Securing the Digital Transformation Part 1: Defining Digital Transformation
By: Jeremy Wittkop
If you’re like me, hundreds of “Digital Transformation” marketing emails fill your inbox every week from vendors pitching their products and services as “transformative.”
I thought I understood the trend’s overall benefits after reading extensive research from sources such as the International Monetary Fund and the World Economic Forum. But countless vendors have since associated their offerings with the concept, and I found I had lost track of what the term actually meant. I’m probably not alone and the definition of “Digital Transformation” likely remains unclear for many.
So I set out to understand the idea a little differently—through the lens of a security professional intent on perceiving it in less conceptual and more practical terms. A better understanding of the trend makes it possible to protect an organization’s most sensitive information throughout the transformation. I’ll share what I’ve learned below, including the fact that Digital Transformation in the end prompts a healthy shift in security strategy.
What is Digital Transformation?
First, what is digital transformation? Through this journey, I found many people who told me they knew what it was, but their definitions of it were wildly different. How can that be if they all understand it? In my experience, while most people understand digital transformation as a concept, it can be expansive and difficult to define.
This led to the first problem. How can we effectively communicate something if we don’t agree on what it is? We can’t! And how is transformation possible when the end state we seek is hazy?
Not only does a lack of clarity limit an organization’s successful change, in my opinion it also weakens an organization’s security posture. The two depend on each other, and I believe as security professionals we must always reduce ambiguity in order to protect our organization’s most sensitive information.
So I set out to understand the term “Digital Transformation” from a people, process, and technology perspective. I will share what I’ve learned in part 1. Once that was clear, it seemed easier to ensure our security practices can keep pace with this phenomenon, which will be outlined in part 2.
Big, Ambitious, Expansive Definitions
It turns out even the experts muddy the concept. I’ve chosen a few favorite sources that helped me distill a clearer meaning.
The European Union’s I-Scoop defines the term as:
“The profound transformation of business and organizational activities, processes, competencies and models to fully leverage the changes and opportunities of a mix of digital technologies and their accelerating impact across society in a strategic and prioritized way, with present and future shifts in mind.”
That pretty much describes anything that consumes electricity. I-Scoop’s statement and supporting narrative go well beyond business applications and discuss how Japan is using digital transformation for societal benefit. The group’s intentions are honorable, but they don’t lead to a useful definition.
The second source is a little more business-centric. The Enterprisers Project defines digital transformation as:
“The integration of digital technology into all areas of a business, fundamentally changing how you operate and deliver value to customers. It’s also a cultural change that requires organizations to continually challenge the status quo, experiment, and get comfortable with failure.”
OK, that’s a little better. This version scopes the definition more narrowly than the entire planet or society as a whole, but it’s still too broad, referencing all aspects of a business. What both sources have in common is the idea that this is a big, transformational change driven by technology, and that it requires a change in thinking as well as a change in operations.
The third source I consulted is one I rely upon frequently, CIO Magazine. Rather than invent their own definition, they quote an authority on the subject: George Westerman, principal research scientist with MIT Sloan Initiative on the Digital Economy. He says:
“Digital transformation marks a radical rethinking of how an organization uses technology, people and processes to radically change business performance.”
His explanation is the most specific, calling out digital transformation as a change in how people, processes, and technologies combine to provide business value. He best summarizes the fact that organizations must undertake their digital transformations with a wary eye on market disruption. Now more than ever, established companies face significant risk that new, digitally native competitors can quickly arrive and put them out of business. Customers today demand more, and firms that can’t adapt won’t survive.
With a better definition in hand, let’s look closely at how businesses are changing people, processes, and technologies to optimize their operations and better engage customers. Then we’ll examine the security program changes that must accompany these initiatives in part 2.
Process – Speed, Agility, ROI
A very important shift associated with Digital Transformation is the widespread use of “agile” rather than traditional “waterfall” development processes. In fact, the two seem inextricably linked.
Digital Transformation articles commonly reference user stories, sprints, and continual evaluation, essential agile methodologies. Experts write that traditional waterfall methods are simply too slow to react to changes in the marketplace. And since rising customer expectations are driving businesses to achieve results even faster, traditional hierarchical decision making and approvals associated with waterfall development projects are also being replaced. Now agile teams make decisions much more quickly thanks to customer input during each development sprint.
The need for speed and agility also gives rise to use of another core agile practice: Minimum Viable Products. Rather than wait to deploy robust digital solutions that meet every conceivable use case, firms using agile methods introduce basic capabilities quickly and enhance them as they go. The MVP philosophy to get to market quickly and iterate after the fact forces companies to streamline processes and eliminate unnecessary or wasteful activities.
Another important shift taking place with Digital Transformations is the trending requirement to show the economic value that comes from the change. In fact, many technology leaders refuse to consider new projects if their value cannot be quantified. This is a significant change in thinking, and one security leaders should pay attention to.
People—Responsibility, Learning, Change
Most experts agree Digital Transformation is so impactful that it should be directed top-down by the CEO and the board of directors. In reality, however, the CIO is often charged with implementing the initiative. Often CIOs must create new roles to help manage these projects, such as an initiative leader or a Chief Technology Officer to evaluate the technologies needed to transform business operations. And hiring isn’t limited to IT. Once the firm makes changes, people must support, maintain and enhance the new solutions.
In order to perform their essential functions in the transformed organization, many employees will need to be retrained. Often there is a shortage of talent, which makes it hard for organizations to hire specialists to operate the new processes and technologies developed as part of the initiative. Some employees will embrace the challenge and the opportunity to develop new, more marketable skills. Others will become disgruntled and could even become insider threats. Therefore, leaders must effectively manage the people-related risks during the transition.
Fortunately during this era of unprecedented change, firms such as Prosci, experts in organizational change management, can address this foundational element. Their ADKAR model, which stands for Awareness, Desire, Knowledge, Ability and Reinforcement, defines the phases each employee must pass through in order to adapt successfully.
Technology—the Sky’s the Limit
A staggering array of technologies can potentially play a role in Digital Transformation, which is precisely why securing data along the way is so difficult. Technologies that don’t even exist today will become part of tomorrow’s computing ecosystem, so teams must embrace and evaluate emerging technologies quickly. While it’s difficult to predict specifically what happens next, here is a list of sample technologies currently part of many Digital Transformation initiatives:
· Software as a Service
· Public Cloud Infrastructure
· Mobile Applications
· Connected Technology (IoT)
· Wearable technology
· Artificial Intelligence Driven Solutions
· Machine Learning Models
· Autonomous Vehicles
· Virtual and Augmented Reality
This list is in no way exhaustive, but it shows the challenges facing traditional security paradigms. In the upcoming part 2 of this blog, we will explore changes security programs must make in order to secure the digital transformation.