally, is one of the tech field’s most promising success stories.

Digital transformation is making its mark on the agriculture industry, with the Internet of Things, blockchain, robotics and drones among the technological forces that are helping to offset modern obstacles that previous generations of farmers did not have to overcome. In the not-so-distant past, farmers fretted about the weather, pests and their equipment – and that was about it. Today’s farmers must contend with a range of more sophisticated challenges, such as market volatility, international trade friction, serious labor shortages, borrowing costs and capital availability, and an increasingly complex regulatory environment.

Amid these challenges, in an industry known for razor-thin margins between success and failure, enabling even a 5% increase in yield can make a dramatic difference. Technological innovation increasingly is the path to swinging that equation in farmers’ favor by equipping them with an expanded set of solutions to their challenges. At the same time, for these innovations to serve their important purpose, it is imperative for security professionals to support suppliers’ and distributors’ assurance that these technologies are being deployed safely and securely throughout the supply chain.

Technology enabling a global bounty
The recent Forbes AgTech Summit underscored how key industry advancements – such as more reliable pathogen detection, autonomous wheelbarrows and analytics software that allows farmers to more accurately predict crop conditions – are capable of improving profitability for farmers and providing a more robust global bounty that will be increasingly critical as population growth, climate change and soil degradation put strain on the world’s food supply.

Much of the technological progress that is recalibrating the way food is being grown and distributed is attributable to automation. The implications of automation can cut in both directions, often driving improved business outcomes while, in some cases, imperiling job security for current workers. The net impact of automation, though, tilts heavily in a favorable direction when it comes to the agriculture industry. In many countries, including the United States, agriculture workers are in short supply, not because automation has put them out of work, but because of a range of factors that include urbanization and more stringent enforcement of immigration laws. Automation is a potent force in counteracting that labor shortage, producing driver-less tractors and more efficiently planting and harvesting to maintain productivity and prevent wasting crops while people around the world go hungry.

It is not just automation that is serving as a new catalyst for farmers and food producers; a variety of emerging technologies are modernizing business models in rural areas around the world. From a Chinese tech giant deploying AI-powered pig-tracking systems, to a growing number of blockchain implementations that will allow food to be tracked globally throughout the supply chain, more efficiently addressing customer risk, it is encouraging to see technology deployed so creatively in an industry that affects all of us on a daily basis.

The ability to more effectively address food security is especially notable, with blockchain and IoT technology allowing inspectors and consumers to become aware of potential hazards in a more timely fashion and avert potential health crises. Dubai has shown leadership in this regard, moving to put in place a food monitoring system that will make its reported $200 billion of annual food imports safer and more secure for its residents.

Life-saving health measures
Agriculture is not the only cornerstone of rural life that is being enhanced by technological innovation. Medical drones in Africa deliver life-saving supplies that are not readily available in local clinics, such as blood, medicine and emergency vaccines. In China this year, a logistics firm initiated delivery of goods to sparsely populated areas that will rely on larger drones transporting products to warehouses and smaller drones connecting rural residents with final deliveries. As with all technological innovations, organizations must deploy the needed safeguards and controls to keep pace with the deployment of these new technologies, with drones in particular posing several legal and security considerations. Organizations must determine their appetite for added risks and liabilities introduced by a drone program, as well as how to meet the related compliance requirements on an ongoing basis.

Undeniably, however, these are significant opportunities for residents of rural areas that would not have been possible as recently as five years ago. Even as global population trends reflect increasing urbanization, the capabilities that are being developed will ensure farmers and rural residents stand to benefit from technological innovations that are taking root every bit as much as city-dwellers. As digital transformation spreads beyond our urban hubs to rural fields throughout the globe, it is up to the security community to perform the due diligence necessary to enable these advancements to truly blossom.

Editor’s note: This article was originally published in CSO.

Preventing the Next Digital Black Swan: The Auditor, The CISO and The C-Suite

Jeff Welgan

Their brand names are notorious in cybersecurity circles: Equifax, Uber, Maersk and Saudi Aramco. Each of these businesses suffered a big breach – cyber incidents that, together, affected many millions of customers. But it wasn’t only consumer data that was compromised; these companies took huge reputational hits as well. Today, all organizations live in fear of experiencing a similar “digital black swan” event and being made an example of by the media.

Understanding Digital Black Swans
Digital black swans presuppose two key characteristics. First, their impacts are catastrophic. For example, during the 2017 Equifax breach, hackers stole personal data from over 145 million Americans – nearly 44% of the US population. Equifax’s CEO, CIO, and CSO were all forced to resign. And the company is facing dozens of government investigations and hundreds of class-action lawsuits.

Digital black swans are not always limited to individual companies and their customers; sometimes, there can also be national or global impacts. During the 2012 Saudi Aramco cyberattack, three-quarters of the company’s hard drives were destroyed. Saudi Aramco sent representatives directly to computer factory floors in Southeast Asia to purchase 50,000 new hard drives – every single hard drive on the factory line. This constrained the global supply of hard drives, causing computer prices to spike.

The second characteristic of digital black swans is that they are unpredictable. The cyber event appears to come out of nowhere, catching companies by surprise. Consequently, organizations often don’t hold themselves accountable because they are under the false belief that there is nothing that they could have done to prevent an attack of this nature.

Controlling Your Swans
On the surface, digital black swans may seem unforeseeable, but if you dig a little deeper, you’ll generally discover that many of these incidents could have been prevented. For instance, in the Equifax breach, hackers exploited a vulnerability that was publicly disclosed two months prior to the attack. If Equifax had installed the patch in a timely manner, this breach would likely have been prevented.

The key to preventing digital black swans is carefully putting critical controls in place. There are a number of controls that companies can use to reduce the odds of experiencing a major cyberattack. For example, Equifax suffered from faulty vulnerability management. The credit reporting company had ample time to install a routine security update that would have prevented the cyber incident.

Poor security practices at Equifax were systemic. Shortly after the breach, it was revealed that one of the company’s online employee portals could be accessed using the default credentials of “admin” as both the username and password. This simple negligence put millions of Americans’ data at great risk.

Likewise, Saudi Aramco, Uber, Maersk and even the Ukrainian power grid could have prevented their attacks – or at least drastically reduced the impacts of those attacks – with proper security controls in place.

Flying (In)Formation
Contrary to popular belief, cyber risk is not a nebulous concept. Cyber risk can be measured, and because it can be measured, it can be managed. Cyber incidents can be anticipated by using risk scenarios that quantify potential loss magnitude (such as business impacts). When organizations evaluate the variety of threats and potential success rates against the various assets they own, they can quantify the possible losses in these observed or contrived scenarios. As such, senior business leaders can prioritize the appropriate controls and countermeasures to ensure that their most valuable assets – their crown jewels – are properly protected.

Cybersecurity matters affect many areas of an organization, and thus involve people in an array of positions: auditors, CISOs, senior officers, etc. Though each of these roles has different responsibilities, they share a common mission: keeping the company safe from cyber threats. Cybersecurity is a true team sport. And like all team sports, one of the keys to success is effective communication. IT auditors need to look across the organization to ensure it is in compliance with any regulations as well as to identify potential areas of weakness and to convey new requirements and recommendations to the CISO or other information security managers. CISOs need to work within their budgets to protect their enterprise from cybersecurity risks, while balancing the need to keep the organization fluid and functioning. There are several resources available that can help senior executives and other business leaders manage and oversee cyber risk, such as CyberVista’s Resolve Program. Furthermore, CISOs need to communicate this risk to executives and the board by explaining cybersecurity issues in business terms; they need to translate bits and bytes into dollars and cents. And conversely, business executives need to overcome their technophobia, become more informed on cyber risk issues, and prioritize and manage that risk as an enterprise risk.

Editor's Note: Jeff Welgan will present on this topic at the 2018 Governance, Risk and Control Conference, to take place on 13-15 August in Nashville, Tennessee, USA.

Understanding Risks to Data Drives Controls Efficiencies

Fouad Khalil

As we reflect on recent regulatory changes and trends, we notice a heavy focus on privacy and cybersecurity across the globe. The European Union has recently passed the General Data Protection Regulation (GDPR) and the Payment Services Directive 2. Taking it a step further, in July 2018, the EU proposed a new Cybersecurity Act (9350/18) mandating cybersecurity certification for critical infrastructure industries.

States in the US are following suit; recently, California signed into law a GDPR-like privacy law. This is predicted to continue across US states in response to the many data breaches we have witnessed across the globe.

As consumers, we are excited to have laws and regulations designed to protect our privacy. Businesses, on the other hand, are scrambling to ensure compliance with these stringent requirements. It is my strong belief that we should focus our risk mitigation and control implementations around what’s important – the data!

Business professionals and IT practitioners agree that data are a valuable commodity for enterprises in many ways. The notion of using data to help monitor and manage risk tolerances in audit and assurance activities often is overlooked. Data should be considered and analyzed as the enterprise selects, plans and deploys controls, and should also be part of enterprise evaluation of the performance of those controls.

This recently was highlighted by ISACA, which has put forth new guidance in partnership with SecurityScorecard titled Continuous Assurance Using Data Threat Modeling. In collaboration with industry experts, practitioners and ISACA subject matter experts, the guidance provides an excellent overview on how to adapt threat modeling to data in transit and data at rest as a strategy to put forth a more holistic, comprehensive and continuous model for understanding data risk and for analyzing potential risk in the supply chain.

New threats to data might occur suddenly or over time, so a formal mechanism should be established to account for data threats in a structured, systematic way. By looking at data this way and following a formalized methodology, enterprises can establish a model and baseline for monitoring data risk over time and maintaining risk within acceptable parameters. Keep your controls environment up-to-date and protect the data and other valuable enterprise assets needed for competitive advantage.

Data threat modeling can be a difficult landscape to navigate. Organizations must first elevate its priority within the enterprise and then follow a systematic process to decompose their applications into their various parts so that each can be analyzed from an attacker’s point of view. Once we discover threats and evaluate risks to applications, we can focus on the data that is used, stored or transmitted by the enterprise or when trusted to the supply chain. This provides the foundation needed to build out an effective control environment for applications, operating systems, network components, etc.

These risk mitigation methodologies are becoming more critical in our effort to protect what’s important, prevent data loss and ensure ongoing compliance with laws and regulations. Having a complete data inventory and visibility into potential threats throughout the data’s lifecycle creates a baseline for continuous assurance that we need to make critical risk decisions.

First Things First: Know Your Data

Baan Alsinawi

It’s been three years since the U.S. Office of Personnel Management’s (OPM) two data breaches shocked the country and spawned immediate cyber initiatives in response to the theft of millions of highly sensitive records – possibly now resulting in identity fraud, as reported by the Wall Street Journal. In the months that followed, the nation’s agencies were required to make an honest accounting of vital systems and the state of their security.

Although the new processes will not mitigate the full impact of the OPM hack, we now have access to a better process for identifying and managing critical assets or high value assets (HVA), which are defined as information systems, information and data so essential that unauthorized access, use, disclosure, disruption, modification, or destruction could cause significant harm to national security or interests, and to an organization’s business operations.

It is equally important to keep in mind that the single most important part of the process is to fully understand what makes up a high value asset, regardless of whether you are in the public or private sector. In talking to many CISOs over the past few years, it is clear many organizations are still not sure what constitutes their most valuable assets and, as a result, cannot adequately protect their “crown jewels.”

As part of the risk management process, I encourage all my clients to take a step back, so they can truly see the big picture in understanding their critical data assets. While this seems rather fundamental, it is still very much a challenge for many security professionals today.

The key takeaway is that until organizations, public and private, have a firm grasp on what their most valuable assets are, it is relatively impossible to develop an effective security program. Both public and private organizations that move forward without this knowledge generally invest time and resources that are not based on a solid foundation where critical assets are identified, business impact analysis performed and risk-based decisions executed accordingly. The results may yield a false sense of security, especially since they are not based on risk modeling and situational awareness.

To its credit, the U.S. federal government has issued several informative security bulletins to address prioritizing risk based on the value of its information assets, including several worthwhile ones that give users a good place to start:

  • OMB M-16-04 details the Cybersecurity Strategy and Implementation Plan (CSIP).
  • OMB Circulars A-123, A-130 and OMB-M-13-13 outline requirements for identifying assets, maintaining inventories, performing risk assessments and addressing risks related to assets.
  • OMB M-17-09 lists additional agency obligations and introduces the Agency HVA Process for managing risk to HVAs across the enterprise.

In addition, the Department of Homeland Security, which is vested with the authority to define agency information security policies and practices, collaborated with NIST on an HVA Control Overlay. Risk management professionals, government or not, will find it provides valuable information on how they should implement critical security controls for their high value assets to mitigate against known threats and weaknesses.

As I tell my clients, always remember that compliance is a means to the objective of effective risk management. It’s so important to always take a step back and look at the big picture, so you can define and quantify the value of your assets and the business impact. Make sure the conversation is a business-focused one about what matters most to the board, agency heads and key stakeholders. Start by mapping critical assets to business priorities, beginning with an initial gap analysis that addresses the business impact. Then, identify the corresponding frameworks, and be on the path to effective risk management—all centered around your HVA.

When your foundation is solid, fulfilling the control requirements is much easier, and more importantly, you have the benefit of knowing that your sense of security is real.
