Episode 18: Identifying and Managing Emerging Risks (AI, Quantum, IoT)

Welcome to The Bare Metal Cyber CISM Prepcast. This series helps you prepare for the exam with focused explanations and practical context.
Emerging technology risks represent one of the most difficult areas for security leaders to manage. These risks originate from innovations that evolve faster than existing controls, governance structures, and legal frameworks. Because these technologies are still developing, traditional risk models that rely on historical data often fall short. This lack of precedent introduces uncertainty—not just in how these technologies will behave, but in how attackers might exploit them. Organizations must manage uncertainty around impact, scale, and timing, especially as these technologies are rapidly adopted without mature control guidance.
When governance structures lag behind innovation, new attack surfaces appear faster than they can be secured. AI-driven applications, quantum computing, and the explosion of IoT and edge devices all present significant challenges. Identifying these risks early is critical to proactive mitigation. If ignored, emerging technologies can introduce silent vulnerabilities that may remain undetected until exploited. For the CISM candidate, understanding these risk types—and how to evaluate and manage them—is key to sustaining resilient security programs in fast-moving business environments.
Artificial Intelligence and Machine Learning introduce risks that are distinct from traditional software. These systems are vulnerable to adversarial inputs: data crafted to mislead or manipulate the model. Attackers may poison training data so the model learns attacker-chosen behavior, or craft evasion inputs with small perturbations that flip the model's output while still looking normal to a human. Applications built on large language models add prompt injection, where instructions hidden in untrusted content hijack the task the model was given. AI also poses risk when used by adversaries. Threat actors can leverage AI to automate reconnaissance, optimize phishing, or generate malware variants, significantly increasing the scale and efficiency of their attacks.
A growing concern is the loss of transparency and accountability in AI decision-making. Many AI models operate as black boxes, making it difficult to trace how decisions are made. This raises questions about auditability and compliance, especially when decisions affect customers, employees, or partners. Privacy is another issue. Training data may include sensitive or regulated information, and a model can memorize individual records and reproduce them in its outputs, or reveal through membership inference whether a given record was part of the training set. Finally, validating and securing AI systems is inherently complex. Self-learning systems evolve in unpredictable ways; a model retrained on production data drifts, so a control validated at deployment is not validated afterwards, and traditional static security models are inadequate.
Quantum computing introduces a completely different class of risk. A sufficiently large quantum computer running Shor's algorithm would break the public-key algorithms behind most of today's key exchange and digital signatures, including RSA, Diffie-Hellman, and elliptic-curve cryptography (ECC). Symmetric ciphers and hash functions are only weakened, by Grover's algorithm, and remain usable at larger key and output sizes. The immediate danger is to long-term confidentiality. Even though quantum computers are not yet practical at this scale, encrypted traffic and stored ciphertext intercepted today can be kept and decrypted once one exists. This is known as harvest-now, decrypt-later. It applies to data protected by quantum-vulnerable key exchange or encryption, not to signatures, which only fail once the machine exists. Organizations whose data must stay confidential for years must plan for this scenario now.
Post-quantum cryptography efforts are well underway. NIST published its first finalized standards in 2024: ML-KEM (FIPS 203) for key establishment and ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) for signatures, and hybrid key exchange combining a classical curve with ML-KEM is already deployed in major browsers and CDNs. However, protocol, library, and hardware support are still maturing, and many organizations underestimate how much time and planning migration will require. Transitioning to quantum-safe algorithms is not as simple as flipping a switch. It starts with a cryptographic inventory: where each algorithm is used, for what purpose, by which products and partners, and how long the data it protects must remain confidential. It then requires reevaluating protocols, updating infrastructure (larger keys and signatures affect certificates, handshakes, and constrained devices), and coordinating with partners. Organizations must begin planning now to avoid being caught off guard later.
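The following is an added example of the cryptographic inventory step described above; it is not part of the original episode or of any vendor's tooling. It parses IANA-style TLS cipher suite names, treats every classical key exchange as Shor-vulnerable, and ranks endpoints by harvest-now, decrypt-later exposure using the data retention period. The asset list is constructed, and the scoring weights, the five-year horizon, and the set of hybrid group names are assumptions to be tuned to your own risk appetite.

```python
"""Crypto-agility inventory: flag quantum-vulnerable TLS configurations and
rank them by harvest-now, decrypt-later (HNDL) exposure.  Added example; the
asset list is constructed and the scoring rules are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Hybrid / post-quantum key-exchange groups as named in current TLS 1.3
# drafts and deployments (assumption: extend as your stack adopts more).
# Anything else is treated as classical and therefore Shor-vulnerable.
PQ_GROUPS = {"X25519MLKEM768", "SECP256R1MLKEM768", "SECP384R1MLKEM1024"}
# Ciphertext that must stay secret at least this long is assumed to outlive
# the arrival of a cryptographically relevant quantum computer (assumption).
HNDL_HORIZON_YEARS = 5


@dataclass
class SuiteProfile:
    key_exchange: str      # "ECDHE", "DHE", "RSA" (key transport) or a TLS 1.3 group
    authentication: str    # "RSA", "ECDSA", or "certificate" for TLS 1.3
    symmetric_bits: int    # 128 or 256
    forward_secrecy: bool  # ephemeral key exchange?


def parse_cipher_suite(suite: str, tls13_group: Optional[str] = None) -> SuiteProfile:
    """Split an IANA-style suite name into algorithm components.  TLS 1.2 names
    carry key exchange and authentication inline; TLS 1.3 names do not, so the
    negotiated group must be supplied separately."""
    m = re.search(r"AES_(\d+)|CHACHA20", suite)
    if not m:
        raise ValueError(f"unrecognised symmetric cipher in {suite}")
    sym_bits = 256 if m.group(0) == "CHACHA20" else int(m.group(1))
    if "_WITH_" in suite:                                   # TLS 1.2 and earlier
        parts = suite.split("_WITH_")[0].split("_")[1:]     # drop leading "TLS"
        kx = parts[0]
        auth = parts[1] if len(parts) > 1 else kx           # TLS_RSA_WITH_...: RSA key transport
        return SuiteProfile(kx, auth, sym_bits, forward_secrecy=kx.endswith("DHE"))
    if tls13_group is None:
        raise ValueError("TLS 1.3 suite requires the negotiated key-exchange group")
    return SuiteProfile(tls13_group.upper(), "certificate", sym_bits, forward_secrecy=True)


@dataclass
class Finding:
    system: str
    priority: int                      # higher = migrate sooner
    reasons: list = field(default_factory=list)


def assess(system: str, suite: str, retention_years: int,
           tls13_group: Optional[str] = None) -> Finding:
    """Score one endpoint.  Only the key exchange drives HNDL priority: traffic
    recorded today can be decrypted later if the key exchange falls to Shor's
    algorithm, and the damage scales with how long the data must stay secret.
    Signatures fail only once a quantum computer exists, so they are listed as
    a migration item but do not raise the HNDL score."""
    p = parse_cipher_suite(suite, tls13_group)
    f = Finding(system, 0)
    if p.key_exchange in PQ_GROUPS:
        f.reasons.append(f"key exchange {p.key_exchange} is hybrid/PQ")
    else:
        f.priority += 1
        f.reasons.append(f"key exchange {p.key_exchange} is Shor-vulnerable")
        if not p.forward_secrecy:
            # One long-term key unlocks every recorded session at once.
            f.priority += 2
            f.reasons.append(f"no forward secrecy: static {p.key_exchange} key")
        if retention_years >= HNDL_HORIZON_YEARS:
            f.priority += 3
            f.reasons.append(f"HNDL: data retained {retention_years}y >= {HNDL_HORIZON_YEARS}y horizon")
    if p.authentication in {"RSA", "ECDSA"}:
        f.reasons.append(f"signature algorithm {p.authentication} needs PQ migration before a CRQC exists")
    if p.symmetric_bits < 256:
        # Grover halves effective strength; AES-128 is a review item, not a break.
        f.reasons.append(f"symmetric {p.symmetric_bits}-bit: review against Grover")
    return f


def rank_inventory(assets):
    """assets: iterable of (system, suite, retention_years, tls13_group)."""
    findings = [assess(*a) for a in assets]
    return sorted(findings, key=lambda x: (-x.priority, x.system))


# Constructed sample inventory (not real systems).
SAMPLE_ASSETS = [
    ("hr-records-api", "TLS_RSA_WITH_AES_128_CBC_SHA256", 10, None),
    ("vpn-gateway", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 7, None),
    ("public-web", "TLS_AES_128_GCM_SHA256", 1, "x25519"),
    ("backup-replication", "TLS_AES_256_GCM_SHA384", 10, "X25519MLKEM768"),
]

if __name__ == "__main__":
    for f in rank_inventory(SAMPLE_ASSETS):
        print(f.priority, f.system, "; ".join(f.reasons))
```

The static-RSA endpoint with ten-year retention lands at the top even though its symmetric cipher is fine, which is the point: migration order is set by the key exchange and the lifetime of the data, not by the cipher suite's age alone.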
The Internet of Things and edge computing devices pose significant exposure for most organizations. IoT ecosystems consist of countless devices, many of which are minimally secured or completely unmanaged. Device diversity—across manufacturers, platforms, and protocols—makes standardization difficult. Firmware may be outdated or difficult to patch. Many devices also lack proper authentication or encryption. This creates an environment where attackers can exploit weak endpoints as entry points into core networks.
IoT risks include lateral movement, where compromise of a low-value device enables access to more sensitive systems. Smart lighting systems, HVAC units, or printers may seem harmless, but when connected to internal networks, they can serve as gateways for attack, and they are rarely covered by endpoint agents or patch cycles, so the foothold can persist. These systems also increase the potential for cyber-physical disruption, where digital compromise causes real-world harm. Examples include manipulated industrial equipment, disabled medical devices, or tampered building control systems. The attack surface continues to expand as more devices are deployed without centralized visibility.
To manage these challenges, organizations must first evaluate how exposed they are to emerging technologies. This means assessing where AI, IoT, or quantum-adjacent solutions have been integrated into processes, tools, or services. Security leaders must also identify third-party dependencies that may be using these technologies. Vendors and cloud services may introduce new risks even when internal adoption is limited. Business innovation plans, especially those involving digital transformation, should be reviewed for emerging risk factors.
An accurate inventory of existing controls must also be created and tested against these new threats. Controls that work for legacy systems may not apply to AI-driven workflows or decentralized IoT networks. Visibility must be established across operational environments, development pipelines, and supply chain connections. Risk assessments should incorporate not just current usage but projected growth. Emerging technologies rarely remain isolated—they tend to spread across business units rapidly once adopted.
To capture this evolving landscape, organizations must adapt their risk assessment processes. Traditional risk models may not fully capture uncertainty, volatility, or irreversibility—factors common in emerging technology. Therefore, the scope of assessments should be expanded to include these elements. In cases where quantitative data is lacking, qualitative analysis becomes essential. Discussions, expert opinions, and industry benchmarks can fill the gap.
Asset classification also needs to be updated. Emerging technologies may redefine what is considered critical. For example, training datasets in AI systems or cryptographic keys for quantum-sensitive environments may now warrant elevated protection. Cross-functional input is vital. Risk assessments should include not just security teams, but also innovation leads, developers, legal advisors, and operational managers. This broader perspective ensures that assessments reflect how technologies are used, not just how they are deployed.
Governance must also adjust to accommodate new risk realities. Emerging risk monitoring should be a standing agenda item in governance meetings. Ownership must be assigned for monitoring, escalation, and mitigation of novel threats. Innovation programs—such as pilot projects involving AI or connected devices—must include security governance from the outset. Risk appetite statements should be reviewed and updated to account for technological disruption. Scenario planning frameworks must remain flexible, enabling the organization to pivot as threat vectors evolve.
Control strategies for emerging risk require creativity and adaptability. In many cases, standards do not yet exist, so compensating controls must be developed. Segmentation is often the most effective of these: high-risk or untrusted components, such as IoT devices or an externally trained model, should be isolated from critical systems, with a default-deny policy between zones so that a compromised device cannot reach anything it has no business talking to. Authentication and monitoring must be enhanced to detect early signs of compromise. Anomaly detection helps even when no formal baseline exists: observing what a device class normally talks to, then alerting on deviations, catches a printer that starts probing file servers long before a signature for the attack exists.
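As an added example of the segmentation and lateral-movement points above (the IoT discussion earlier in the episode and the control strategy here), not part of the original episode: a default-deny check that runs a per-device-class allow-list over flow records and also counts how many disallowed hosts each device touched, which surfaces scanning. Device addresses, zones, the flow log, and the class policy are all constructed; the ports are the real defaults for raw printing (9100), IPP (631), and BACnet (47808).

```python
"""Default-deny segmentation check for IoT/OT devices over flow records.
Added example; the inventory, zones, policy, and flow log are constructed."""
import ipaddress
from collections import defaultdict

# Device inventory: source address -> device class (constructed).
DEVICE_CLASS = {
    "10.20.1.15": "printer",
    "10.20.1.40": "hvac-controller",
    "10.20.1.77": "smart-lighting",
    "10.10.0.5": "workstation",
}
# Network zones (constructed); 0.0.0.0/0 catches everything not internal.
ZONES = {
    "iot-vlan": ipaddress.ip_network("10.20.1.0/24"),
    "print-server": ipaddress.ip_network("10.30.5.0/24"),
    "building-mgmt": ipaddress.ip_network("10.30.9.0/24"),
    "corp-servers": ipaddress.ip_network("10.40.0.0/16"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),
}
# Allow-list per class: zone -> permitted destination ports.  Any flow not
# matched here is a violation, including device-to-device traffic in the
# IoT VLAN itself.  Classes absent from POLICY are not checked.
POLICY = {
    "printer":         {"print-server": {9100, 631}},
    "hvac-controller": {"building-mgmt": {47808, 443}},
    "smart-lighting":  {"building-mgmt": {443}},
}

# Constructed flow log: timestamp src dst dport proto bytes.
FLOW_LOG = """\
2024-05-02T10:01:03Z 10.20.1.15 10.30.5.12 9100 tcp 48211
2024-05-02T10:01:09Z 10.20.1.40 10.30.9.8 47808 udp 912
2024-05-02T10:02:44Z 10.20.1.15 10.40.3.21 445 tcp 1420
2024-05-02T10:02:45Z 10.20.1.15 10.40.3.22 445 tcp 1420
2024-05-02T10:02:46Z 10.20.1.15 10.40.3.23 445 tcp 1420
2024-05-02T10:05:10Z 10.20.1.77 203.0.113.50 443 tcp 3300
2024-05-02T10:06:00Z 10.20.1.40 10.20.1.77 22 tcp 2210
2024-05-02T10:07:30Z 10.10.0.5 10.40.3.21 445 tcp 9000
"""


def zone_of(ip: str) -> str:
    """Most specific zone containing ip; the /0 'internet' zone matches last."""
    addr = ipaddress.ip_address(ip)
    for name, net in sorted(ZONES.items(), key=lambda kv: -kv[1].prefixlen):
        if addr in net:
            return name
    return "unknown"


def parse_flow(line: str) -> dict:
    ts, src, dst, dport, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}


def check_flows(log_text: str, scan_threshold: int = 3):
    """Return (violations, scans).  violations: one tuple per flow that the
    device's class policy does not allow.  scans: devices whose disallowed
    flows reached at least scan_threshold distinct hosts, the fan-out shape
    of a compromised device looking for its next hop."""
    violations = []
    fanout = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        cls = DEVICE_CLASS.get(f["src"])
        if cls not in POLICY:
            continue                     # managed endpoint or unclassified: out of scope here
        zone = zone_of(f["dst"])
        if f["dport"] not in POLICY[cls].get(zone, set()):
            violations.append((f["ts"], f["src"], cls, f["dst"], zone, f["dport"]))
            fanout[f["src"]].add(f["dst"])
    scans = {src: len(hosts) for src, hosts in fanout.items() if len(hosts) >= scan_threshold}
    return violations, scans


if __name__ == "__main__":
    v, s = check_flows(FLOW_LOG)
    for item in v:
        print("VIOLATION", *item)
    for src, n in s.items():
        print("SCAN-LIKE", src, DEVICE_CLASS[src], f"{n} disallowed hosts")
```

On the constructed log this flags the printer's three SMB connections into the server range (and marks it as scanning), the lighting controller's outbound internet session, and the HVAC unit's SSH attempt against a neighbouring device, while the legitimate print and BACnet traffic passes. The same allow-list can be fed to the switch or firewall as the enforcement policy, so detection and segmentation share one source of truth.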
Engagement with industry working groups provides early access to threat intelligence, best practices, and proposed standards. Participating in these communities allows organizations to influence direction and adapt faster. A layered defense approach—one that adapts across time, tools, and teams—is more effective than static or overly rigid defenses. Emerging risks require defensive strategies that evolve in parallel with innovation.
Training and awareness also play a key role. Leaders must be educated about the implications of new technologies—not just in terms of opportunities, but in terms of vulnerabilities. Technical teams need literacy in AI, quantum, and IoT systems to design controls that work. Awareness materials should reflect current threat vectors, including examples of real-world breaches or attack techniques. Development teams should be encouraged to innovate responsibly, considering security early in design.
Formal training programs and simulation exercises should incorporate emerging risk scenarios. For example, tabletop exercises could explore the consequences of AI model poisoning or a quantum-driven cryptographic failure. These exercises not only improve readiness but also build organizational muscle for dealing with uncertainty. Emerging risk awareness must extend beyond the security function and become part of enterprise culture.
Continuous monitoring and foresight are essential. Organizations must establish formal mechanisms to track both technology trends and threat developments. This includes subscribing to intelligence feeds, joining foresight groups, and conducting horizon scanning. A strong relationship with legal, compliance, innovation, and product teams ensures that new initiatives are evaluated through a security lens. Risk registers and control catalogs must be updated as threats and technologies evolve.
Emerging risk management is not a project—it is a cycle. It involves awareness, evaluation, adaptation, and response. It must be sustained through policies, communication, and leadership engagement. Organizations that institutionalize foresight and agility will be better positioned to withstand disruptive change. For CISM candidates, understanding this dynamic landscape is vital to building future-ready security governance programs.
Thanks for joining us for this episode of The Bare Metal Cyber CISM Prepcast. For more episodes, tools, and study support, visit us at Bare Metal Cyber dot com.
