The blockchain’s distributed ledger paradigm is serving as the supporting foundation to some forms of digital transformation, including the utilization of cryptographic virtual currencies (VCs) such as Bitcoin. These virtual currencies are actively utilized around the globe, both within and outside the circuits of formal economies of countries, with important financial implications including increased economic disintermediation, financial inclusion and extended digital pseudo-ecosystems that combine people, business entities, and a new generation of smart connected components.
Not only is the whole fintech industry becoming substantially disrupted by the paradigm due to the ability to move money in a decentralized and secure peer-to-peer model, but virtually all other industries are prone to substitute often bureaucratic procedures for more automated and smarter business practices.
During recent years, global organizations including the United Nations system, Multilateral Development Banks (MDB), International Financial Institutions (IFI), and the World Economic Forum, were actively engaged in their respective roles trying to assess the impact of this paradigm on the societies and economies of the world.
The World Economic Forum, through its intellectual debate about the Fourth Industrial/Digital Revolution, as well as one of its Global Future Councils focused on the “Future of Blockchain,” has been vocal and active on the topic, stating that “blockchain is more than just moving money. It has the potential to transform our lives, and to make the world a more efficient, frictionless place. The number of people around the world living in either broken systems or entirely corrupt systems is staggering. If done right, blockchain could positively reform entire systems.”
In January 2016, the International Monetary Fund released a first-of-its-kind professional paper called “Virtual Currencies and Beyond: Initial Considerations.” This so-called staff discussion note gave serious consideration to how new technologies are driving transformational changes in the global economy, including the emerging utilization of virtual currencies created as private sector systems that, in many cases, facilitate peer-to-peer exchange, bypassing traditional central clearinghouses. The paper also notes that “VCs offer many potential benefits, including greater speed and efficiency in making payments and transfers—particularly across borders—and ultimately promoting financial inclusion. At the same time, VCs pose considerable risks as potential vehicles for money laundering, terrorist financing, tax evasion and fraud.”
In a separate article, the IMF explores the topic of how “The Internet of Trust” is transforming the financial sector. Per its proponents, Bitcoin’s blockchain technology can be used to transform the financial sector fundamentally, for example by reducing the settlement time for securities transactions. With faster settlement, less money needs to be set aside to cover credit and settlement risks—just as collateral is not needed for a cash transaction.
The Inter-American Development Bank (IADB), the main regional development institution for Latin American and Caribbean countries, in March 2017 released the discussion paper “Digital Finance: New Times, New Challenges, New Opportunities,” explaining the financial implications of distributed ledger technologies applied in the region and around the world. The paper explains that “there is growing consensus in the financial services industry that distributed ledger technology (DLT), also known as blockchain, might just be the answer to the need of more efficient management of collateral [risks], resulting in more firms accessing credit, as well as … freeing up intermediaries’ capital for lending, and potential effects on SMEs’ direct and indirect access to multiple ways of credit.”
Now, coming back to the question of what implications and motivations this new paradigm may have in our professional life, I believe that a new generation of IT governance, oversight and assurance professionals is called to play an elevated role in future ecosystems, economies and societies.
Similar to other emerging topics such as the advanced application of artificial intelligence (AI), big data, cloud computing, and Internet of Things (IoT), this must occur only by providing an unprecedented new level of verification and trust required by the stakeholders to sustain a paradigm that intends to be intrinsically resilient and secure by keeping distributed copies of the thematic ledger supported worldwide, using cryptographic proofs of data integrity and providing tamper-proof ledger entries.
Extraordinary challenges and opportunities are ahead for the millennials’ generation of assurance professionals, when called to provide both holistic and transactional assurance on increasingly complex digital ecosystems that involve people, processes, systems, as well as connected physical entities.
But the level of disruption to the assurance profession may not stop there. As another report from the World Economic Forum, “Here’s Why Robots could be the Future of Finance,” pointed out, the traditional tasks of human audit work are also highly subject to substitution by artificial intelligence interventions. Meanwhile, some audit tasks may be better assisted by this advanced application of technology. We, the auditors, will face the challenge of providing assurance to our stakeholders that these algorithms are effectively well designed, implemented, deployed and operating as expected.
In our profession, traditional auditing will remain necessary in many parts of the globe and in many traditional business environments for a while. However, and no less importantly, a new generation of millennial auditors will need to raise the bar by providing increasingly complex assurance services in more agile business environments and in support of upcoming digital transformations. A different professional audit mindset and additional expertise will be required to satisfy the expectations of stakeholders and business owners in this new world.
Fernando D. Nikitin, MBA, CIA, CRMA, CCSA, CISA, CGEIT, CISM, CRISC, CISSP, CBCP, TCNA, Principal Auditor, Inter-American Development Bank
We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.
The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!
Our hyperconnected world, comprised of myriad networks – both machine and human – has brought us to the precipice of a fundamental revolution and redefinition of the human experience and our socio-political and military world order. This is what author Joshua Cooper Ramo wants us to grasp in the book The Seventh Sense: Power, Fortune, and Survival in the Age of Networks.
The Industrial Revolution was a similar event. The advent of the personal computer, which replaced the typewriter, and the subsequent era of enterprise networks were others. Then came the internet era. Now we exist in a mesh of networks, which feature both concentration and distribution, and remarkable levels of persistence and resilience. The old definitions and practices of information security and governance, cybersecurity, and business strategy, developed in eras past, no longer work.
Failure of executives to grasp this pivotal change, and their concomitant failure to tailor organizational and business strategy to the new reality, is the primary cause of organizational malaise and the massive cybersecurity breaches we have experienced. The author calls for a new breed of digital-native executive leaders who will inherit the problems and need to develop lasting solutions for the future.
We have experienced such revolutions in the past. Each time a new world order was created, decision-making and practices of the old world order ceased to function. Organizations and leaders who practiced outdated thinking were quickly wiped out or reduced to irrelevance. Each new world order also realigned the centers of power.
British imperial power and the subjugation of wide swaths of the world were fueled by superior technology, naval power, and education. Then, when the rest of the world began to innovate for a new era, there was a fundamental realignment of power. Today terrorism, war, cybersecurity, privacy of data, and even human relationships are being redefined by the network.
As the author states, “…networking something fundamentally changes its function.” Executives need to recognize that – yet they are not doing so because they lack the appreciation and understanding of the new networked world order and are still making decisions and developing strategy using the models and thinking of a bygone era.
Review
I have noticed political and business executives making seriously flawed decisions using models of the past. I have observed them being completely baffled by the hyperconnected new world. The book The Seventh Sense: Power, Fortune, and Survival in the Age of Networks (2016) by Joshua Cooper Ramo helped me understand why. The author helps us understand why we critically need cybersecurity leadership and digital strategy of a new kind.
The book has three parts, which I have broken down for you herein.
Part One explains the nature of the current age. This section explains why hyperconnectivity and the networking of everything, including human relationships, through networks and digital connections needs to be viewed differently. This is similar to recognizing that the world of analog systems and analog networks is gone. Analog thinking is anachronous in a digital world. Similarly, failure to recognize the new hyperconnected era, and failing to adapt to the exigencies of this new world order, can result in existential threats to leaders, organizations, and nations.
Part Two discusses what the author calls “The Seventh Sense,” which is a new way to view everything. Connectivity, as the author states, changes the very nature of everything. Thus, a networked heart monitor or pacemaker cannot be regarded as just a heart monitor or a pacemaker anymore. Similarly, terrorism, crime, pornography, bullying, forensics, and warfare conducted through the digital signals of a global network cannot be dealt with using the knowledge and models of the past. Executives need to think differently.
Humans have developed an intuition for dealing with events and circumstances of the past; some have called this the sixth sense. The author calls upon everyone – especially executives in charge of making consequential decisions – to develop a seventh sense to make strategic decisions relevant for a digitally hyperconnected new world. Business organizations, countries, and societies that fail to adapt to this new world are in real danger of becoming irrelevant.
There are numerous examples of previously powerful business organizations, nations, and societies that dominated in an older world order, but were rendered irrelevant and powerless in a new world – simply because they failed to anticipate, recognize, and adapt as the world around them changed. The author shares examples of such companies as Google and Uber that not only anticipated, embraced, and shaped the new world but were able to find gaps and unfulfilled opportunities, which allowed them to redefine the new world order in a way that benefited them. In doing so, they also became existential threats to organizations that were still living in the old world order.
The author shares how strategic leaders like Steve Jobs were able to imagine the future of smartphones, music consumption, and even movie production in a hyperconnected digital world, while many other contemporary leaders were still dabbling in an analog world. Leaders need to be able to recognize when the playing field has changed. Leaders cannot afford to play chess on a two-dimensional board when the board itself has morphed into multiple dimensions.
They cannot denigrate the new dimensions either – but must embrace them. I still remember the time in the late 1980s and early 1990s when we were building email systems and enterprise networks to replace the mainframes; people in the mainframe world called these systems a passing fad. Today, these very email systems and enterprise networks have become obsolete as new forms of human communications and hyperconnected business networks have become the new normal.
Yet, many enterprise technology organizations and executives have not adapted to the new world and are still focused on perimeter security in a world where there is no perimeter. They wish to control endpoints in a world where these endpoints do not belong to them. These executives are still discussing and demanding security as a static desired state when there is no such thing as absolute security anymore.
Cybersecurity is certainly not synonymous with security. Rather cybersecurity is a process of dynamic, continuous innovation and dynamic, continuous risk management – full of opportunities as well as pitfalls.
Part Three discusses how the power structure is being redefined in this new world. The author details several historical shifts in global power. Control of rivers, water supplies, and other land-based routes determined power during an era. At some point, it was replaced by control of the global waterways. Global naval superiority determined the British dominance of the globe. This was replaced by the rise of American global power through an unprecedented rate of innovation, which led to global domination in air power, military might, and economic strength. Sheer technological and financial superiority powered by an unprecedented pace of innovation unleashed by capitalism replaced all other forms of power.
Today, global power centers are in the process of realignment. A lot of power now resides in knowledge and information, as well as the control and sharing of such knowledge and information. Power will also be determined by the ability to understand and control the protocols and networks used for transmission. In a hyperconnected world, especially with unimaginable amounts of information being fed into the network, false information with rapid dissemination mechanisms can have dramatic consequences. Therefore, Facebook and Twitter have far more consequential relevance in this new world than traditional communication media, such as newspapers and TV.
In such a world, personal and corporate brands, and messaging, can shape people’s beliefs about reality. Once an affiliation with a brand is established, that brand can shape reality through messaging disseminated rapidly using new forms of communications. Failure of leaders to appreciate and harness the power of new forms of communications and develop the strategies, rules, regulations, and even laws that cater to the modern era can have massive implications in determining the winners and losers in the new world order.
Conclusion
The need for executives to think differently and have a digital strategy is acute. Author Joshua Cooper Ramo provides an easy to understand explanation of the new world, along with an analysis of the major epochal shifts we have seen in the past several hundred years.
Personal computers and the network were invented in the United States. In the past, as nations fought for domination of the land, water, air, and space dimensions – since the cost barrier for domination of these dimensions was extremely steep – the economic might of the United States allowed it to quickly overwhelm other nations in these dimensions.
However, global hyperconnectivity has created a completely new dimension, and the cost barrier for entry into this dimension is very low. In addition, the United States has done very little to restrict global open access into its systems. Readily available, low-cost access to technology has democratized the power of communications, influence, and even warfare into the hands of individuals. Therefore, a small band of malicious actors can cause massive damage on a global scale. Most often, their acts are not even regarded as acts of war. While international treaties related to conventional or even nuclear and chemical weapons exist, such treaties related to cyberweapons are non-existent.
In the past, in order to influence political outcomes in foreign countries or expand global power, nations had to fight wars, conduct espionage, and even resort to assassinations. Now, such actions can take a different form. Character assassinations through negative ads (frequently with no basis in fact), and false stories as well as pictures and videos are just as effective as actual assassinations – sometimes more so.
Information war and cyberwarfare are also incredibly cheap. Since laws and international agreements in these new areas are non-existent, foreign nations can influence political outcomes in countries as powerful as the United States or France without even being accused of warfare or crime. They do not have to use bombs to blow up communication systems, roads, or bridges; they can target networks controlling information media, or the networks controlling the national critical infrastructure, and exact far more consequential damage without the expense, stigma, or loss of lives created by conventional warfare.
Large swaths of people and even politicians and governments do not even view such actions as acts of war. Clouded by the thinking of the past, they use mild terms, such as “meddling” or “interference.” Even the active participation of a political campaign to support or benefit from foreign acts of cyberwarfare is viewed mildly and accepted by many as “opposition research.” If the same actions had taken place in a different dimension, such as a land attack, a sea attack, or an air attack, the language used would have been completely different.
Information-based decision-making at both the personal and organizational level is no longer possible using decision-making models of the past. Most of these models are not capable of differentiating between true and fake information. Decisions based on fake information will be seriously flawed.
Whether we call it The Seventh Sense or a new industrial revolution, or a completely new epoch, the old world is gone – and will never return. Executives who recognize, embrace, adapt, and rapidly develop a strategy to address this new world will leap ahead in the future power structure of this new world order. Joshua Cooper Ramo’s book The Seventh Sense: Power, Fortune, and Survival in the Age of Networks is a Cybersecurity Canon nominee for providing us a succinct and convincing analysis of a new world order that we all must understand in order to survive and thrive in it.
Recent and widely publicized cyber attacks must be the impetus for a renewed and more concerted and coordinated global commitment to strengthen cyber security capabilities.
In May, the WannaCry ransomware attacks struck, underscoring the potentially disastrous consequences for health care facilities and their patients when medical records and medical devices are compromised. June brought yet another major attack in Petya, originally characterized as another widespread ransomware attack, but later revealed to draw upon a form of malware that does not steal data but, in fact, destroys it.
These types of attacks, and those that will follow, accentuate the increasing concerns about the continued escalation of the global cyber security crisis. The crisis is no longer just about stealing money and data; it is now placing human lives at risk. While health care has been a primary target this time around, more threats loom on the potential for breaches or compromised access to industrial control systems that could result in penetration of critical infrastructure systems such as electric utilities, oil and gas facilities, or nuclear energy plants. This shines a spotlight on the need for a unified global response now.
Amidst the challenges of the current threat landscape, there are promising signs that an increasing number of enterprise leaders and boards of directors are making the defense of their organization against ransomware and other cyber threats a top priority. ISACA’s State of Cyber Security 2017 research showed the percentage of organizations with Chief Information Security Officers (CISOs) is up to 65 percent, a 15-point rise over the year before. And in a micro-poll of the ISACA professional community in the immediate aftermath of the Petya incident, half of respondents indicated they took action after WannaCry to bolster their defenses – in case something like Petya showed up.
Additionally, half of the post-Petya poll respondents indicated their organizations provide ransomware awareness training to their staff, and more than half of organizations are applying software patches within the first week that they are available. That’s a good start. Promoting cyber security awareness and adhering to basic cyber security fundamentals needs to be as common in the global digital economy as seatbelts are in cars. We have a long way to go to make this the reality.
While the past several months have created an aura of inevitability around major attacks, more than 4 in 5 respondents to our micro-poll indicate they expect ransomware attacks will be even more prevalent in the second half of 2017. We cannot accept this level of havoc as a ‘new normal.’ Putting in place a viable incident response plan is critical, but what’s worthy of further investment is protection before an attack happens. Every organization should proactively employ cyber security awareness for all staff, performance-based cyber security skills training, timely hardware and software updates, and the hiring of the most highly skilled staff to ensure preparedness for the next attack, ransomware or otherwise. Start with an assumption that your organization will be the next target of a cyber attack.
Governments need to exhibit bold leadership and do more, too. This includes a commitment from G20 nations to expand cyber security research and training, and standardize some of the measures that individual nations are putting in place. G20 nations also should consider providing cyber security resources and support to nations that are not equipped to invest in themselves, as the connectivity of the global digital economy means all of us are in this together. This can help amplify the reach of encouraging efforts that are unfolding at national levels, such as the UK’s National Cyber Security Strategy and the recent executive order on cyber security in the US. Expanding public-private cyber security partnerships, while leveraging the resources of industry associations and academia, also should be part of the solution.
As a global community, we remain vulnerable to the cyber threats that already are here today, as well as the ones that will surface tomorrow. We cannot fall victim to cyber attack ‘fatigue’; attacks like the WannaCrys and Petyas cannot become “business as usual.” Cyber security is everybody’s business. Cyber security is more than pickpocketing; it’s a matter of public safety. Awareness must translate into resolve, not resignation. Only then will we make even greater leaps toward a more safe and secure future.
Editor’s note: This blog post by ISACA CEO Matt Loeb originally appeared in CSO.
Matt Loeb, CGEIT, CAE, FASAE, Chief Executive Officer, ISACA