We have heard it all before – an enterprising company exploits an unregulated space, launching a product using novel technology that could solve a problem for consumers, but creates new risk scenarios for the general public. Regulatory agencies are caught flat footed and are unwilling to respond. Out of frustration, the company resorts to conducting live trials and operations without obtaining regulatory approval. Eventually, an incident involving the new product occurs and hogs the headlines. The government is forced to come down hard on the company in response to public pressure, rolling back years of innovative research and development efforts, canning positive use cases for the product. The possibility for industry to work with government in deploying the new technology for public good is all but dead in matter of months.
"When disruption eventually shakes up your sector and creates new risks, your agency would be a little more ready to respond and manage emerging risks, become they turn into full-blown crises"
It does not always have to end this way. Government agencies can play their part in mitigating risk while enabling businesses to adopt new security technology. In a VUCA world (volatile, uncertain, complex and ambiguous) world, there is no set template for regulators to follow; however, I believe there are three instincts which agencies can adopt to help them to respond effectively to technological disruption in the security industry – both in mitigating risk, and reaping rewards for the public good:
1) Smell what’s coming early – Start-ups are hunting down every opportunity for disruption, while perpetrators are seeking to exploit new technologies to strike at critical assets; it has never been more difficult to keep abreast of developments which may come your way to shake up how the industry deals with security risks. However, regulators do not always have to be caught off guard – Besides regular risk assessments, get into frequent dialogue with industry players to hear their views on technologies that interest or threaten them; keep an eye on what situations regulators in other sectors and jurisdictions are facing; take a step back and look at how your regulatory framework may be creating opportunities or disadvantages for different players and stakeholders. These practices help regulators develop foresight as to what the future holds, allowing agencies to gradually gear up legal, regulatory, and policy toolkits for emerging scenarios. When disruption eventually shakes up your sector and creates new risks, your agency would be a little more ready to respond and manage emerging risks, become they turn into full-blown crises.
2) Seize the opportunity to get clarity – You have had it! Why does that industry executive keep questioning your regulations at every turn? It is easy to feel irritated when businesses attack the rulebook in a bid to get their product approved and off the ground; but what if you saw it as a chance to examine whether the rule book is effective in achieving stated policy aims in the first place? More critically, perhaps that is the opening you need to begin a frank conversation with intra-government stakeholders on whether current policy goals are practical and achievable in the new environment you are faced with, and work towards alignment in your views. Are our risk assessments still valid? Do our requirements place an unintended obligation on companies to conduct an outdated process? Is our policy too restrictive with regards to the type of biometrics which can be deployed? Clarity on policy aims and regulatory tactics is sorely needed to ensure that your agency can mitigate risk while at the same time promote innovation in a fast-changing security environment. So, get in the habit of seeing such situations as opportunities for your agency to achieve clarity on new issues, which translates to better regulatory guidance to industry on new technology developments.
3) Sell the ‘our risk, our reward’ paradigm – With businesses becoming increasingly subject to the public eye and expected to operate transparently and ethically, it pays also for regulators to help businesses which are innovating to see that public risk is their risk as well. Not all companies are immediately familiar with operating in a regulated space, and such guidance by regulators might be welcomed. Ideally, all stakeholders in the ecosystem, not just regulators, should view mitigating public risks as a collective enterprise that if done well, can ensure that new technology and innovative products gain acceptance in general society, expand the market, and contribute to the public good. Hence, regulators should no longer see public risk as falling solely under their purview; instead, it is something for all of us to manage and internalize the costs for, so that all of us reap the reward. Doing so builds up the security culture and mutual trust of all stakeholders in the ecosystem in the long term, which can be more effective for strengthening security whilst encouraging innovation than promulgating a new set of rules.
Ultimately, a positive culture of innovation that increases public good cannot exist without with a supportive and prudent regulatory practice. Security continues to be a key preoccupation in multiple sectors; with technology becoming increasingly accessible to the rising Asian middle class, many have taken hold of the opportunities afforded to them and gotten in on the innovation act, for good or for ill. Disruption and adoption of new technologies will impact the security industry, and government agencies need to develop the right instincts to manage this new reality.
Disclaimer: The opinions expressed in this article belong purely to the author, and do not represent the views of any organization.