[BreachExchange] Technology risks: What CIOs should know and steps they can take

Destry Winant destry at riskbasedsecurity.com
Mon Oct 22 10:21:17 EDT 2018


Adopting new tech helps businesses thrive, but CIOs must be aware of
accompanying risks. Experts sound off on how new tech continues to
muddle the cybersecurity threat landscape.

The cloud, AI and IoT have become ubiquitous in the business setting,
but the technology risks that come with adopting these innovations
have ushered in a wave of unprecedented security concerns for

Organizations that use any technology or service model that connects
to the public internet -- whether the cloud, AI or an IoT tool --
leave the door open for hackers to access their data and upload
malware, OpenVPN CEO Francis Dinha and other experts said.

"It is not an exaggeration to say you're essentially putting your
entire business at risk if you do not ensure these tools are
completely secure," Dinha said. "If you start using one of these new
tools assuming your technology is secure, you're starting out at a

Another problem is that many users assume that new technology is
developed with security in mind, when the reality is most developers
and designers do not have a security background. A general lack of
awareness about technology risks and a lack of user education about
their role in the process add to these risks, Dinha and other experts

For CIOs, it's important to look past the ways new technology can
benefit the company and consider the associated, underlying risk that
comes with it. To start, they should consider use cases that serve as
prime examples of how certain technologies can be abused, TCE Strategy
CEO Bryce Austin said.

"CIOs need to think like a potential criminal before they bring [any
new] technology into their organization," Austin said.

Cloud data security concerns

The cloud certainly enables business scalability and flexibility, but
it can also introduce a variety of new challenges and technology
risks, said Ed Featherston, vice president and principal cloud
architect at Cloud Technology Partners.

Organizations are often operating under the on-premises data center
mindset -- where there is full control over all the assets, storage,
compute and network -- when moving to a cloud environment. Cloud
computing turns that concept on its head, Featherston said, and
understanding the differences is critical to dealing with the threats
and risks associated with cloud implementation.

A lack of appropriate compliance and control mechanisms can result in
inadvertent security risks like the highly publicized AWS S3 bucket
data breaches, he added.

CIOs don't want to prevent their organization from taking advantage of
the flexibility that cloud offers, but they need to provide control
processes and alerts to avoid intentional and unintentional violations
that put their organizations' data at risk.

"It is a delicate balancing act between providing the benefits of a
cloud environment to an organization in an easy to use fashion vs.
protecting your data," Featherston said. "I liken it to walking a
tightrope over a tank of hungry sharks: One misstep in either
direction can be very dangerous."

AI and IoT technology risks

Although AI and IoT devices bring increased convenience and
connectivity, this accessibility also creates a larger attack surface
for cybercriminals to exploit, said Jessica Ortega, product marketing
specialist and member of the SiteLock research team.

Artificial intelligence can automate mundane tasks and make complex
tasks easier, she said, but when not properly secured it can easily
expose sensitive data to cyberattacks.

"Automated systems are often created to fill a gap in processes out of
necessity or in an emergency, but that means that security is an
afterthought," Ortega said.

Another issue with machine learning algorithms is a lack of
transparency: Most cybersecurity professionals don't know what's
inside them, Gartner analyst Avivah Litan said. Security
vulnerabilities can also arise from a third-party algorithm created
with malicious intent, she added.

When it comes to technology risks stemming from IoT, Ortega said the
lack of proactive security in connected devices creates malware
vulnerabilities that malicious actors use to access a company's internal

What CIOs can do to ward off technology risks

Litan's advice for CIOs is to steer away from adopting any technology
that they don't completely understand. CIOs also need to hire the
right people on their team to implement and manage these complex
technologies, she added.

For example, data scientists and AI specialists are in high demand as
new tech is incorporated in enterprise processes.

"The bottom line is you can't manage anything that you don't
understand. You need to make sure you understand what it's doing and
need to have quality control processes [in place]," Litan said.

CIOs should ensure that any new technology is only accessible to those
who absolutely need it for their job, OpenVPN's Dinha recommended. Any
access point should utilize two-factor authentication to keep hackers
from taking control with brute-force attacks, and CIOs should educate
their teams to make sure they understand technology risks and their
role in protecting the company's data and privacy, he said.

"Have a clear policy on how cybersecurity is managed with each
individual piece of new technology and educate everyone on the best
practices," Dinha said.

When developers are creating AI or task automation, CIOs should be
wary of what shortcuts their teams take and what "Band-Aids" are being
deployed, SiteLock's Ortega said. One major concern is to ensure that
AI has access only to the data necessary to complete its assigned
task, she explained.

"Taking a proactive approach and instilling a culture of security
awareness stops convenience from becoming dangerous, keeping sensitive
data safe at every level," Ortega said.

Given the evolving cybersecurity threat landscape, Austin said it's
time for organizations to make the shift to behavior-based
cybersecurity. Isaac Sacolick, president at StarCIO and author of
Driving Digital: The Leader's Guide to Business Transformation Through
Technology, agreed.

"It's a significant challenge to use traditional rule-based
cybersecurity technologies that protect the perimeter, and enterprises
need to consider technologies that study and respond to behavioral and
pattern based security events," Sacolick said.

The classic network perimeter or on-premises security mentality is not
enough in the current digital age, Cloud Technology Partners'
Featherston said. While the perimeter is still a factor and important
security consideration, CIOs must consider how business innovation
creates unforeseen risks for the company.

And because these innovations evolve so rapidly, CIOs must make sure
their company's security efforts follow suit.

"The barbarians are at the gates, leveraging every technology tool in
the toolbox with one, and only one, business goal in mind: getting at
your data," Featherston said. "Security in this new day and age is
never a once and done. It is a constantly moving, changing and
evolving process."
