AI, Blockchain, and Ransomware Context
Key Takeaways
- Emerging technology is governed the same way as any asset: risk-assess against business objectives before adoption, not after.
- Generative AI introduces data-leakage, model-poisoning, prompt-injection, and shadow-AI risks that an acceptable-use policy must address.
- Blockchain offers integrity and non-repudiation but cannot fix bad input data and complicates the right to erasure.
- Ransomware defense favors prevention plus tested, offline, immutable backups; paying the ransom is a last-resort business decision, not a control.
Emerging technology tempts candidates into technical rabbit holes. CISM keeps it managerial: every new technology is governed by the same risk process — understand the business objective, identify the new risks, decide treatment against risk appetite, assign ownership, and monitor. The answer to "the business wants to adopt X" is almost never "ban it" or "adopt it immediately"; it is assess and govern.
Generative AI and large language models
This is the fastest-growing exam topic. The distinct risks a security manager must address are:
| AI risk | Description | Control direction |
|---|---|---|
| Data leakage | Staff paste confidential data into public models | Acceptable-use policy, approved enterprise tools, DLP |
| Shadow AI | Unapproved AI tools used by business units | Discovery, sanctioned alternatives, governance |
| Prompt injection | Malicious input manipulates model output | Input validation, output review, least privilege |
| Model poisoning | Tainted training data corrupts results | Trusted data sources, integrity controls |
| Hallucination / bias | Confident but wrong or unfair output | Human-in-the-loop, accountability for decisions |
The foundational control is an AI acceptable-use policy plus approved tooling — governance first, technical filters second.
Blockchain and distributed ledgers
CISM tests one nuance: blockchain provides strong integrity and non-repudiation (tamper-evident, immutable records) but it cannot guarantee the truth of the data entered — "garbage in, garbage permanently in." Immutability also collides with privacy rights such as the right to erasure (GDPR), because you cannot easily delete a record from a ledger. Smart-contract code flaws are a real risk and must be reviewed like any application.
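The integrity-versus-truth distinction can be seen in a minimal hash-chained ledger. This is an added illustration, not part of the original study text; the record fields, function names, and sample shipments are constructed, and the ledger is a simplified single-writer chain without consensus.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first block


def block_hash(index, prev_hash, record):
    """Hash the block's position, its link to the previous block, and its record."""
    payload = json.dumps(
        {"index": index, "prev": prev_hash, "record": record}, sort_keys=True
    ).encode()
    return hashlib.sha256(payload).hexdigest()


def append(chain, record):
    """Append a record; the ledger never checks whether the record is true."""
    prev = chain[-1]["hash"] if chain else GENESIS
    index = len(chain)
    chain.append({"index": index, "prev": prev, "record": record,
                  "hash": block_hash(index, prev, record)})


def first_broken_block(chain):
    """Return the index of the first block that fails verification, or None."""
    prev = GENESIS
    for block in chain:
        expected = block_hash(block["index"], prev, block["record"])
        if block["prev"] != prev or block["hash"] != expected:
            return block["index"]
        prev = block["hash"]
    return None


def demo():
    chain = []
    # Constructed sample records. The second is false at entry time:
    # the shipment really weighed 400 kg, but 900 kg was keyed in.
    append(chain, {"shipment": "A-1", "weight_kg": 120})
    append(chain, {"shipment": "A-2", "weight_kg": 900})
    append(chain, {"shipment": "A-3", "weight_kg": 75})
    accepted_false_entry = first_broken_block(chain)  # None: chain verifies
    # A later in-place "correction" (or erasure) of block 1 breaks verification.
    chain[1]["record"]["weight_kg"] = 400
    detected_at = first_broken_block(chain)  # 1: stored hash no longer matches
    return accepted_false_entry, detected_at


if __name__ == "__main__":
    print(demo())
```

The false entry verifies cleanly, while the truthful correction is flagged as tampering. The same property is what makes an erasure request hard to honor on a ledger.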
Ransomware
Ransomware is the highest-impact threat in this chapter. The defensible posture is resilience, not payment:
- Prevention: patching, email filtering, least privilege, network segmentation, and user awareness.
- Detection and response: tested incident-response plan with defined roles.
- Recovery: tested, offline or immutable backups following the 3-2-1 rule (3 copies, 2 media types, 1 off-site). The trap is assuming online backups suffice — modern ransomware deliberately encrypts reachable backups.
- Payment: a last-resort business decision weighing legal, ethical, and sanctions risk (paying may be illegal and does not guarantee recovery). It is never a security control.
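The online-backup trap in the recovery bullet can be checked mechanically against a backup inventory. The sketch below is an added example, not part of the original study text; the `BackupCopy` fields and both inventories are constructed, and it assumes the inventory counts the production copy as one of the three.

```python
from dataclasses import dataclass


@dataclass
class BackupCopy:
    name: str
    media: str                    # e.g. "disk", "tape", "object-storage"
    offsite: bool = False         # stored away from the primary site
    reachable: bool = True        # writable with production network access or credentials
    immutable: bool = False       # write-once retention enforced by the storage layer
    restore_tested: bool = False  # a restore from this copy has been exercised


def audit(copies):
    """Return the gaps against 3-2-1 plus the offline-or-immutable requirement."""
    gaps = []
    if len(copies) < 3:
        gaps.append("fewer than 3 copies")
    if len({c.media for c in copies}) < 2:
        gaps.append("fewer than 2 media types")
    if not any(c.offsite for c in copies):
        gaps.append("no off-site copy")
    # A copy survives ransomware only if the attacker cannot overwrite it.
    survivable = [c for c in copies if c.immutable or not c.reachable]
    if not survivable:
        gaps.append("every copy is online and mutable")
    elif not any(c.restore_tested for c in survivable):
        gaps.append("no offline/immutable copy has a tested restore")
    return gaps


# Constructed inventory: satisfies 3-2-1 on paper, yet every copy is reachable.
WEAK = [
    BackupCopy("primary", "disk"),
    BackupCopy("nas-replica", "disk"),
    BackupCopy("cloud-sync", "object-storage", offsite=True),
]

# Constructed inventory: the off-site copy is immutable and restore-tested.
HARDENED = [
    BackupCopy("primary", "disk"),
    BackupCopy("nas-replica", "disk"),
    BackupCopy("locked-vault", "object-storage", offsite=True,
               immutable=True, restore_tested=True),
]

if __name__ == "__main__":
    print(audit(WEAK))
    print(audit(HARDENED))
```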
Worked scenario
A product team wants to feed customer-support transcripts into a public AI chatbot to draft replies. The strongest CISM action is to classify the data, define an acceptable-use policy that prohibits confidential data in unsanctioned models, offer an approved enterprise tool with data controls, and assign ownership — not to ban AI outright or to allow it because "everyone is using it."
Common traps
- Banning emerging tech instead of governing it (or adopting it with no assessment).
- Believing blockchain validates the accuracy of data, not just its integrity.
- Relying on online backups against ransomware, or treating ransom payment as a control.
- Ignoring shadow AI as a data-governance and policy gap.
Governing AI as a third-party and data problem
Much of AI risk is really the chapter's earlier themes in new clothing. A public large-language-model service is a third party that processes your data, so the contract, monitoring, and data-classification disciplines all apply: what does the provider do with prompts, is data used to train shared models, where is it processed, and can the enterprise opt out? When AI is embedded in a vendor's product, it becomes a fourth-party consideration. The CISM extends existing governance rather than inventing a parallel one — an AI acceptable-use policy sits on top of the data-classification and third-party programs already in place.
Ransomware as an incident-management bridge
Ransomware connects this chapter to the Incident Management domain, which carries 30% of the exam. A defensible response is not improvised: it follows a tested incident-response plan with defined roles, an isolation step to limit spread, decision criteria for engaging law enforcement and legal counsel, communication plans for regulators and customers, and recovery from verified clean backups.
The most-tested judgment is sequence and authority — containment and evidence preservation come before restoration, and the decision on whether to pay is escalated to executive and legal leadership, weighed against sanctions exposure, because paying may be unlawful and never guarantees a working key.
Emerging tech and risk appetite
Across AI, blockchain, and beyond, the governing question is always whether the residual risk after controls fits the enterprise's stated risk appetite. New technology often promises business value that justifies accepting some new risk; the CISM's job is to make that trade-off explicit, documented, owned, and monitored, so adoption is a deliberate management decision rather than an unexamined default. That is the difference between governing innovation and being governed by it.
A quick contrast captures the right instinct across all three technologies. For AI, the reflex answer "ban it" loses to "assess, set policy, provide an approved tool." For blockchain, "it makes data trustworthy" loses to "it makes data tamper-evident, but not necessarily true." For ransomware, "keep good online backups" loses to "keep tested, offline or immutable backups and never treat payment as a control." In each case the winning answer is governance-led, proportional, and owned.
Emerging technology questions look intimidating because the terms are new, yet they yield to the same management discipline the rest of the program uses — which is precisely why the CISM blueprint can fold them into existing domains rather than testing them as standalone engineering trivia.
A business unit wants to start using a public generative-AI tool to draft documents. What is the best first management action?
What security property does a blockchain ledger provide, and what does it NOT guarantee?
Which recovery measure most reliably restores operations after a ransomware attack?