Digital transformation is undoubtedly a good move for businesses, but it is creating headaches for security professionals who now must safeguard data beyond the traditional network perimeter, on mobile and IoT devices and in the cloud.
One thing is for certain: security in the age of digital must be a top priority and security controls need to be embedded into all applications wherever they reside.
And, as organizations embark on their digital journeys, CISOs and other security leaders should be included in the conversation.
“When an organization delivers the value of digital business to customers, it’s often the case that security professionals are not at the table when critical decisions are being made,” observed the 2017 NTT Security report Embedding cybersecurity into digital transformation. “And without security professionals in the room at the right time, organizations are exposing themselves to business-critical risks that could damage the brand.”
Digital initiatives create new risks, agrees Gartner, noting that “The failure to manage your digital risks is likely to sabotage your digital business and expose your organization to potential impacts well beyond a simple opportunity loss.”
The firm is seeing a shift among clients that are “moving from an approach based on pure prevention to one complemented by a detection and response function -- almost like adding a last-chance safety net to catch any bad things that the prevention layer might have missed,” observes Gorka Sadowski, a senior director and analyst at Gartner.
This trend is being fueled by the maturity of big data technologies, and notably, the sophistication of detection methods based on advanced analytics, such as supervised and unsupervised learning, and soon, deep learning, he says. Additionally, a new class of service providers has emerged, offering managed detection and response (MDR), he says. These providers “can get this function off of a client’s hands and provide a white glove service to organizations,” Sadowski says.
The issues remain much the same
Organizations will find a number of benefits in integrating cyber security processes at the outset. Not only will it strengthen digital transformation projects, but it will also address risk management; reduce the complexity of security architectures and operational models; add value to the digital business team; and prioritize areas of business-critical risk, the report notes.
Whether CISOs and other security leaders are brought into conversations at the outset all depends on the individual organization and culture and the industry you’re in, observes Randall Frietzsche, enterprise Chief Information Security Officer (CISO) at Denver Health. In his organization, it’s not an issue, he adds.
The “board and executive teams are very concerned about protecting patient information,” he says, “so they invest in cyber security leadership and they support our initiatives and give us money when we ask for it and support us when we want to do something that some organizations would say no to.”
Frietzsche eats and breathes risk management, which is not surprising given that healthcare is a highly regulated industry. When a digital initiative is being proposed, IT and security professionals “need to understand how to build that infrastructure … not only how to secure [data] as it sits, but also as it talks,” says Frietzsche. That means knowing who people are sharing data with, how the data is secured both in transmission and at rest, what legal agreements are needed to reduce risk and protect the organization and its customers, and what regulatory requirements are in place.
Bringing the cloud into the mix
As more digital transformation initiatives are deployed in enterprises, a big security risk continues to be a decidedly old-fashioned technology: passwords, Frietzsche notes, especially with so much data today residing in the public cloud. While an obsolete technology, passwords remain something we still rely on so much today, he says. And they are easily hackable.
“So we have to all learn about the different types of clouds and what you’re responsible for,” he says. For example, AWS will assume responsibility for the security of the cloud infrastructure, but the data you put in is your responsibility, “and sometimes, we don’t realize that, and we think ‘Oh, Amazon has security’ and now your stuff is out there, and it’s exposed.”
Cloud computing is the biggest risk, he stresses, because despite all the benefits it provides, “we’re transforming how we store and where we store” information.
“As we transform,” he adds, “we have to make sure we’re accounting for additional security problems that come with that and where we go wrong is making [security] onerous for users.”
This requires continuous threat intelligence on the part of security teams, Frietzsche says.
What he worries about pretty much hasn’t changed, whether it’s a digital initiative or day-to-day security concerns: it remains ransomware and email phishing attacks. “In the old days, hackers tried to break your firewall,” he says. “Today, they’re just phishing your users.”
Yet CISOs like Frietzsche know that digital transformation is an ongoing process in most organizations today, and it will likely continue as long as technology keeps evolving. For security professionals, it means staying hypervigilant.