Digital transformation is continuously changing the enterprise business-technology stack. What used to be centrally controlled gated perimeters, enterprise-issued endpoints, and on-premises infrastructure has evolved into a sprawling—and ever-increasing—web of software services, cloud infrastructures, and decentralized application services.
For proof, just follow the money. Enterprises now spend some $700 billion annually on digital transformation projects, according to research firm Futurum. Not only does the typical enterprise have more than 200 actively used applications, but 60% of those applications turn over every two years, according to the company’s research. That means that by 2023, 60% of applications used today will be replaced.
That’s an astounding rate, one that is now vexing organizations because of the challenges it presents to cybersecurity. “All of this rapid change has flipped the traditional approaches to security on their head,” says Andy Ellis, advisory chief information security officer (CISO) for Orca Security, a cloud security company, and the former chief security officer at web-security outfit Akamai Technologies. “Throwing more human bodies at the problem is not the answer. It doesn’t scale.”
To keep pace with their organization’s rapid digital transformation efforts, and mitigate security issues, CIOs and CISOs should follow these five practices.
Bring security into digital transformation
Hard to believe that it still needs saying, but security teams must be brought in early on any new digital initiatives. Period. “Security needs to be included in the important early conversations and during the planning,” says John D. Johnson, a senior information security executive at a large processed-food company.
That way, he adds, “we have accountability if something happens, and we have a vital role to play in protecting the company. There’s no way to be effective at securing new digital initiatives by only coming in to fix things when something breaks. We have to be part of the entire conversation so that we can help chart a more secure roadmap for the organization to take advantage of the new digital marketplace.”
Weaving security throughout the organization doesn’t just include decision-making of the entire digital transformation process. Security also needs to be part of everyday business decisions, such as what apps the organization is deploying, what features are added to those apps, where data are stored, and who can access that data.
“You want everybody to be marching down the same path and understand the importance of business change,” says Scott Crawford, information security research head at 451 Research. “That means you need to have user awareness, and you need to work at building a healthy corporate culture.”
Shift security left
While security needs to be woven throughout your digital transformation, it is especially true for DevOps processes and software application development. Wim Remes, CEO and founder of Belgium-based information security consultancy Wire Security, has seen this firsthand. DevOps can result in higher software quality and security and can do so consistently, he says, but “it requires security capabilities to be well aligned with development and IT operations that take into account the threat model of software and continuously monitor for defects that will be remediated.”
Chris Blow, director of offensive security at Liberty Mutual Insurance, agrees and adds: When security is properly integrated into development, cyberdefense is built into the development pipeline instead of occurring after the software has been deployed. “This makes secure development scalable and swift,” Blow says.
Automate what you can
Manual processes don’t scale—thus the rise in process automation across a wide range of enterprise applications and workflows, from accounting invoice tracking to HR onboarding. Automation reduces human error, increases productivity, and boosts employee job satisfaction by freeing workers to pursue higher-level tasks. Automation should be a goal for cybersecurity as well.
Fortunately, the increase in application programming interfaces (APIs) and the ability to automate security operations—such as application security scans, system vulnerability and configuration assessments, and user provisioning—make this possible.
“Enterprises need to think in terms of continuous automated security testing and validation,” says Crawford.
Ellis agrees, adding: “Today, security is largely about the ability to automate. You have to automate so you stop spending time doing repeatable tasks. If you aren’t already doing this, you’re behind.” To get ahead, or at least catch up, he advises security and technology teams to use modern APIs and integration capabilities to monitor network configurations for security issues. “You have to figure out how to make integrations cheap and easy so that you can monitor them easily,” he says.
When systems are rapidly deployed, security basics must also be adopted quickly. That means systems need to be patched and up-to-date, system configurations correctly set, endpoints and networks scanned for threats and malware, data and systems backed up, and unnecessary services shut down, among many other security health essentials.
“Basic hygiene needs to be in place to have system agility, because if you don’t have basic hygiene, then it’s hard to perform more sophisticated capabilities during a new initiative or transformation,” says Campbell’s Johnson.
Crawford agrees. “It’s important to step back and make sure you have things like a coherent inventory of what assets are in place and who’s responsible to maintain and secure them as the technology footprint evolves,” he says.
Focus on higher-value, regulated data
There’s a statistical model that investment bankers use to quantify the extent of possible losses within a financial firm, portfolio, or position over a specific time frame. It’s called value at risk (VaR). For CISOs evaluating their organization’s security risk, VaR has become an increasingly important tool.
Security leaders need to quantify their digital risks based on the value of systems and data, which eases their ability to make cybersecurity investment decisions. The cyber VaR model looks at the potential financial loss caused by a security incident, its time frame, and the probability of its occurring. This lets CISOs discuss cybersecurity risks in a business context with key executives.
Focusing on the risks that matter is essential. If security teams want to keep pace with their organization’s digital transformation efforts, they need to be well versed in its risk score. Otherwise, they’ll be swamped by the unknowable.
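As an added illustration of the cyber VaR model described above (not part of the original article), the following Python computes value at risk from a handful of incident scenarios, each with a probability of occurring within the chosen time frame and a loss if it does. The scenario names and figures are constructed, hypothetical values; the code enumerates every combination of incidents to get the exact loss distribution, then reads off the VaR at a given confidence level and ranks scenarios by expected loss.

```python
from itertools import product
from typing import Dict, List, Tuple

# Constructed, hypothetical scenarios (not figures from the article):
# (name, probability of occurring within the time frame, loss if it occurs)
SCENARIOS: List[Tuple[str, float, float]] = [
    ("ransomware on ERP", 0.10, 2_000_000.0),
    ("customer-data breach", 0.05, 5_000_000.0),
    ("cloud misconfiguration exposure", 0.20, 400_000.0),
    ("business-email compromise", 0.30, 150_000.0),
]


def expected_loss(scenarios: List[Tuple[str, float, float]]) -> float:
    """Expected total loss over the time frame: sum of probability * loss."""
    return sum(p * loss for _, p, loss in scenarios)


def rank_by_expected_loss(scenarios: List[Tuple[str, float, float]]) -> List[str]:
    """Scenario names ordered from highest to lowest expected loss,
    i.e. the risks that matter most for investment decisions."""
    return [name for name, _, _ in sorted(scenarios, key=lambda s: -s[1] * s[2])]


def loss_distribution(scenarios: List[Tuple[str, float, float]]) -> Dict[float, float]:
    """Exact probability of each possible total loss, assuming the scenarios
    are independent and each occurs at most once within the time frame."""
    dist: Dict[float, float] = {}
    for outcome in product([0, 1], repeat=len(scenarios)):
        prob, total = 1.0, 0.0
        for hit, (_, p, loss) in zip(outcome, scenarios):
            prob *= p if hit else (1.0 - p)
            total += loss if hit else 0.0
        dist[total] = dist.get(total, 0.0) + prob
    return dist


def value_at_risk(scenarios: List[Tuple[str, float, float]], confidence: float = 0.95) -> float:
    """Smallest loss L such that P(total loss <= L) >= confidence.
    The tolerance absorbs floating-point rounding in the cumulative sum."""
    dist = loss_distribution(scenarios)
    cumulative = 0.0
    for total in sorted(dist):
        cumulative += dist[total]
        if cumulative >= confidence - 1e-9:
            return total
    return max(dist)


if __name__ == "__main__":
    print(f"expected annual loss: {expected_loss(SCENARIOS):,.0f}")
    for conf in (0.90, 0.95, 0.99):
        print(f"VaR at {conf:.0%}: {value_at_risk(SCENARIOS, conf):,.0f}")
    print("priority order:", rank_by_expected_loss(SCENARIOS))
```

With these constructed figures, the 95% VaR is the worst outcome that does not include the customer-data breach, which is what a CISO would put in front of executives as the loss not exceeded with 95% confidence.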
“Security teams are often too small to cover everything that arises within an organization on any given day,” says Crawford. “So if they try to protect everything like it’s a national secret, they likely won’t be able to protect anything very well for long.”