Digital transformation can mean many different things to a variety of business leaders. But at its core, it is the process of integrating digital technologies into business practice. Organizations embark on a digital transformation journey for more efficiency, increased cost savings, enhanced customer experience and better productivity, just to name a few reasons. Research firm IDC estimates that spending on digital transformation will reach $1.7 trillion worldwide by the end of 2019—up 42 percent in the year prior.
But as digital transformation sweeps business planning around the world, one thing that continues to emerge as a roadblock in the process is security. SoftServe, a consulting and research firm, reports that 55 percent of companies indicate that cybersecurity is their biggest concern when making digital business transformation investments. And the Harvard Business Review cited security as one of the top 10 obstacles to digital business transformation.
Part of this tension involves answering the question of where and when security should be involved in the planning and process of digital transformation initiatives. While organizations may be reluctant to involve security teams early on out of concern about stifling innovation, many security leaders see that as a mistake.
“There are very few companies that are building cyber and privacy risk management into their digital transformation,” said Sean Joyce, PricewaterhouseCoopers’ US Cybersecurity and Privacy Leader, in response to PwC’s 2018 Global State of Information Security Survey (GSISS), which was released earlier this year.
That’s concerning, considering the impact digital transformation is having on each organization’s risk posture. With more devices on a network and a larger attack surface, the very process of building digital technology into business is opening each organization up to more threats. According to research from Fortinet, 85 percent of CISOs think security issues during digital transformation had a “somewhat” to “extremely large” business impact. The data makes a compelling case for why security needs a seat at the table from the outset of digital transformation planning.
“Digital transformation cannot be successfully implemented without the security team’s input and they must have a seat at the table from the beginning,” said Matthew Rose, Global Director Application Security Strategy, Checkmarx. “You are changing legacy processes to a new platform that requires new technology components and software to achieve success. By leveraging the expertise of the security team from the beginning stages of the digital transformation design, you will save significant time and money associated with rework or redesign to account for security risk that is identified after the digital transformation is rolled out.”
Yet, research from Dimensional Research and One Identity found only 18 percent of organizations agreed that their security team had been involved in all of their digital transformation projects, and 76 percent noted that security considerations were added too late in the project.
How can security leaders get a seat at the table at the start when it comes to digital transformation efforts and ensure risk concerns are addressed? In a blog post on the topic, Darron Gibbard, managing director EMEA North at Qualys, argues companies need to look to digital transformation as an opportunity to make the case for an organizational security transformation as well.
“Rather than being gatekeepers and guardians, IT security teams have to provide guidance and best practice to everyone across the business and then ensure that those rules are enforced appropriately,” said Gibbard.
This means building security priorities into the process and advocating for how enhanced security is better for business and an integral part of the digital transformation process. Making executive leadership aware of the state of security before embarking on the digital transformation journey is key to getting security a seat at the table from day one.
“Baseline your organization’s current cyber hygiene before implementing any digital transformation efforts,” said Josh Mayfield, director of security strategy at Absolute. “Start with asset intelligence—an intimate awareness of what makes up your IT environment. Then, form red teams to identify and assess risks, test assumptions and reveal the security blind spots for your organization.”
It is after this thorough examination of cyber hygiene that CISOs and security managers can be in a strategic position to make recommendations for moving from legacy technology to modern infrastructures, such as cloud-based solutions, for both security and efficiency.
“Legacy on-premises applications, such as CRMs and email, can be replaced by modern SaaS solutions such as Microsoft’s Office 365,” noted Ron Gula, president and co-founder of Gula Tech Adventures. “These apps are often less expensive to operate and are at a higher state of security and resilience than doing similar things with internal processes.”
While security is still lobbying to have early input into digital transformation planning, that doesn’t mean it is not a consideration. Research firm Lucid surveyed IT leaders on behalf of Nintex and found 49 percent think that better cybersecurity protection is one of the reasons their company is looking at digital transformation. This means there is no better executive to be a key stakeholder in this process than the CISO.
Risk management as a part of your business’s digital transformation efforts can’t be added in after changes have taken place. It needs attention at the start of the process, and across the organization.