CIO

What is security’s role in digital transformation?

Digital transformation is front of mind for many senior executives, but too often security is left behind.

Digital transformation (DX) is about digitizing processes and services so businesses can be more agile and operate more efficiently, from delivering customer service to improving processes with supply chain partners. It is the marketing team that wants to transform how it promotes product, the HR division that wishes to improve recruitment, and the IT team that wants to iterate online services in an instant.

To initiate a DX project, organizations need to bring together people, process and technology in the planning and strategy phase, offering them an opportunity to see where technologies like data analytics, internet of things (IoT), mobile and social can make a difference. However, many believe that information security is too often left out of the loop.

Security-less digital transformation increases risk

As IT and business fast-track initiatives like agile and DevOps to improve speed to market, security’s role is confined to asking questions afterwards about the knock-on impact on risk and security. In short, digital transformation is so rooted in giving value to the customer (or equivalent) that little consideration is giving to the impact on core security functions.

The rise in data breach and vulnerability figures has led some to suggest that security-less digital transformation leaves organizations at greater risk. Gartner recently predicted that 60 percent of digital businesses will suffer major service failures by 2020 due to the inability of security teams to manage digital risk.

“Digital business moves at a faster pace than traditional business, and traditional security approaches designed for maximum control will no longer work in the new era of digital innovation,” cited the Gartner report.

Is security being left behind with digital transformation?

Existing DX projects often fall down because they involve security late or not at all. Research from Dell and Dimensional Research suggested this to be the case, with chief among the reasons that business executives feared their digital transformation efforts could be hampered or blocked by the intervention of the security team.

Small signs indicate that the tide is changing. Record numbers of breaches, buggy IoT software, and the security-by-design movement (no doubt bolstered by the EU’s GDPR) have seen greater focus across the board on security. “Today, we are now seeing security has become a top-tier agenda item for all organizations and CIOs,” says analyst Nick McQuire, who leads CCS Insight's enterprise research practice.

“Over 70 percent of businesses we survey across the US and Europe have indicated their security budgets are increasing, with close to half saying it is likely they will be hit by a cyberattack in the next few years. Data security is the top investment priority for digital workplace and the main challenge to rolling out mobile applications, often the tip of the spear for digital transformation strategies,” says McQuire. “What has certainly changed is that today security has become not only a key technical priority but also a business one as well.”

This view isn’t shared by everyone. “My experience talking to many companies is that they pay lip service to security and that it is not a major component of the digital transformation process,” says Jack Gold, founder and principal analyst at J. Gold Associates, LLC.

This, he says, is down to CEOs who know it’s important but don’t know what it means, as well as technological “patchwork” involving a variety of solutions from different vendors. “It’s really difficult to bring it all together,” Gold says.

McQuire admits that companies do struggle to keep up with the technological progress. “Many firms are simply unable to keep up with the rapid technology changes. The threat landscape is transforming before our eyes with malware, ransomware, and phishing attacks all rising rapidly,” he says. “There is also significant regulatory change occurring in the form of GDPR, which adds new pressures and holds those with weak security and privacy processes financially accountable.”

“You combine this with a general lack of security talent in most firms and the fact that most run a complex web of legacy security technologies that don’t properly protect them from employees who now access work information across a mix of devices and cloud apps, and you have a security market that is booming,” McQuire adds. “This is why newer security technologies such as cloud access security, user behavior analytics and machine learning, identity as a service, multifactor authentication, and mobile threat defense for example are on the rise. These technologies represent the new layers of a modern security stack that protects organizations that must protect more and more company data that lives outside their perimeter.”

What is security role’s with digital transformation?

DX has a number of phases, but it’s unclear where security naturally fits in. Going by Altimeter Group’s six stages of business as usual (same old, same old), present and active (pockets of innovation), formalized (scaling out), strategic (business-wide collaboration begins), converged (dedicated DX teams), and innovative and adaptive (digital transformation becomes new normal), it is arguable that security could and should be involved in all stages, or at least in the latter phases.

CISOs, it appears, are trying to be present throughout the entire DX process. For instance, at an event late last year, Los Angeles CISO Timothy Lee said that CISOs that embrace digital transformation may help an organization adapt to a rapidly evolving global marketplace. "Our job is not just about managing opportunity and risk. Our role is shifting toward making cybersecurity a business enabler and part of the foundation of digital transformation," Lee said.

Meanwhile, Xerox CISO Alissa Johnson (former deputy CIO at the White House) has also said that CISOs need to put “security in the very beginning of the design process,” and that by blocking innovation, these same CISOs “can hinder your company’s ability to compete and stay relevant.”

At last week’s CSO50 conference, National Oilwell Varco CIO and CISO Alex Phillips explained how he rethought security infrastructure for digital, but with a trusted partner and a step-by-step process. This progress also chimes with Gold’s views that security needs to undergo its own transformation, and not simply be a service provider to all others.

It was former CISO and chief privacy officer Doug Copley, now principal analyst at Duo Security, who perhaps captured the digital transformation quandary the best, suggesting that CISOs simply have to respond both culturally and technologically to the new “building blocks” of an information age dominated by IaaS, microservices and APIs. “For those in a CISO or similar role, enabling your organization’s adoption of new business models and new technologies is the new norm, and is a base requirement for your role.”

Discussing the stages where security gets involved, McQuire agrees that security should be involved from the very start. “Security should be at the forefront of all digital transformation initiatives, ideally at the planning and design stages right at the beginning. Too often, I see projects that get delayed or railroaded because they are not designed with security in mind or the right principles from the outset. Therefore, when the security team does finally get involved, the entire project gets red flagged,” he says. “Firms that ensure security is part of the digital transformation effort…right from the beginning…are those that I have seen not only succeed in the long run but also move faster in terms of getting to market in today’s climate as well.”

Does digital transformation require new security solutions?

It is little surprise, then, in this digital age where we’re told security is as much now about response as prevention, that McQuire sees a demand for new technologies to bolster security. “The requirements for security are changing as the perimeter disappears,” he says. We are seeing a shift in focus now from customers having a complex mix of largely defensive security products that in many cases don’t speak to one another to requiring a more integrated and complete security platform that enables detection and response as well.

“The shift in need from defense mainly to defense, detect and response is largely fueled by the need for visibility across their infrastructure - across devices, networks and apps both on premises and in the cloud,” McQuire continues. “This has been a massive change as companies need to be able to detect threats across a wider attack surface and respond quicker than ever before to avoid reputation damage and compliance risk. It is why we are seeing security categories in the market merging and M&A activity rising over the past few years as the security market reshapes itself for this new era. Modern security technologies will help firms establish security architectures which are fit for purpose for the mobile and cloud era in computing and a new age in data compliance under GDPR.”

Gold sees potential for artificial intelligence (AI) to bring together “loose systems,” offering up new insight on networks to “find the needle in the haystack.” “New technology is not only required for digital transformation, but also to enable CISOs to implement new models of security,” he says.

Ultimately, the analyst says teams must have an executive in charge of digital transformation who gets security (or has staff that do), has the appropriate resources and can then educate the organization on why security is important. “If your company is in the process of digital transformation and not including security you’re going to fail. Without security, digital transformation doesn’t amount to much.”