Securing the Digital Transformation Part 2: Necessary Change to Secure the Digital Transformation

Jeremy Wittkop

05.10.2019

Now that digital transformation is better understood, we can start to look at necessary changes to people, processes, and technology in order to adapt to the new technology paradigm. It is important to remember that digital transformation is not something to be resisted but rather embraced. The first change that is necessary for security professionals is a change in mindset. Security teams should not be focused on saying “no” to the business, but rather focused on enabling the rapid deployment of transformational technology in a safe and secure manner.

Process – Securing Rapid Change

Just like their peers leading Digital Transformation initiatives, security teams must use new approaches to adapt and deploy solutions. Why? We live in an age where change is so rapid that every security program must evolve quickly in order to remain relevant. Now more than ever, security is a journey and not a destination. Therefore executives must think about data protection in smaller, rapid, ongoing development cycles instead of the occasional large, discrete project. We must safeguard sensitive information for the entire movie, not just during one snapshot in time.

(By the way, we will soon be unveiling an entirely new approach to data protection that will help you keep up. Data protection will no longer be an event but an ongoing process that continually reduces risks.)

In part 1, it was mentioned that many security leaders will not consider projects that do not have a clear return on investment. Security programs then must be examined through the same lens. For a long time, many have thought a security program’s Return on Investment (ROI) could not be measured at all. I strongly disagree. For the better part of a decade I’ve helped organizations quantify the business value of data protection. As business executives embrace Digital Transformation, however, any executive, including those working in security, will find it increasingly difficult to obtain resources for projects that do not show a quantifiable benefit to the business.

People – Changes for CISOs

Digital Transformation means even more adjustments for the Chief Information Security Officer (CISO), a position that’s changed significantly over the last ten years. Historically, many CISOs reported to CIOs, but along the Digital Transformation journey, many organizations have reconsidered the relationship.

Why? Facing immense pressure to make radical, transformational changes, there’s a risk the CIO will ignore security concerns and cut corners in pursuit of their goals. Concerns about the fox guarding the henhouse have caused some organizations to restructure in order to allow greater CISO independence. That way CISO’s can more objectively safeguard sensitive data by checking the safety of new technologies and practices from outside the CIO’s influence.

And in the words of Spider-Man, “With great power comes great responsibility.” CISO’s charged with this watchdog role during Digital Transformation must have business, in addition to technical skills. Greater independence necessitates this change since the CISO is suddenly accountable for managing a budget and crafting investment justifications. CISOs lacking business acumen should immediately begin broadening their skills.

Technology for Securing the Digital Transformation

Even before Digital Transformation grabbed headlines, perimeter-based security was on life support. Now that idea is officially dead.

In today’s distributed on-premises, cloud, hybrid and mobile computing environments, there’s no longer a perimeter to protect. Legacy technologies such as firewalls, IDS/IPS, and endpoint protection platforms simply don’t do enough. That’s because today the majority of data traffic moves outside the business network on devices the business doesn’t own. How can CISO’s be successful when it comes to Digital Transformation’s rapid advances?

I recommend dynamically identifying and classifying classifying data deemed sensitive or critical to the business and then building in protections to follow that data wherever it goes. Information Rights Management solutions separate sensitive from commodity data, then Data Loss Prevention and Data Classification, when paired with Cloud Access Security Brokers, make it all possible. For an extra layer of insider threat protection, I recommend deploying User and Entity Behavior Analytics as well.

Along with an organization’s shift to new technologies that enable Digital Transformation, investment in new security approaches must also occur. Firms invest much more in firewalls and endpoint protection platforms than can be justified in the era of Digital Transformation. Sticking to the past only creates more risk for the modern, digital business.

Conclusion

Today’s vague buzzword, Digital Transformation, in truth describes a path for established companies to compete more effectively in the customer-driven era. Along with it comes necessary changes to people, processes, and technologies, including adoption of agile development practices, credible financial justifications, and in many cases, an entirely new role for CISOs.

Digital Transformation means a healthy shift in security strategy, too. Gone is the outdated “castle doctrine” of perimeter-based security and replaced with protecting data wherever it’s created, stored, moved or accessed. In a sense, Digital Transformation may be the best thing that’s ever happened to our discipline. In this quickly evolving, mobile, hyper-connected world, we’re encouraged to focus on what information security was meant to be all along: protecting data and people, not devices and networks.