As organizations continue to accelerate their digitalization efforts, those with early-adopter mindsets may be eager to rush into the next big thing due to curiosity or hype. In recent years, emerging technologies such as artificial intelligence (AI), cloud services, blockchain and the Internet of Things (IoT) have proliferated and attracted significant adoption. One of the contributing factors could be due to the increased number of digital natives within the global population who are more comfortable with digital technology and the adoption of new technologies.
From an organizational perspective, managing the security and risk associated with emerging technology can be challenging. To stay ahead, organizations may feel pressure to adopt these emerging technologies without conducting detailed and balanced risk and benefit assessments. But, to avoid being blindsided by potential threats, the risk involved in using these technologies must be understood and considered.
The Hype of Generative AI Services
One of the latest popular emerging technologies is generative AI. Mckinsey describes generative AI as “algorithms (such as ChatGPT) that can be used to create new content, including audio, code, images, text, simulations, and videos. Recent breakthroughs in the field have the potential to drastically change the way we approach content creation.”1 The global sensation of generative AI could be due to ChatGPT, which was launched for public use in November 2022. Two months after it launched, it had 100 million monthly active users. With its launch, ChatGPT set the record for the fastest growth of a platform.2 With such a rapid adoption rate, organizations must assume that ChatGPT or other generative AI services will be used by members of their staffs in one way or another.
With such a rapid adoption rate, organizations must assume that ChatGPT or other generative AI services will be used by members of their staffs in one way or another.
Emerging technologies offer unique benefits to their users. For example, generative AI services enable users to boost their productivity by generating content based on prompts without requiring the involvement of a human expert or specialized expertise.3 Users can utilize various generative AI services for different purposes such as creating artwork, writing computer code, explaining complex topics or gaining an understanding of a new domain.
However, looking past the hype, the use of emerging technologies is not without risk. Management should be cautious of the potential negative impact and risk to the organization. In the case of OpenAI’s ChatGPT, it encountered a data leak, and the service was taken down for 10 hours after users noted that they could see titles of other users’ chat histories. In addition, personal data from 1.2 percent of ChatGPT Plus subscribers were also potentially revealed.4
From a regulatory and governance perspective, Italy became the first country to ban ChatGPT over privacy concerns,5 and China6 and the United States7 are looking into the regulation of AI. In addition, technology leaders called for a pause on generative AI development and implementation, citing the fast pace of AI development and a lack of robust AI governance in place as significant concerns.8
Although many organizations embrace the mantra of “start small, think big, act fast,” it is important to balance this with careful consideration of the risk involved. It is understandable that organizations want to stay competitive and keep pace with the latest trends, but it is also important to approach emerging technologies with caution. Without adequate controls in place, organizations may unintentionally exceed their risk appetite when using these technologies.
Minimizing Risk From Emerging Technologies
The key is to find a balance between taking advantage of the benefits of technology and managing risk. Achieving this balance involves careful assessment of the risk and benefits of each technology and implementation of appropriate controls to mitigate the risk. Organizations should also perform ongoing monitoring and adjust their risk management approach as emerging technology evolves.
To minimize risk while embracing emerging technologies, organizations can consider 4 key factors:
- People—As noted, most organizations may not be able to prevent their staff from using publicly available emerging technology services. Staff members may find ways to bypass technical controls and access these services using personal devices, leading to potential negative consequences such as data leaks. Therefore, organizations should educate staff members on these technologies to promote awareness, develop a culture of security and communicate expectations. Organizations can also provide clear guidance as guardrails to staff members when they use these technologies.
- Data—Organizations should review and understand their data policies to identify any gaps or hazards when it comes to emerging technology services. This will enable them to assess the type of data suitable for uploading to or using with these services. In addition, organizations should implement technical controls, such as monitoring for data leaks through Internet browsers and Internet traffic, to detect and prevent potential data leakage or violations in a timely manner.
- Regulatory—In the technology domain, particularly in emerging technology, regulations are not always proactive, which can result in inadequate coverage. However, regulations often catch up when the technology matures and its risk becomes clear. Therefore, organizations should frequently review the regulatory landscape to avoid breaching any regulatory requirements as this could lead to serious reputational or monetary damage.
- Adversary—Although technologies themselves can be seen as neutral, they can be abused by adversarial actors. Therefore, organizations need to be vigilant of the adversarial use of emerging technologies as part of their threat landscape assessment and understand how their security posture can be affected if such actions are taken. In addition, organization should periodically review their current security controls against these potential adversarial activities to ensure that they remain effective. In the case of generative AI, these security controls can include antiphishing protection and insider threats mitigation.
Conclusion
The next emerging technology is always just around the corner. Organizations must be comfortable with both embracing these technologies and managing the uncertainties that come with adopting them to avoid falling into the hype trap. This is especially crucial for security and risk professionals such as chief information security officers (CISOs) because they are often tasked with assessing risk that could impact the organization. By taking a risk-informed approach, security and risk professionals can navigate the path forward in a way that balances the potential benefits of emerging technologies with the risk they may pose.
Endnotes
1 McKinsey and Company, “What Is Generative AI?” 19 January 2023
2 Hu, K.; “ChatGPT Sets Record for Fastest-Growing User Base—Analyst Note,” Reuters, 2 February 2023
3 Chui, M.; R. Roberts; L. Yee; “Generative AI Is Here: How Tools Like ChatGPT Could Change Your Business,” QuantumBlack AI by McKinsey, 20 December 2022
4 Tarantola, A.; “OpenAI Says a Bug Leaked Sensitive ChatGPT User Data,” Engadget, 24 March 2023
5 McCallum, S.; “ChatGPT Banned in Italy Over Privacy Concerns,” BBC News, 1 April 2023
6 Ye, J.; “China Proposes Measures to Manage Generative AI Services,” Reuters, 11 April 2023
7 Shepardson, D.; D. Bartz; “US Begins Study of Possible Rules to Regulate AI Like ChatGPT,” Reuters, 12 April 2023
8 Kelly, S. M.; “Elon Musk and Other Tech Leaders Call for Pause in ‘Out of Control’ AI Race,” CNN, 29 March 2023
Meng Fai Chan, CISA, CDPSE, CISSP, GRID
Is a seasoned technologist with more than 15 years of experience in the technology risk and cybersecurity field. Throughout his career, he has worked extensively across both private and public sector organizations, bringing a wealth of knowledge and expertise to each role he undertakes. His passion for staying up to date on emerging trends and best practices in the field enables him to deliver exceptional results for his stakeholders. As a trusted advisor, he is committed to improving security posture and minimizing risk in today's rapidly evolving technology landscape.