Blockchain—An Executive View

CONTENTS

Introduction
What Is Blockchain?
/ Types of Blockchain
/ Providers
Blockchain in Use
/ Cryptotokens
/ Smart Contracts
/ Use Cases
Benefits and Risk for the Enterprise
/ Blockchain Benefits
/ Enterprise Risk
Security, Privacy and Legal Aspects of Blockchain
/ Privacy
/ Legal Aspects
Getting Started with Blockchain
Conclusion
Acknowledgments

© 2020 ISACA. All Rights Reserved.



Introduction
Worldwide spending on blockchain solutions is expected to grow from US$1.5 billion in 2018 to an estimated US$15.9
billion by 2023.[1]

More than 50 percent of global enterprises view blockchain as a strategic priority. Nearly one-third (32 percent) of
enterprises are in the development stage of their blockchain project; 84 percent of enterprises indicate that they use
blockchain technology to a certain degree.[2] Sixty percent of chief information officers (CIOs) across sectors are on the
verge of integrating blockchain into their infrastructure; 53 percent of C-level officers identify blockchain as a crucial part
of their organizational infrastructure in 2020.[3]

What the Internet did for communications, blockchain will do for trusted transactions.
—Ginni Rometty, Executive Chairman, IBM[4]

Clearly, blockchain is a groundbreaking approach to performing and securing the transfer of value. Its impact now,
although substantial, is likely to be the tip of the iceberg when compared to its future role in business. But where did
blockchain originate? How did it get its start?

In 2008, an anonymous technologist and author (or authors) under the pseudonym of Satoshi Nakamoto (still
unidentified) published “Bitcoin: A Peer-to-Peer Electronic Cash System”[5] on a technology mailing list. By January 2009,
the first version of the open-source Bitcoin blockchain cryptocurrency system was made publicly available.

The publication of Nakamoto’s paper and launch of the Bitcoin blockchain initiated the first broad use of a
cryptographic, peer-to-peer system for the secure and anonymous exchange of value between parties. Its launch
created a more than decade-long discussion about the nature of trust, money and identity, and a wave of innovative
startups looking to reinvent whole economic models based on blockchain technology.

As the use of blockchain technology becomes more ubiquitous, it is important that executives understand what it is and
the value it can bring to an enterprise. This paper explains blockchain technology in layman’s terms and delves into the
opportunities and challenges resulting from blockchain.

What Is Blockchain?
At its core, blockchain is a twenty-first-century variant of the transaction ledger, which has been a part of society since
ancient times to determine ownership, establish valuations or delineate liabilities. Blockchain is a decentralized
database that is stored on multiple computers, i.e., nodes, as identical copies. Because blockchain is decentralized, it is
secure: The only way that a single user can alter or remove an entry in the blockchain is to change all the nodes—an
almost impossible task.

[1] Liu, S.; “Blockchain—Statistics and Facts,” Statista, 13 March 2020, www.statista.com/topics/5122/blockchain/
[2] Chapkanovska, E.; “Blockchain Adoption (The Latest Statistics of May 2020),” Spendmenot, 23 June 2020, spendmenot.com/blog/blockchain-adoption/
[3] Petrov, C.; “91+ Blockchain Statistics: Understand Blockchain in 2020,” Techjury, 24 July 2020, techjury.net/blog/blockchain-statistics/#gref
[4] Rapier, G.; “From Yelp reviews to mango shipments: IBM’s CEO on how blockchain will change the world,” Business Insider, 21 June 2017, www.businessinsider.com/ibm-ceo-ginni-rometty-blockchain-transactions-internet-communications-2017-6
[5] Nakamoto, S.; “Bitcoin: A Peer-to-Peer Electronic Cash System,” 2008, bitcoin.org/bitcoin.pdf


Blockchain can be defined by its basic elements:

• What—It is a shared transactions ledger.
• Who—It can be accessed by and among multiple parties.
• How—These parties use cryptography and peer-to-peer technology to secure data into blocks and store them in an immutable chain of
transactions, with no need for a trusted central authority to oversee the blockchain or provide attestation. Instead, consensus among
blockchain participants that data being added to the blockchain are accurate and valid provides verification and trust. By design, each
participant in the blockchain possesses the same copy of this ledger and can write to the ledger, if properly permissioned to do so.
• Why—Blockchain is meant to share and distribute data or value, without the need for a trusted intermediary or enforced system
management. Blockchain design allows participants to trust the accuracy and veracity of the information on the blockchain.

Blockchain is a unique and potentially disruptive technology because it is designed from the ground up to be fully
distributed, in contrast with the centralized principle on which traditional ledgers are based. For example, when a stock
is bought or sold through a broker, the details of the transaction are sent to a centralized clearinghouse that acts as a
trusted third party that journals the transaction in its ledger (figure 1). This third party ensures the existence of an
independent record of the transaction to prevent any subsequent disputes regarding the ownership of that security. The
clearinghouse attests to the integrity of its records if any future dispute arises between the involved parties or the chain
of custody is questioned by someone who was not party to the transaction.

FIGURE 1: Centralized System Example
[Diagram labels: Clearinghouse; Broker; Broker; Buyer; Exchange; Seller]

Although the value of transaction journaling remains the same in blockchain, the process by which it is achieved differs
significantly—most notably, no centralized private clearinghouse or trusted third party receives, processes and journals
transaction data. Instead, the blockchain ledger is made public and widely shared across a peer-to-peer network, with
each member contributing and journaling transactions to the digital ledger. A transaction that is submitted to the ledger
is signed using the submitting party’s private cryptographic key (figure 2). This key ensures integrity and makes the
record immutable, because any attempts to change the record will result in a mismatched signature.
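
The tamper evidence described above, as an added sketch that is not code from the paper or from any blockchain product: each entry is signed by its submitter, each block commits to the previous block's hash, and identical copies are held on three nodes. Ed25519, the payload strings and all type and function names are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Block is one signed ledger entry linked to its predecessor (constructed format).
type Block struct {
	PrevHash     [32]byte
	Payload, Sig []byte
	Signer       ed25519.PublicKey
}

// Hash covers the link, the payload, and the fixed-length signer key and signature.
func (b Block) Hash() [32]byte {
	buf := append([]byte{}, b.PrevHash[:]...)
	buf = append(buf, b.Payload...)
	buf = append(buf, b.Signer...)
	return sha256.Sum256(append(buf, b.Sig...))
}

// Head is the hash of the last block (all zeros for an empty chain).
func Head(chain []Block) [32]byte {
	if len(chain) == 0 {
		return [32]byte{}
	}
	return chain[len(chain)-1].Hash()
}

// Append signs the payload with the submitter's private key and links the block.
func Append(chain []Block, priv ed25519.PrivateKey, payload string) []Block {
	p := []byte(payload)
	pub := priv.Public().(ed25519.PublicKey)
	return append(chain, Block{PrevHash: Head(chain), Payload: p, Sig: ed25519.Sign(priv, p), Signer: pub})
}

// Verify returns the index of the first block with a broken link or mismatched
// signature, or -1. It accepts any signer key; a real ledger also checks ownership.
func Verify(chain []Block) int {
	var prev [32]byte
	for i, b := range chain {
		if b.PrevHash != prev || len(b.Signer) != ed25519.PublicKeySize ||
			!ed25519.Verify(b.Signer, b.Payload, b.Sig) {
			return i
		}
		prev = b.Hash()
	}
	return -1
}

// Outliers lists the nodes whose head is not shared by a strict majority.
func Outliers(nodes [][]Block) []int {
	votes := map[[32]byte]int{}
	for _, n := range nodes {
		votes[Head(n)]++
	}
	var out []int
	for i, n := range nodes {
		if 2*votes[Head(n)] <= len(nodes) {
			out = append(out, i)
		}
	}
	return out
}

// Demo replicates a constructed ledger to three nodes, then alters node 2 twice.
func Demo() (int, int, []int) {
	_, alice, errA := ed25519.GenerateKey(rand.Reader)
	_, other, errB := ed25519.GenerateKey(rand.Reader)
	if errA != nil || errB != nil {
		panic("key generation failed")
	}
	var chain []Block
	for _, p := range []string{"alice->bob:100", "alice->carol:25", "alice->dave:5"} {
		chain = Append(chain, alice, p)
	}
	replica := func() []Block { return append([]Block(nil), chain...) }
	nodes := [][]Block{replica(), replica(), replica()}

	// Case 1: the payload is edited in place; the stored signature no longer matches.
	nodes[2][1].Payload = []byte("alice->carol:2500")
	edited := Verify(nodes[2])

	// Case 2: the entry is re-signed with another key and the later link rebuilt.
	// The copy is self-consistent again, but its head differs from the other nodes.
	rebuilt := Append(replica()[:1], other, "alice->carol:2500")
	last := chain[2]
	last.PrevHash = Head(rebuilt)
	nodes[2] = append(rebuilt, last)
	return edited, Verify(nodes[2]), Outliers(nodes)
}

func main() {
	fmt.Println(Demo()) // prints: 1 -1 [2]
}
```

Case 2 shows why the guarantee rests on replication as well as signatures: a copy that has been re-signed and relinked passes its own checks and is exposed only by comparison with the other nodes.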


FIGURE 2: Transaction Flow Using Blockchain
[Diagram labels: New transaction; Sign with private key; Participating nodes confirm transaction; Transaction added; Ledger; Ledger is distributed throughout network]

Blockchain success depends on more than just hardware and software; it also depends on people performing the
myriad of tasks that make blockchain a trusted mechanism for value transactions. Stakeholders can be, but are not
limited to, the board of directors, executive management, business unit managers, IT managers and practitioners,
security personnel, assurance providers, risk management personnel, regulators, business partners and vendors.

Stakeholder definition and management are critical to a blockchain implementation. As with all IT management, the
process relies on aligning and consolidating the correct technology, processes and people in support of an agreed
strategy. Performed incorrectly, stakeholder management can result in the usual series of technology problems:
misalignment, scope creep, over-budget implementations and, in extreme cases, a solution that is not fit for purpose.

Given its fundamentally distinct approach, a blockchain implementation is a technical, product, project, business
management, compliance and risk discussion.

Types of Blockchain
Blockchains are not one-size-fits-all technologies. The multiple blockchain types are characterized by their approach to
permissions and participation.

Public blockchain is permissionless by design. Any person or party can join this type of blockchain network; participate
as a consensus participant or miner;[6] and produce applications, smart contracts or transactions. Participants have a
transparent view into the history of all transactions on that blockchain. Public blockchains operate and are secured by
the combination of cryptographic verification and economic-based incentives to maintain and manage the blockchain
ecosystem.

Private blockchains are permissioned. They maintain access controls that can restrict which and what type of parties
can participate, and define their allowed functions and capabilities in the blockchain workflow. In private blockchains,
one or more stakeholders or administrators control the network, which introduces a requirement for third-party
acceptance to transact on that blockchain—a requirement that is nonexistent in public blockchains.

Hybrid blockchains consist of one component that is a fully public blockchain (with all its associated benefits and
challenges) and a parallel component that is a permissioned private blockchain, allowing for enterprise-level
transactions that maintain regulatory compliance and access permissioning. Hybrid blockchains are not fully open to
any participant, yet they maintain data immutability and transparency. Hybrid blockchain transactions are not public, but
they are always available to be verified when necessary. These blockchains seek to realize the benefits of public and
private blockchain technology.

[6] Miners keep the blockchain running by providing computing resources, performing the proof of work that is used to confirm transactions and producing
new blocks that are added to the blockchain.

Providers
The number and type of providers of blockchain technology change regularly. Each offers features, taxonomies, industry
uses, protocols and toolsets that render its solution well suited to specific needs. Among the most widely used
providers are Amazon®,[7] Digital Asset Modeling Language (DAML),[8] Ethereum®,[9] Hyperledger®[10] and Microsoft®
Azure®.[11]

Blockchain in Use
Blockchain versatility is evident in its many uses—tracking the flow of goods, storing medical records, concluding
binding agreements, verifying payments through a supply chain, storing personal credit records, tracking the
provenance of artwork and much more. This section discusses the primary functions of blockchain and describes some
use cases.

Cryptotokens
The terms cryptotoken, cryptocurrency, altcoin, crypto coin, utility token, consumer token, security token and digital
asset are all used—sometimes interchangeably—to describe a digital unit of value, utility or asset on a blockchain. Some
tokens are natively digital, meaning there is no underlying offchain or real-world asset that the tokens represent. Other
tokens are tokenized offchain assets, which are assets in the real world (e.g., stock certificate, piece of real estate, work
of art, rights to intellectual property or royalty payments) that are represented as tokens on a blockchain.

Cryptotokens are used:

• As an investable asset class
• As a store of value
• To make electronic payments
• To access and use blockchain-based applications and services
• For distributed governance and voting
• To fund and create security for blockchains and blockchain-based applications
• To create tradeable and fractionalizable digital securities and nonsecurity tangible and intangible asset

[7] AWS, “Amazon Managed Blockchain,” https://aws.amazon.com/managed-blockchain/
[8] MarketsWiki, “Digital Asset Modeling Language,” http://www.marketswiki.com/wiki/Digital_Asset_Modeling_Language_(DAML)
[9] Ethereum, https://ethereum.org/en/
[10] The Linux Foundation Project, “About Hyperledger,” www.hyperledger.org/about
[11] Microsoft Azure, “Azure Blockchain Service,” azure.microsoft.com/en-us/services/blockchain-service/#product-overview


Like traditional assets, there are cryptotoken trading venues, indices and derivatives.

Some industries are already interacting with cryptotokens. Some ecommerce sites accept bitcoin for payment. Selected
aspects of real estate are tokenized. A few securities tokens are issued on blockchains. Some less-regulated financial
services enterprises, such as hedge funds and family offices, are investing in cryptotokens. Supporting services, such
as custodians and data vendors, are springing up to service the cryptotoken needs of those enterprises.

As more business activity moves to blockchains and as more assets are tokenized on blockchains, more enterprises
and individuals will need to buy, hold, sell and use cryptotokens as an essential part of their economic and business
activity—securely, within risk tolerances, and while meeting their compliance and regulatory requirements.

Smart Contracts
One of the most compelling propositions for blockchain is the use of smart contracts. Smart contracts are software
programs that automatically execute transactions (e.g., exchange of money, property, shares or anything of value)
and/or enforce agreements based on the fulfillment of the terms of an agreement. Smart contracts are well suited for
business activities that involve purchases and exchanges of goods, services and rights, especially when frequent
transactions occur among a network of parties, and manual or duplicative tasks are performed by counterparties for
each transaction.

Smart contracts perform their functions by leveraging a platform that uses public validation to ensure correct and
reliable performance according to agreed rules, using blockchain decentralized ledger technology. Constant public
review makes blockchains manipulation- and hack-resistant, thus eliminating the need (and fees) for third-party
intermediaries.

Smart contracts create their own audit trail by storing all contract transactions in chronological order on the blockchain,
if later review is needed.[12]

Among the properties of smart contracts are:

• Immutable—They are immutable when deployed onto the blockchain, so they cannot be changed, disabled or removed without requiring
considerable effort.
• Visible—They must be visible on the blockchain. By default, smart contracts are considered untrusted because the compiled bytecode is
not human-readable. This is rectified by having the human-readable form of source code compiled and verified against the deployed
bytecode.
• Deterministic—They must be deterministic, providing the same outcome of their execution for everyone who uses them.
• Atomic—They are atomic, which means that one or more conditions defined by the smart contract must be met for the transaction to
execute entirely. Changes in the global state to the contracts and accounts are recorded only if the entire execution terminates
successfully.

[12] It is suggested that the enterprise not rely entirely on these audit trails. Traditional review and audit are still advisable and may be required by certain
legal authorities.


Because smart contracts are immutable, significant upfront planning is necessary to ensure that smart contract logic
can be modified (due to a change in policy, procedure or regulatory requirement) while preserving stored data and
without the need for data migration. Multiple design patterns exist to enable smart contracts to be updated.

Use Cases
Although exchange of cryptotokens and use of smart contracts are the predominant applications of blockchain
technology in practice today, the following real-world use cases illustrate the impact and potential of the technology.
• Supply Chain—The global supply chain industry is a notable early adopter of blockchain technology, because it can provide much more
transparency and agility to the supply chain than previously available. For example, Bumble Bee Foods united several stakeholders in the
global fishing industry and launched a blockchain-based track-and-trace platform for fish, from the ocean to the table. A quick response
(QR) code provided by the enterprise enables the origins of the fish to be tracked, and also gives sellers and retailers the ability to obtain
real-time, confirmed-correct information about the flow of the physical goods, their status, progress and more.[13]
• Real Estate—Land titles rely on paper documentation for their existence and operation, an approach with several inherent areas of risk,
including theft, mismanagement, loss and fraud. Enterprises, such as Codefi,[14] are partnering with major real estate and title firms to
remove the complexity of legacy systems by using blockchain technology to offer an immutable and secure digital registry of title
ownership. This registry includes document authentication and transaction transparency, resulting in reduced loss, fraud and legal
proceedings, and providing cost efficiencies to title companies and property owners.
• Food—Walmart is another enterprise that is moving its food supply chain to the blockchain, in a partnership with Dole Food Company,
Unilever NV, Tyson Foods, Inc. and other food enterprises, using a hybrid blockchain system. Statistics show that blockchain
implementation could generate US$700 million in increased productivity. Using blockchain to track the food supply from farm to producer
to delivery can potentially reduce the cost of a product recall. It typically takes seven days to trace the source of food. In a Walmart
pilot project, blockchain reduced that time to 2.2 seconds.[15]
• Healthcare—The Medicalchain blockchain platform maintains a patient record of origin and protects patient identity, thus sustaining
the integrity of health records while establishing a single source of data that are accessible by doctors, hospitals and labs.
Medicalchain also released MyClinic.com, which enables patients to have video consultations with doctors and pay with MedTokens.[16]

[13] Kotecha, N.; S. Muma; “The critical role for blockchain in the post-COVID-19 supply chain,” Modern Materials Handling, 9 June 2020, www.mmh.com/article/the_critical_role_for_blockchain_in_the_post_covid_19_supply_chain
[14] “Real estate asset tokenization in the UK,” Consensys Codefi, codefi.consensys.net/hmlr
[15] Miller, R.; “Walmart is betting on the blockchain to improve food safety,” Techcrunch, 24 September 2018, https://techcrunch.com/2018/09/24/walmart-is-betting-on-the-blockchain-to-improve-food-safety/
[16] Daley, S.; “15 Examples of How Blockchain Is Reviving Healthcare,” BuiltIn, 25 March 2020, builtin.com/blockchain/blockchain-healthcare-applications-companies


Benefits and Risk for the Enterprise


Blockchain is not automatically a good fit for every enterprise. However, for those enterprises with a business need for
blockchain, its benefits are many.

Blockchain Benefits
The benefits of blockchain are numerous. Blockchain is:

• Anonymous (or pseudonymous)—Private information (for a public blockchain) associated with transactions is linked to wallet[17]
addresses and public keys, and no personally identifiable information is viewable.
• Distributed—Renders it more reliable. Component failure is minimized because transactions are encrypted and stored on multiple nodes
globally.
• Decentralized—Eliminates the need to trust a central authority, resulting in less likelihood of a single point of failure.
• Immutable—Makes data append-only and unmodifiable. For the most part, public blockchain transactions are tamperproof.
• Transparent—Enables transaction history to be more easily audited and provides greater accuracy and consistency.
• More efficient than traditional methods—Blockchain eliminates much of the cost associated with journaling transactions for business
records and compliance purposes, and saves valuable time. In the previous example of purchasing stock from a retail broker, the time
required by the clearinghouse to settle the transaction for a traditional system is three business days. By using a commercial blockchain
implementation instead of a clearinghouse, the time required to add the transaction to the ledger (thus asserting the transfer of
ownership) and have it validated by other participants on the network is measured in seconds or minutes, depending on the maturity and
scale of the block used.

Enterprise Risk
Although blockchain has many features that provide trust and security, it is not entirely without risk to the enterprise.
Areas of concern may include:

• Scalability of blockchain platforms
• Trustworthiness of the data services that provide information to the blockchain
• Privacy/infallibility/security of the code within the contracts
• Interoperability[18] of multiple technologies
• Potential for collusion among those building the blockchain

Nontechnical risk areas include possible noncompliance with legal and regulatory requirements (see “Security, Privacy
and Legal Aspects of Blockchain,” below).

Enterprises must consider the potential disruption caused by integrating blockchain with their existing systems and
processes. The impacts associated with the introduction of blockchain can be significant, and a failure to understand
and anticipate those impacts can place the enterprise at risk.

Another issue to consider is the average cost per transaction on any given blockchain at present and as the network
scales. To date, users have experienced wide variability in the cost per transaction. This variability needs to be
monitored and managed closely, especially for low-value transactions for which the transaction fees can eclipse the
overall value.

[17] The user wallet is the primary interface to the blockchain. A wallet stores the public/private key pairings that allow a user to track ownership, and send
or receive cryptocurrency. A wallet controls access to a user’s money (but does not hold any cryptocurrency itself), managing keys and addresses,
tracking the balance, creating and signing transactions, and interacting with contracts.
[18] Blockchain interoperability is the ability to exchange, access and use information across different systems and/or networks without the need for
intermediaries.


Security, Privacy and Legal Aspects of Blockchain
The rapid expansion and evolution of blockchain can provide significant benefits, but reaping those benefits relies on
attention to data security and privacy, and consistent compliance with the growing catalog of pertinent laws and
regulations.

Privacy
Data stored on the blockchain are immutable and visible to nodes and node operators. Accordingly, as a general rule,
sensitive data must not be stored on public blockchains.

Due to its inherent distributed nature, blockchain implementations must consider the rights of individuals to protect and
erase their private information, particularly financial and health information. Therefore, instead of using actual data,
privacy implementations should use a cryptographic hash for evidence on the chain. Other privacy measures may be
provided by the blockchain platform, such as the use of channels for private information exchanges between selected
members within a larger network.
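
One way to keep only hash evidence on the chain, as an added example rather than code from the paper or from any blockchain platform: the record and a per-record random key stay in an erasable off-chain store, and only an HMAC-SHA256 digest is written to the ledger. The keyed digest, the sample record and all type and function names are assumptions made for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// OffChain is the erasable side: the personal data and a per-record random key.
type OffChain struct {
	Record, Key []byte
}

// Vault is the off-chain store, indexed by the digest that was written on-chain.
type Vault map[string]OffChain

// BareHash is the weak option: SHA-256 of the data alone. It is deterministic,
// so equal records give equal digests and a low-entropy field can be matched
// by hashing its possible values.
func BareHash(record []byte) string {
	sum := sha256.Sum256(record)
	return hex.EncodeToString(sum[:])
}

// keyed returns HMAC-SHA256(key, record).
func keyed(key, record []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(record)
	return m.Sum(nil)
}

// Commit keeps the record and a fresh key off-chain and returns the digest to
// write on-chain.
func (v Vault) Commit(record []byte) string {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	digest := hex.EncodeToString(keyed(key, record))
	v[digest] = OffChain{Record: record, Key: key}
	return digest
}

// Check reports whether the off-chain record still matches the on-chain digest.
func (v Vault) Check(digest string) bool {
	e, ok := v[digest]
	want, err := hex.DecodeString(digest)
	return ok && err == nil && hmac.Equal(keyed(e.Key, e.Record), want)
}

// Erase serves an erasure request by deleting the record and its key. The
// digest stays on the chain but cannot be recomputed without the key.
func (v Vault) Erase(digest string) { delete(v, digest) }

// Result records what Demo observed.
type Result struct {
	BareLinkable, KeyedLinkable             bool
	ChecksBefore, DetectsEdit, ChecksErased bool
	OnChain                                 int
}

// Demo commits the same constructed record twice, edits one off-chain copy,
// and erases the other.
func Demo() Result {
	record := []byte("patient=1234;blood_type=AB-") // constructed sample data
	vault := Vault{}
	chain := []string{vault.Commit(record), vault.Commit(record)} // append-only digests

	r := Result{
		BareLinkable:  BareHash(record) == BareHash([]byte("patient=1234;blood_type=AB-")),
		KeyedLinkable: chain[0] == chain[1],
		ChecksBefore:  vault.Check(chain[0]),
	}
	edited := vault[chain[1]]
	edited.Record = []byte("patient=1234;blood_type=O+")
	vault[chain[1]] = edited
	r.DetectsEdit = !vault.Check(chain[1])

	vault.Erase(chain[0])
	r.ChecksErased = vault.Check(chain[0])
	r.OnChain = len(chain)
	return r
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

The per-record key is what separates this from a bare hash: two identical records produce unrelated digests, and once the key is erased the digest left on the ledger no longer verifies against anything.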

Regulations, such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA),
stress the need for blockchain solutions to provide data protection and privacy for all individual users of the solutions
within the domains they govern. Because of these regulations and others, all efforts to ensure privacy must be reviewed
and evaluated by relevant legal counsel or regulatory bodies to ensure compliance.

Legal Aspects
Privacy of personal information is only one blockchain-related area with legal/regulatory ramifications. Smart contracts
are also the focus of regulations worldwide.

In the United States, the basis for legal acceptance of smart contracts is derived from several key laws and regulations:
Electronic Signatures in Global and National Commerce (ESIGN) Act, Uniform Electronic Transactions Act (UETA), and
Food and Drug Administration (FDA) 21 Code of Federal Regulations (CFR), Part 11.[19]

These regulations establish the following requirements for smart contracts to be recognized as valid:

• Intent to sign—Electronic signatures, like traditional signatures, are valid only if each party intended to sign.
• Consent to do business electronically—The parties to the transaction, whether individuals or businesses, must consent to do business
electronically.
• Association of signature with the record—The ESIGN Act and UETA provide specific processes that must be used to prove the validity of
the electronic signature.
• Record retention—Electronic signature records must be capable of retention and accurate reproduction for reference by all parties or
persons entitled to retain the contract or record.

[19] Chamber of Digital Commerce, “‘Smart Contracts’ Legal Primer,” January 2018, digitalchamber.org/wp-content/uploads/2018/02/Smart-Contracts-Legal-Primer-02.01.2018.pdf


In the European Union, the Electronic Identification, Authentication and Trust Services (eIDAS) Regulation
(910/2014/EC) outlines the basis for legal acceptance of smart contracts. eIDAS requires establishment of:

• Basic electronic signatures—Granted the same legal effect and admissibility in legal proceedings.
• Advanced electronic signatures—Call for unique identification and authentication of the signer and ability to verify the signing through the
use of digital certificates, with the user’s uniquely held private keys.
• Qualified electronic signatures—Apply to certificates that can be used by a certificate authority, such as hardware security tokens.
• Electronic seals—Similar to electronic signatures, but for corporate entities.

Other regulations apply to the use and exchange of cryptotokens. The following examples are primarily US regulations,
but there are similar regulatory regimes that may cover cryptotokens in other countries:

• Money—Cryptotoken transaction platforms and exchanges may need a money transmitter license (MTL) to operate. In the United States,
each state has its own MTL.
• Commodities—Crypto derivatives, swaps and futures may be regulated under commodities laws.[20] Transaction venues for swaps may
need to be licensed as a swap execution facility (SEF).
• Securities—Tokens may be securities that are governed under securities laws.[21] The issuance of tokens as securities is an ongoing
challenge for issuers and regulators. The SEC has become increasingly active in policing issuers, launching investigations, and
enforcement actions and penalties, which can be millions of US dollars.[22]

In addition to these considerations, regulators set up rules to ensure that enterprise business activity does not support
crime, terrorism or embargoed countries. In the United States, the Financial Crimes Enforcement Network (FinCEN) sets
requirements for financial institutions. Different industries and countries may have different requirements.[23]

The requirements cited in this section do not constitute a comprehensive list of the laws and regulations related to
blockchain activities. Enterprises are advised to seek competent legal advice about pertinent regulations before
initiating a blockchain implementation.

Getting Started with Blockchain


The first thing to determine in considering blockchain is whether the enterprise actually needs to use it. Not all
enterprises do. Executives should examine how the enterprise shares and manages data value transactions, both within
and outside the enterprise (with vendors, customers, partners, etc.), and ask: How does the enterprise do these things
and why does it do them that way? Areas where multiple points require data reconciliation, where data are widely
shared and where the amount of resources and effort spent on those activities seems excessive may be prime
candidates for blockchain implementation.

Strategic issues must be considered:

• If the enterprise finds itself doing business with an increasing number of enterprises that use blockchain, how will that affect the
enterprise ecosystem in several years?
• What will be the impact on the enterprise if its operations cannot match the operations of blockchain-using partners or competitors?
• What type of competitive advantage can be gained (e.g., reduced cost, greater efficiencies, more immediate and reliable information) if
blockchain is implemented?

[20] In the United States, commodities, derivatives, swaps and futures are primarily regulated by the Commodity Futures Trading Commission (CFTC).
[21] In the United States, securities are primarily regulated by the Securities Exchange Commission (SEC).
[22] Public information about these regulatory actions can be found at www.sec.gov/spotlight/cybersecurity-enforcement-actions.
[23] FinCEN’s four core elements of customer due diligence for financial institutions can be found at www.federalregister.gov/documents/2016/05/11/2016-10567/customer-due-diligence-requirements-for-financial-institutions.


Although executives can take the lead in shaping the discussion around business aspects of implementing blockchain,
they should not do that in a vacuum. Representatives from at least three areas should be involved in the conversation:

• Technology team/chief technology officer/chief information security officer—They have insight into the technology that is needed and
the IT risk it may entail.
• Product team/frontline employees—They have first-hand insight into how blockchain may affect the products/services that the enterprise
offers and how the changes are likely to be received by customers/partners/vendors.
• Legal team (external or internal)—They can advise on regulatory issues and changes that may be needed in contracts and other legal documents.

At this stage, the discussion should remain at a high level. It is important to resist the temptation to start designing a
solution before completely understanding the situation. Some pertinent questions may include:
• What systems and processes are part of the technology that the enterprise is seeking to replace or upgrade?
• Will the use of blockchain technology allow for portions of the existing process or workflow to be removed?
• What database(s) are involved, and what type of data are used? How are the data used and who owns the data?
• How many stakeholders add to/review data in the current database and processes? The blockchain platform must accommodate how
each stakeholder functions in the workflow.
• What is the trust profile of each stakeholder? For each use case under consideration, it is important to define how the network of
stakeholders will arrive at consensus. This entails knowing how consensus was achieved previously and how such consensus will be
replicated in the new system (which may contain a reduced number of intermediaries).
• Will new or existing intermediaries (e.g., new vendors, partners) add complexity?

Depending on the answers to these (and other) questions, even more granular questions and discussions may arise,
ultimately leading to specific, purposeful activities, such as the following:
• Defining the specific enterprise problem should include talking to internal and external clients and other stakeholders for whom an enterprise process problem exists (for example, an inefficient supply chain or incorrect data).
• Determining whether the stated problem can be solved with existing technology solutions.
• Identifying the specific stakeholders involved and determining whether they will support the use of blockchain technology. Any implementation is a collective process among system champions, IT leaders, implementation teams and the entire organization. Engagement and communications with all stakeholders throughout the implementation process must be sustained. Executive management and business unit managers must support not just the elaboration of the problem but also that blockchain is seen as an optimal solution to the problem and an ideal use case.

Executives should examine how the enterprise shares and manages data value transactions, both within and outside the enterprise (with vendors, customers, partners, etc.), and ask: How does the enterprise do these things and why does it do them that way?

After the blockchain solution is implemented, it is critical to establish a monitoring and reporting system, to ensure that
performance remains at expected levels and problems and potential opportunities are identified promptly.


Conclusion
Implementing emerging technologies such as blockchain can set an enterprise above the competition and help it achieve
internal organizational goals. Yet any implementation of new technology entails risk along with rewards.

Blockchain builds on several trusted technologies to create its unique structure and features, including:
• Openness
• Decentralized infrastructure
• Anonymous transactions
• Ensured identity
• Elimination of third-party attestation

The adoption process, however, does not stop at implementation. Continual development, maintenance, testing, and
auditing functions of blockchain systems need to be implemented in order to ensure functionality and compliance
requirements are being met. As with any new technology, blockchain requires specific attention to the systems and
software that enable the technology. This requires specialized frameworks and guidance on implementation and
performing these functions on a system. Tailored frameworks like ISACA’s Blockchain Framework and Guidance²⁴
enable enterprises to accomplish all these tasks, giving them the boost they need to utilize blockchain technology and
shape its future.

24 ISACA, Blockchain Framework and Guidance, USA, 2020, https://www.isaca.org/bookstore/bookstore-misc-ebook/wbfg


Acknowledgments
ISACA would like to recognize:

Board of Directors
Tracey Dedrick, Chair
Former Chief Risk Officer, Hudson City Bancorp, USA

Rolf von Roessing, Vice-Chair
CISA, CISM, CGEIT, CDPSE, CISSP, FBCI
Partner, FORFA Consulting AG, Switzerland

Gabriela Hernandez-Cardoso
Independent Board Member, Mexico

Pam Nigro
CISA, CRISC, CGEIT, CRMA
Vice President–Information Technology, Security Officer, Home Access Health, USA

Maureen O’Connell
Board Chair, Acacia Research (NASDAQ), Former Chief Financial Officer and Chief Administration Officer, Scholastic, Inc., USA

David Samuelson
Chief Executive Officer, ISACA, USA

Gerrard Schmid
President and Chief Executive Officer, Diebold Nixdorf, USA

Gregory Touhill
CISM, CISSP
President, AppGate Federal Group, USA

Asaf Weisberg
CISA, CRISC, CISM, CGEIT
Chief Executive Officer, introSight Ltd., Israel

Anna Yip
Chief Executive Officer, SmarTone Telecommunications Limited, Hong Kong

Brennan P. Baybeck
CISA, CRISC, CISM, CISSP
ISACA Board Chair, 2019-2020
Vice President and Chief Information Security Officer for Customer Services, Oracle Corporation, USA

Rob Clyde
CISM
ISACA Board Chair, 2018-2019
Independent Director, Titus, and Executive Chair, White Cloud Security, USA

Chris K. Dimitriadis, Ph.D.
CISA, CRISC, CISM
ISACA Board Chair, 2015-2017
Group Chief Executive Officer, INTRALOT, Greece


About ISACA
For more than 50 years, ISACA® (www.isaca.org) has advanced the best talent, expertise and learning in technology. ISACA equips individuals with knowledge, credentials, education and community to progress their careers and transform their organizations, and enables enterprises to train and build quality teams. ISACA is a global professional association and learning organization that leverages the expertise of its 145,000 members who work in information security, governance, assurance, risk and privacy to drive innovation through technology. It has a presence in 188 countries, including more than 220 chapters worldwide.

1700 E. Golf Road, Suite 400
Schaumburg, IL 60173, USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
Support: support.isaca.org
Website: www.isaca.org
Provide Feedback: https://support.isaca.org
Participate in the ISACA Online Forums: https://engage.isaca.org/onlineforums
Twitter: www.twitter.com/ISACANews
LinkedIn: www.linkedin.com/company/isaca
Facebook: www.facebook.com/ISACAGlobal
Instagram: www.instagram.com/isacanews/

DISCLAIMER

ISACA has designed and created Blockchain—An Executive View (the “Work”) primarily as an educational resource for professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

RESERVATION OF RIGHTS

© 2020 ISACA. All rights reserved.
