Security Think Tank: Blockchain – balance risk and opportunity for smart security

Enterprises are currently in the throes of digital transformation. Numerous technologies are helping power many of these transformations and, depending on who you talk to, a particular technology is the hottest one and is expected to change everything dramatically.

One such technology is blockchain, which has fans not just in the for-profit enterprise space, but also in government and the public sector. Worldwide spending on blockchain systems is expected to grow from $1.5bn in 2018 to an estimated $11.7bn by 2022.

Proponents believe that appropriate application of blockchain technology can solve problems on many fronts. In its simplest form, a blockchain is a distributed record or ledger of transactions which is also encrypted, with use cases including land record management, various applications in the banking and financial services industry, and everything else in between. It even promises to provide displaced populations with a way to maintain identity records.    

While enterprise transformation is one of the outcomes of all these technologies, juxtapose any of these technologies and what they are doing in the context of the enterprise and it becomes clear that each new technology opens up a Pandora’s box from the perspective of the information security professional, irrespective of the role he or she plays – be it governance, risk management or an assurance professional’s role.

I have been hearing a lot about blockchain and the various uses it can be put to and thought I should explore how the technology can be used by an information security professional.

With the rate at which technology is evolving, it is clear that we no longer live in a nine-to-five world, but rather in a world which is on and operating 24/7, and one where the customer is no longer just local, but global. Both of these evolving dynamics bring their own challenges.

Considering blockchain is a distributed record, one of the simplest things that can be done is to identify what data is to be recorded for each transaction and ensure that it is considered when establishing the blockchain algorithm and rules governing it. This will mean that all relevant details will be recorded for posterity, establishing an audit trail, which will withstand necessary scrutiny within the enterprise and from a regulatory perspective.

Add to this mix the fact that the data is encrypted and cannot be changed by any “one” entity, and an ironclad forensic trail can be established with the right configuration of the blockchain.  

Second, with advanced configurations of blockchains, such as smart contracts, information security professionals can ensure that reporting and record-keeping can be tagged to specific circumstances, such as exceptions and violations of rules, and automatically ensure that such transactions are subject to special scrutiny, both within the business process and also from an audit perspective.

From the perspective of the business process, this will mean that exceptions, violations or frauds can be caught earlier, making remediation easier, apart from also ensuring appropriate reporting in compliance to regulatory requirements.

From the perspective of the auditor, this will mean the auditor is able to focus on exceptions or violations early in the cycle, rather than by coming in post facto, enabling audits to become more current/real-time rather than something that happens after the horse has bolted.

This second aspect will become increasingly critical, because in the world of new technology, enterprise executives expect more from the information security professional/auditor, especially in terms of being able to use audits from a strategic perspective, rather than just to provide assurance.

In many instances, information security professionals can use other capabilities of blockchain, such as the ability to manage the identity of users, ensure data integrity, bring about business process efficiencies, use tokens to build trust among all the parties involved, reduce the need for interventions in processes required for authentication by decentralising the record-keeping, and making use of blockchain’s famed and much-touted capability for disintermediation. 

Blockchain technology can also be used to track the use and distribution of copyrighted content, such as music, books and movies, enabling the protection of key enterprise assets, which the information security professional will do well to understand and apply to other areas in the enterprise that need protection, keeping with the confidentiality-integrity-availability (CIA) triad that forms the cornerstone of information security.

At the end of the day, it is incumbent on the information security professional to ensure that he or she puts on their governance, risk and compliance hats to ensure that challenges, opportunities, risk, threats and vulnerabilities from the use of blockchain technology are identified appropriately and actions taken to enable effective usage by the enterprise.

A discussion during ISACA’s 2019 North America CACS IT Audit Leaders Summit highlighted concerns, both within the enterprise and the audit function, about the importance of assurance in the context of emerging technologies such as blockchain, which is being widely piloted across a range of industries.

The conversation reinforced the view that it is imperative for the information security professional, irrespective of their role, to ensure alignment of technology risks with the strategic vision of the organisation. The information security professional should ask the right questions that enable enterprises to understand the risks, and support the enterprise in effectively mitigating the risks, allowing organisations to remain resilient in the face of emerging threats and vulnerabilities.

This will facilitate the adoption of blockchains that allow enterprises to accrue the strategic advantages such adoption promises, including the rise of new business models and value chains.