Digital Transformation Requires Security Transformation
Technology can transform a company—but only if it changes processes and deploys people in secure ways.
Before she joined Honeywell, Sheila Jordan says the company’s crucial data—about customers, employees, and partner experiences—lay scattered in silos across different parts of the sprawling conglomerate. That ad-hoc arrangement makes data not just hard to access but hard to secure.
To remedy that, Jordan, the company’s chief digital technology officer, hired 700 people. Together, they united all that data through 40 digital transformation projects. The result: Unified data that can now help create better customer, employee, and partner experiences.
“It’s not about functions talking together,” says Jordan. “It’s about letting the data speak for itself and tell us things we otherwise wouldn’t see.”
Among the things organizations often don’t see—or don’t consider—when they embark on digital transformations, says Jordan, is data vulnerability and visibility. Digital transformation is continuously changing the technology stack. What used to be centrally controlled gated perimeters, enterprise-issued endpoints, and on-premises infrastructure has evolved into a sprawling web of software services, cloud infrastructures, and decentralized application services.
True transformation, says Jordan, happens when companies enable “horizontal” and secure digital experiences: those that involve all operational silos necessary to deliver results and so incorporate every aspect of the business, including cybersecurity.
Honeywell used a “horizontal orientation” to create secure services such as Honeywell Forge. It is an Internet of Things (IoT) platform that can combine a company’s IT operations with its building operations technology (OT), which runs systems such as lighting, HVAC, and electronic access cards. “I can look at information from IT and OT to provide insight about a building, even when it is several thousand miles away,” says Jordan. “That historically wasn’t available” to organizations.
The question for other business and tech leaders considering digital transformation projects: How do you do it successfully and make it secure?
Security as a business partner
By integrating technology into all aspects of a business’s operating model, digital transformation can help businesses achieve scale, develop new products and services, create new markets, improve the customer and employee experience, and manage risk. “Technology changes how business operates,” says Oliver Yao, associate dean at Lehigh University College of Business.
To digitally transform, security must be part of the effort from the start, with a focus on data vulnerability. “We’re in the data business, so things like security, ethics, privacy, compliance, are at the forefront,” says Sandeep Kharidhi, general manager of data and analytics platforms and chief product officer at Deluxe, the financial services company that is best known for making personal and business checks. “Things can go really wrong if you don’t do these things right.”
At Deluxe, information security partners sit at the table with application developers and engineers. The security specialists resist the urge to simply bless an architecture change, says Kharidhi. In that way, they provide a crucial partnership with the app development team.
Once a digital transformation project has been completed, especially one that involves accessing sensitive employee, customer, or partner data, IT teams must make sure that the data remains off limits to the wrong people—both from outside and inside the organization. This is done by ensuring the principle of “least privilege” access to the data and to its administrative rights.
“There has to be a single source of truth for the data and a limited number of people with access to that single source of truth,” says Barbara Rea, chief operating officer at Arden Logistics Parks.
The real estate operating company—which buys, spruces up, and manages light industrial business parks across the country—recently digitally enabled $800 million in operational activities. It plans to expand that to $2 billion. “We’re using tools to estimate the amount of electricity we’re using in HVAC units, so we can understand the lifetime of the unit,” she says. However, when it comes to data and data access, Rea notes, “You can’t let everyone in.”
CISOs and cyber hygiene
Ultimate responsibility for the security of digital transformation rests with the CISO, says Jordan of Honeywell. “I believe it’s the CISO’s job to protect the company’s assets—and data is an asset,” Jordan says. “When you think of an [IT] architecture, you think of all the infrastructure, all the devices, and all the data.”
Regular vulnerability assessment, vulnerability monitoring, software patching, vetting external data, robust threat hunting, and other cyber hygiene issues need to be top of mind, as well.
But the CISO must work together with the CIO to put in place “layers of security,” says Rea, whether it’s keeping bad guys out or protecting assets inside. “Security is everyone’s issue,” she says. Effective cybersecurity involves regular training and testing of personnel: phishing drills, tabletop exercises, and resilience plans as buttoned-down as those for a natural disaster.
“There’s security as far as job classification, and then there’s security in logistics,” says Jean Vixamar, a senior vulnerability management specialist at Verizon. He says security should be separate from IT, especially from a leadership perspective, during digital transformation projects. “You want security professionals to make decisions based on stated and written policies versus a security professional reporting to an IT executive who just wants to move the project forward.”
“Security is a helpmate,” says Vixamar. “At the end of the day, you don’t impede the business from doing what it’s doing to make money. But you want to make sure that as you operate, you do so in a secure manner.”
As companies transform themselves, they need to balance the twin pillars of technology and security. Only then will they produce a meaningful impact.