Editor’s note: This is the final in a weeklong series of ISACA Now blog posts sharing guidance on how to start 2025 strong across digital trust professions. Today, we focus on how digital trust professions can make better use of emerging technology in the new year.
As we begin 2025, it is apparent that technology will continue to advance rapidly. It is an ongoing challenge to evaluate the wealth of emerging technologies, whether it is from the perspective of an adopter/implementer or a risk/audit professional providing insight and assurance. As risk and audit professionals, we can add significant value to the organizations we work with when we are able to rise to this challenge.
The following are five practical approaches for making better use of emerging technologies in the new year:
1. Stay Informed About Emerging Technologies and Risks
A primary challenge in preparing for better use of emerging technologies is staying aware of what those emerging technologies are. There are a variety of sources that can be used for this purpose, including industry/trade publications, podcasts, networking, training and conferences. ISACA provides a wealth of information that can be used for this purpose and many industries have specific sources that can be used.
We all have limited time and resources, so I find it best to be intentional about staying informed and up to date on emerging technologies. I like to carve out time in my day or week, perhaps early in the day before it gets busy, to catch up on articles and news. I then make myself a focused list of specific things I want to research further and identify opportunities to make that happen by managing my schedule. If you work on a team, it can be helpful to designate a rotating group of individuals to monitor the emerging technology and innovation landscape and have those individuals make informal presentations at team meetings. This can prompt beneficial conversations among your teams and help with knowledge-sharing, but it’s also a great opportunity for professional development of team members.
For audit and risk professionals, the information gathered through individual or group-based processes should serve as a key input to ongoing risk assessments that can feed into monitoring and testing processes. Staying informed is foundational to making better use of emerging technologies.
2. Understand Your Organization’s Strategy
While understanding the overall emerging technology landscape is a starting point, it’s also helpful to understand the environment you are operating within. Ideally, audit and risk professionals will have a seat at the table to understand the direction your organization is heading. Some organizations and industries will be on the leading edge of technology, while others may choose to be slow adopters, with many organizations somewhere along the spectrum of these two approaches.
It is likely not a feasible strategy for organizations to take the stance that they will not adopt any emerging technologies. Think about the rapid rise of generative AI – it is often the employees of an organization who will be proactive adopters, versus adoption at the direction of management and Boards. Organizations must be prepared to evaluate, direct, manage and monitor these technologies through strategic planning and implementation, along with communication of applicable policies to govern the use of these technologies.
3. Advocate for Proactive Analysis of Opportunities
In line with the previous point, audit and risk professionals should advocate for the application of a replicable risk framework for evaluation of opportunities using emerging technology. We should keep in mind that risk management isn’t just about identifying, measuring and managing the potential downside of opportunities, but also the upside. Emerging technologies are likely going to carry significant elements of both upside and downside.
Risk analysis frameworks should capture both elements. Risk assessment frameworks for emerging technologies should also be tied to the organization’s strategy and overall risk management framework. The output should align with the defined risk appetite and tolerances of the organization. This is a great opportunity to align technology and business together, and to ensure that any emerging technologies considered support the organization’s overall strategy.
4. Collaborate with Others
The three lines model is a key component of adding value to our organizations. Particularly when it comes to emerging technologies, some groups within an organization may be able to provide more specialized input or analysis than others. For example, many emerging technologies, such as AI-based technologies, are going to have a heavy data-driven element, which has privacy and security implications.
Involving risk specialists in identification of emerging technologies and evaluating them for potential adoption can help minimize the likelihood of risk and control gaps in the process. When decisions are made to implement an emerging technology, involving risk, compliance and control specialists early in the process can minimize costly mistakes or delays in project management.
5. Ensure the Basics are Covered
Although there may be advanced technological components involved in emerging technologies, one of the best ways to more effectively (and safely) make use of emerging technologies is to make sure the basics are being done well. For some of our organizations, this may mean advocating for more formality and maturity in the realm of data governance practices before embarking on the adoption of emerging technologies.
Change management and project management will also likely be significant aspects of adoption of emerging technologies. For all our organizations, ensuring that existing control frameworks are applied is key. If you want resources to assist, the CIS Top 18 is an excellent place to start. The CIS Top 18 succinctly captures the control categories of security best practices, including hardware and software inventories, access management, and training and awareness. Ensuring the basics are applied, even with advanced emerging technologies, will go a long way toward reliable and effective adoption that balances risk management and security considerations.
In 2025, Be a Champion of Change
In summary, having consistent and repeatable processes to stay informed, evaluate and measure risks, collaborate with others and apply best practices for security controls can carry an organization a long way in more effectively using emerging technologies. Audit and risk professionals can be champions of change and proactive risk management practices that promote more effective adoption of technology, regardless of the specific technology being considered.
