Organizations these days constantly talk about or dive into digital transformation initiatives. And why not? These efforts can lead to greater efficiencies, increased agility and better customer experience — to name just a few of the benefits.
The problem is that many companies plunge into transformations without really considering the cybersecurity and regulatory compliance ramifications of these efforts.
Sure, organizations deploy all kinds of security tools and services — and that’s an important aspect of creating security and compliance programs. But they don’t think enough about how they need to change processes, procedures and organizational structures. For an enterprise to truly transform itself and secure that transformation, it needs to change its culture.
Change is never easy, especially when people are happy with the way things are currently done. That certainly applies to CISOs, CIOs, CTOs, and others involved in cybersecurity and compliance leadership — as well as to end users. But deploying every available security technology without making the needed changes in processes, procedures and organizational structures will likely result in frustration and, in the worst case, failure from a defense and compliance standpoint.
Here are some of the changes that organizations will need to consider in these areas.
Many business processes and security procedures will need to be changed to bolster security.
One big area that needs tweaking is securing user identity. This is one of the most exploited vectors. All that needs to happen is for a user to fall for a phishing attack, and attackers will have a foot in the door. From there, they know they can begin a search for elevated privileges.
This is where multi-factor authentication (MFA) should be the bare minimum for user access to networks and other assets. While these methods are not perfect, they make it difficult enough for attackers that they might give up and look for another target.
MFA makes it much harder to compromise accounts. Organizations should also stop requiring password changes every month and placing an overly complex burden on users. At a minimum, security teams should encourage passphrases, which are easier to remember because they are basically a sentence, and much harder to guess or crack.
Organizations should also reduce the number of accounts with administrative rights and use a privileged access system, where users request elevated privileges for a fixed purpose and a fixed time, and those privileges are automatically revoked when that period ends.
Many people are surprised to find that they have hundreds of accounts with administrative rights because they were supposed to be temporary, but were never removed.
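The two preceding paragraphs describe the mechanism a privileged access system needs: a record of who was elevated, why, and until when, plus a job that compares actual admin group membership against that record and removes anyone whose grant has expired or was never recorded. The following Python sketch is an added example, not code from the article or from any particular product; the eight-hour ceiling, the "standing exceptions" set for a break-glass account, and the constructed group membership and grants are all assumptions made for illustration.

```python
"""Time-bound privilege grants with automatic revocation (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy ceiling for a single elevation; an assumed value, not one from the article.
MAX_GRANT = timedelta(hours=8)


@dataclass(frozen=True)
class Grant:
    user: str
    role: str          # the admin group or role the user is elevated into
    purpose: str       # ticket or reason recorded at request time
    granted_at: datetime
    expires_at: datetime


class PrivilegeLedger:
    """Records who holds an elevated role, why, and until when."""

    def __init__(self, standing_exceptions=frozenset()):
        # Accounts allowed to hold the role permanently (e.g. a sealed break-glass account).
        # Keeping this list explicit is what makes every other admin a temporary one.
        self.standing_exceptions = frozenset(standing_exceptions)
        self._grants = {}  # (user, role) -> Grant

    def request(self, user, role, purpose, duration, now):
        """Grant elevation for a stated purpose and a bounded duration."""
        if not purpose.strip():
            raise ValueError("elevation requires a stated purpose")
        if not timedelta(0) < duration <= MAX_GRANT:
            raise ValueError(f"duration must be between 0 and {MAX_GRANT}")
        grant = Grant(user, role, purpose, now, now + duration)
        self._grants[(user, role)] = grant
        return grant

    def is_active(self, user, role, now):
        """True if the user may currently hold the role."""
        if user in self.standing_exceptions:
            return True
        grant = self._grants.get((user, role))
        return grant is not None and grant.expires_at > now

    def reconcile(self, role, current_members, now):
        """Compare actual group membership with the ledger.

        Returns (remove, keep): members whose grant expired, or who have no
        grant on record, go in 'remove'. That list is what a scheduled job
        would act on, so 'temporary' admins never silently become permanent.
        """
        remove = sorted(m for m in current_members if not self.is_active(m, role, now))
        keep = sorted(m for m in current_members if self.is_active(m, role, now))
        return remove, keep


def demo():
    """Constructed scenario: four members of an admin group, only one with a live grant."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    ledger = PrivilegeLedger(standing_exceptions={"break-glass-admin"})
    role = "server-admins"
    # alice: requested 4 hours ago for 8 hours, so still active
    ledger.request("alice", role, "CHG-1234 patch rollout",
                   timedelta(hours=8), now - timedelta(hours=4))
    # bob: requested two days ago for 4 hours, expired but never removed
    ledger.request("bob", role, "CHG-1100 log disk cleanup",
                   timedelta(hours=4), now - timedelta(days=2))
    # carol: present in the group with no grant on record at all
    members = ["alice", "bob", "carol", "break-glass-admin"]
    remove, keep = ledger.reconcile(role, members, now)
    return {"remove": remove, "keep": keep}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the `members` list would come from the directory or cloud IAM API and `remove` would feed the revocation call; the useful property is that the reconcile step runs on a schedule, so the "hundreds of temporary admins" situation cannot accumulate unnoticed.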
Instead of creating “golden images,” which take considerable time to create and manage, use a baseline operating system image and application packages, so there is less to update and maintain. To complete the transformation, deploy a software catalog and self-service client so that users don’t need local admin rights to install applications.
Another good practice from a process perspective is something many organizations are already trying to do: automate as many things as possible. Automation of routine tasks reduces human mistakes and frees up staff time to work on higher-level projects.
In addition, apply software patches and updates as soon as possible. Waiting 90 days or more to “vet” an update to make sure there’s no negative impact on systems doesn’t make sense — especially when the time between a discovered vulnerability and an exploit of that vulnerability is about 22 days. There is a tradeoff of possible outage vs. a breach but often the validation period can be shortened with minimal risk.
Keep in mind that any changes in processes and procedures will likely displease some people. For example, in the education sector, many teachers do not want IT to deploy MFA, claiming that students would never accept it. In reality, the students are fine with MFA as part of the login procedure because they are used to it from getting into their online bank account and even onto their Facebook account.
People entrenched in existing ways of doing things resist change. IT and security teams should not be deterred by the naysayers, and should work together to implement change wherever it is needed.
Organizational structures also need to be tweaked to help support the new culture. For one thing, companies need to break down any information barriers that exist among different departments that should be working together.
The CSO or CISO can't afford to wait on the IT department, operations, or some other unit within the organization for valuable information and insights about threats or vulnerabilities that could help prevent a breach.
Organizationally, many companies still have silos that keep the various stakeholders from collaborating as they should be about security and compliance issues. In addition — and maybe even worse — there are still turf battles that can keep the different factions from working cohesively to protect the organization overall.
The best organizations talk and share information often among the various departments. But to be truly optimal as far as security and compliance are concerned, most forward-thinking organizations have flattened the org to eliminate the silos and turf battles and make sure different technology and business functions work in unison.
Another important element contributing to the silos mentioned above is the reporting structure of top security and compliance leaders such as the CISO. Ideally, the top security executive should report to the CEO, CFO, CTO, or another high-level business executive. That can help eliminate layers of bureaucracy, particularly for areas such as budget approvals.
Having the CISO or other security executives sit in the C-suite and report to top executives ensures that cybersecurity and compliance are high priorities for the organization.
Having a strong leader is essential, but ultimately cybersecurity should be part of everybody’s job. There will always be somewhat of a tradeoff between being secure and having the freedom to innovate. But by creating a new mindset about security, organizations can truly succeed with digital transformation.