The Digital Transformation Journey: Why Security is Key

Kathryn Pick explores what the digital transformation journey can bring to an organization, and outlines why it’s vital that security is at the forefront of innovations

If you want to have a modern day business ready to thrive, it has to be ready for the digital age. Digital transformation is being embraced by companies the world over as they seek to ensure every piece of process is modernized, and that the culture is embraced by staff and customers alike. 

However, to get the recipe just right, security must be the key ingredient. So what can digital transformation bring to an organization, and what strategies must be implemented to make sure the journey is a safe, and secure, one?

"For some companies, ‘digital transformation’ projects are just a cover for what is essentially cost-cutting"

What is Digital  Transformation?
For Tom Rebbeck, research director at Analysys Mason, there is little agreement on the exact definition of digital transformation, but it is something that is broadly being looked at and embraced. 

“For some companies, ‘digital transformation’ projects are just a cover for what is essentially cost-cutting,” he argues. “For others though, there is a gradual transition to different ways of working.”

This can include bigger moves into mobile technologies, looking to the cloud and taking on more automation. However, to make it successful, it has to be about more than just the tech. 

Ruggero Contu, senior research director at Gartner, says: “It also involves the introduction of a new mindset requiring a constant rethinking of business approaches and how technology can support better services, and with that, improve competitiveness.”

Also, of course, no company wants to be bottom of the pile. “There is an element of keeping up with the Jones’ involved,” says Nigel Ng, international vice-president for RSA Security. “If your rival is able to deliver a better customer experience, then they are likely to gain more market share.”

"Anything connected is vulnerable to cyber-attack"

Security’s Part to Play
So, be it utilizing new tools, boosting your company’s culture, or simply down to the brass tacks of outshining your competitors, it is clear why so many businesses are embarking on digital transformation journeys. However, what role does security have to play in this revolution of sorts?

Mike Nelson, vice-president of Internet of Things (IoT) security at DigiCert, celebrates the capabilities of the new technologies businesses are exploring – especially when they are mobile and connected – and lauds the improvements they can bring to companies and their customers. 

“However, there is one big concern that must be addressed before we get too far down this path,” he warns. “Anything connected is vulnerable to cyber-attack. With connected devices, these attacks could come in the form of personal data theft, device manipulation – think hijacking a medical device or mass outages of devices like security cameras – and other catastrophic events.

“Security must be part of the digital transformation journey to ensure consumers and businesses have confidence in the changes.”

Ng from RSA agrees, adding that digital transformation projects are often customer-centric and data-driven, so security and regulation have to be key considerations. 

“Unfortunately though, this isn’t always the case,” he says. “The focus on delivering new technologies before the competition can mean that speed takes precedence over security. Security teams are often seen as the ‘no’ people, who are always finding fault in, or trying to put the brakes on, innovation. 

“This can lead to shortcuts being taken, with security teams being cut out of the loop, meaning insecure services and solutions can enter the marketplace.”

The consequence of this can be dire – from the simpler frustrations of disruption or customer services being taken offline, through to reputational damage, or even the risk of huge regulatory fines that could have a major impact on business operations. 

“So, ultimately, not having security functions involved in supporting the business throughout the process of digital transformation is often a false economy,” adds Ng. “The time that might be saved in the early stages will come back 10-fold when the business has to deal with the ramifications of a breach.”

Jeff Pollard, vice-president and principle analyst at Forrester sums up why security must be involved in one simple reason: “Security flaws can undermine the positive progress the firm makes with all its efforts, and cost it the ground it gained with employees and customers,” he says. 

Although, it is not just a case that certain C-level executives need to look at digital transformation from an overall business perspective – it is important for the infosec professional too. 

“If you secure the way your firm makes money, then you make the security program vital to the company,” says Pollard. “That’s why things like product security and securing innovation efforts are so important as an initiative for security leaders.”

In other words, it boosts the role of a security pro, and makes you a vital source that a firm may not have viewed you as before. 

Staying Safe
So, we have established that digital transformation can bring big benefits, and that security has a major part to play, but how do businesses ensure digitization is done securely?

“From the ground up is probably the key point here,” says Rebbeck. “Security is not something that can be added on later on top of other processes; it needs to be embedded into the new way of thinking. 

“For each step of digital transformation, a business needs to think about how it can be built securely and how that security can be maintained.”

Pollard agrees for the need of early markers, rather than later intervention. “Introduce the concept of minimum viable security as early as possible in the R&D, product management and development efforts,” he says.

“Security and privacy by design need to be more than buzzwords, and the security team needs to adapt its approaches to work within chaotic and dynamic workflows.”

Contu backs his peers, calling for the enthusiasm for each new technology to be matched by the enthusiasm for its security. “Businesses need to start with an assessment of the new risks being introduced by digital transformation,” he says. “Then try to implement new processes and tools that focus on the most critical threats and risks while enabling the business initiative undertaken.”

Ng says, that to truly adopt a working digital risk management strategy when embarking on digital transformation, it has to be a business-wide effort and one that breaks down the barriers between IT, security and the wider workforce.

“To do this effectively, organizations need to combine smart technology, strong processes and employee education.” 

He says this is all dependent on building a workplace security culture that encourages greater security awareness. “The workforce needs to be educated and updated on the security threats and risks they will face in their job if they are to effectively recognize them and take the steps to manage digital risks effectively. 

“An informed workforce can be the thin line between security and risk.” He recommends company-wide training led by CIOs or CISOs which is made available to all staff. 

Moves like this not only ensure that wider culture, and help users to do their job, but they engrain security as a key feature of any business venture into technology. 

“For each step of digital transformation, a business needs to think about how it can be built securely and how that security can be maintained”

The Start of a Beautiful Friendship
These changes do mean there will be a lot of pressure on the security team to encourage the wider business to embrace them and perhaps closer scrutiny of their performance. 

If you shine the spotlight on a previously shadowed part of the business, you have to make sure it highlights the best bits, but alongside this pressure, could digital transformation mean the relationship between a company and its security staff – and security leaders – flourishes rather than falters?

Rebbeck says it can, but it needs the backing of everyone at the top and for that to trickle down. “The leadership team of an organization has to understand and emphasize the importance of security as part of their transformation,” he says. “Again, it is not as an afterthought, but embedded in processes, and not a one-off problem to be ‘solved’ but an ongoing initiative.”

However, Rebbeck is confident such things are already happening. “The importance of security in a business has increased massively in the past few years,” he says. “High-profile security breaches mean that security is no longer just an issue for the IT team, but something that boards are aware of and interested in.”

The likelihood of someone in the business having seen articles about the Marriott hack, the attack on the NHS in the UK, or even having had their own email account compromised, is high. So, it is key to make the connection and show otherwise security blind employees how it plays into their work life, as well as their personal life.

Ng thinks it isn’t just something to try from the top down either, but horizontally as well. “It comes down to the need to break down divisions within the business,” he says. “It’s often easy for different business functions to have their own ideas of what should be a priority, and this can lead to friction when priorities do not align, potentially raising business risk as a result. 

“Instead of working as separate entities, IT, security and the wider organization must focus on communicating with each other and working towards shared goals.”

Digital transformation could be the project that brings that opportunity. “It offers the chance for company-wide communication and for the streamlining of efforts towards securing the business,” he adds. “In this way, security will no longer be side-lined as a task for just the IT teams, and instead will be adopted as a shared responsibility across the entire business.”

Although, it isn’t all on the other employees to embrace security, it is security teams that will have to build on their ability to reach out as well. Contu says: “As a result of the new pressures in place, security is required to improve its relationship with business by aligning and supporting digital transformation rather than trying to block initiatives for the sake of security. 

“The relationship can improve through an improvement in the way security communicates to the board/management and, on the other hand, the business’ better understanding of the new security risks and support of the security efforts to tackle those risks.”

Digital transformation is an exciting, opportunity-filled move for any company to make, and if security is at the top of the agenda, it can become a real success for business. It is also a chance for security professionals to show their skills, their worth and build a broader culture in a company where they are not the underappreciated team that says ‘no’ – they are the forward-thinking team paramount to building a business.

What’s Hot on Infosecurity Magazine?