Organizations undergo digital transformation for a variety of reasons, including maximizing insights derived from data, streamlining operations, and adjusting workflows for hybrid work.
Why is digital transformation important for business growth?
There’s no doubting the benefits. But there are potential traps along the road that businesses must also avoid, not least in the form of cyber security risks.
Typical risks may arise from failing to provide adequate resources to match a project’s ambition, lacking proficiency to handle a multi-cloud setup, and failing to align with security frameworks. These ‘bear traps’ can be more prevalent if digital transformation is rushed, and organizations speeding up their efforts must be double vigilant because, with haste, comes a lack of focus.
Prioritizing security, not project outcomes
Security must be the primary concern for any organization undergoing digital transformation, says Rick Hemsley, UK&I government and public sector cyber security lead at EY. That’s the bottom line. Organizations need to “integrate security considerations into every aspect of the development of new systems, processes, and products,” and those that fail to do so “will only be able to take a reactive, whack-a-mole approach to cyber security, instead of adopting a proactive mindset”.
There’s more to avoiding traps than putting security at the heart of digital transformation, though. Organizations need to learn to think differently about security too, says Frank Kim, SANS Institute fellow, cloud curriculum lead, and CISO-in-residence at YL Ventures. “A key metric in the past would have been the mean time to failure, or for something bad to happen.
“But in the modern world, we look at the mean time to recover,” he tells ITPro. “We don’t think about the mean time to failure because we are expected to fail on a regular basis, so recovery is more important.”
This approach resonates with a new attitude towards risk, where risk can’t be eliminated entirely, but needs to be understood and managed effectively.
Speeding up processes heightens risk level
Organizations that decide to speed up digital transformation efforts put themselves at greater risk of leaving cyber security gaps waiting to be exploited, says David Sarginson, head of software development at digital transformation consultancy Opencast. “More change means more risk,” Sarginson explains. “The more change you introduce at any time increases complexity, and therefore the chances of unanticipated consequences.”
Achieving transformative business results with machine learning
Discover why hundreds of thousands of organisations use AWS ML to resolve challenges and create new opportunities within their organisations.
Further complications arise from organizations having a multi-cloud setup, Kim adds, and staff needs to be familiar with the nuances of different cloud setups, he says. “Your security team must be knowledgeable in a multi-cloud environment in each of these areas including the pitfalls, the configurations, and the mistakes that could be made. Ideally, architect from the start what those best practices are into your infrastructure.”
When process speeds are accelerated, there’s less time to get to grips with the nuances, and more opportunity for gaps in security to manifest because security likely won’t be baked in at the outset. “[By] designing best practices directly into the infrastructure code and set-up, you’re providing a paved road for internal stakeholders that need to move to the cloud and adopt these processes,” Kim continues. “When you go off the paved road you know when to pay attention a little more.”
Instigating the right culture
Effectively dealing with cyber security risks associated with digital transformation, whether it’s been sped up or it’s happening at a slower pace, requires a risk-based approach from the outset, says Hemsley. The CIO and security teams should have the right level of knowledge and resources to “create a security framework which is defined by proactivity”, he says.
Managing a blend of legacy and modern IT during digital transformation
Achieving this might need an element of cultural change, and Kim confirms this isn’t always easy. “An organization can’t change culture overnight,” he says. “Depending on the size and the nature of the organization it takes anywhere from three to ten years to change.”
Once organizations then undergo a process of risk awareness, sufficient resources must be allocated, and all employees should be trained on cyber security best practice, adds Sarginson. In addition, his advice includes using frameworks, where possible, like the NIST Cybersecurity Framework or ISO 27001. This may help to make implementing protections more efficient by removing the need to work out a security posture from first principles.
Ultimately, avoiding cyber security bear traps involves taking the proper technical steps and the right cultural ones – or as Kim puts it: “It’s not just about implementing new technology, like lift and shift. It’s about building out your people and building out your processes.”
Do you want to make your voice heard as an IT decision maker? The ITPro Network is a select group of senior IT professionals who contribute to ITPro’s unique content through interviews, opinion, podcast appearances and more.
Members also get access to monthly group chats and other exclusive content and events. Interested? Fill out this form to apply.
(Please note we cannot accept applications from vendors at this time).
