Two years ago, digital transformations had kicked into high gear, with new processes and product development moving ahead at breakneck speed.
As IT and business fast-tracked initiatives like agile and DevOps to improve speed to market, security considerations were often left in the dust.
At the time, Gartner predicted that 60 per cent of digital businesses would suffer major service failures by 2020 due to the inability of security teams to manage digital risk.
High-profile security lapses ensued as expected, although it’s hard to pinpoint that digital projects were the leading cause. “Regardless of whether highly publicised breaches were directly linked to digital transformation, they got business leaders thinking again about risk and solutions that minimise risk,” says Pete Lindstrom, vice president of security research at IDC.
Today, some 62 per cent of global executives rank cyber attacks and threats as one of their organisation’s highest risk management priorities in 2020, according to a Marsh & McLennan survey of 1,500 executives.
Overall, security’s role in digital transformation has improved both in awareness and involvement in earlier stages of the design process, but CISOs are still grappling with visibility into the breadth of projects in their ecosystems.
Security’s challenge: keeping pace
IT decision-makers are not only including cyber security among their top considerations when it comes to digital transformation, but it is also their second biggest investment priority (35 per cent), just below the cloud (37 per cent), according to a recent Altimeter survey.
Investments in transformative technologies can be meaningless if they can’t protect the business, its customers or other vital assets, and the complexity and speed of development continues to challenge even the largest security operations.
“The battle being fought is moving faster than our decision cycle. If you’re moving slower, then you’re irrelevant from a leadership perspective,” says Dr. Abel Sanchez, executive director and research scientist at the Massachusetts Institute of Technology’s Laboratory for Manufacturing and Productivity. Agility, flexibility and rapid decision-making are required in security, as well as in development, he adds.
At global energy solutions company Schneider Electric, cyber security is at the center of its transformation strategy. Global CISO Christophe Blassiau grappled with gaining visibility of the entire organisation due to complex combinations of acquisitions and the many different activities of the company – from R&D to supply chain to services.
IT and operational technology (OT) integration also brings new connectivity, data sources and potential vulnerabilities that need protecting, and his team must connect the dots between the company’s security and its ecosystem of partners and vendors.
“We didn’t have the right level of ownership or aptitude everywhere, so we started by designing and organising the new governance set up across the company,” Blassiau says. "I didn’t want to grow bigger teams because you give the impression that it will be fixed by someone else. Here, security is everyone’s responsibility."
Instead, Schneider took a dual approach to cyber, creating a digital cybersecurity practice and embedding cyber professionals (digital risk managers and regional CISOs) in each practice and throughout the company to create a community of cyber leaders who are trained and focused on specific cyber risks.
The move gave Blassiau “a sense of control in the digital space. There is a cyber leader reporting to every digital practice executive leader and reporting to me,” he says.
Security teams must transform, too
The challenge for security teams remains how to add security at the speed of digital transformation and ensure that security spans every new internal digital process and external product developed or internet opportunity created. Much of the solution comes down to the culture of the IT and security departments, Sanchez says.
“Security teams have to go through a transformation, as well.” It’s not easy, he cautions, and many workers must be willing to learn new skills to be able to interact with the business organisation.
Some of it can be accomplished through reorganisation, Sanchez says. Testers in many practices, for example, are disappearing, and testing is now done by software engineers.
“Who knows better how to secure this product than the one who created it?” The same can be done with other areas of development, he adds.
“You may also need different talent, or the talent that you have needs to change. You may lose a bunch of people, but they need to fit. You need that type of person that can do the innovation and introduce it,” Sanchez says. “The world is just moving too fast.”
The good news is that security teams as a whole are becoming more approachable and part of the business, leading to better relationships, says Matt Handler, CEO of Security for the Americas at NTT, a large global consultancy and managed security services provider that offers digital transformation services.
“Security teams are learning that they can’t be the ‘Office of No’ all the time. They have to be agile, flexible and be seen as an enabler instead of a blocker,” Handler says. “This just happened in the last year or so.”
The CISO must evolve, too, and take on the role of internal advisor and collaborator to the departments that are deploying the applications or new technologies, Handler adds. “Instead of no, say ‘let’s see how can we do this as fast as possible and do it safely.’ That phrase alone, I think, changes the game for a CISO.”
Baking security in
CISOs have been touting for years that security needs to be inserted at the very beginning of the design process. Now, thanks to more nimble and dynamic components, this is easier to achieve.
“With cloud in particular,” and the built-in security features that can be utilised, “we can play with that to address risks,” Lindstrom says, “and we’re working up the stack more – away from network and host-based security -- to application, to data layer security, and identity kinds of things.”
In addition, investors are predicting that cybersecurity companies that use machine learning are likely to stand out in 2020, as the number of niche cybersecurity vendors consolidates, although they will face a high level of scrutiny around precisely what they claim their technology can do.
Companies with large pools of security data could combine algorithms, analytics and machine learning to identify and react to threats at lightning speed -- almost as quickly as they’re occurring. Machines can only be as good as the humans that curate them – and as good as the data they’re pattern-matching against, which will take time.
“From a CISO’s perspective, if you’re able to provide security at speed and help the business still achieve their milestones and goals, and security is baked into the process from the beginning, then you’ve got a home run. But that’s definitely a future state,” Handler says.
Are we there yet?
When it comes to cyber security in digital transformations, Sanchez says that more organisations are “past the middle.” They’ve gone through the process of automation, and they’re starting to look to AI and predictive modelling.
“We are on the right track, but that doesn’t mean there won’t be compromises” in the meantime, Sanchez says. “Just like software development across the board had not been integrated (before digital transformation) and now it is, the same is true for security. All of these have to come together now. It just takes time.”