In January, a Frost & Sullivan study revealed that 60 percent of retailers had put their digital transformation programs on hold due to fear of cyberattacks.
According to that same study, 56 percent of those organizations had either experienced a security incident (27%) or were not sure if they had even had a security incident as they hadn’t checked (29%).
A delay in digital transformation driven by security concerns is a major barrier to market success and competitive strength, so we brought together experts from the SDLC Partners digital transformation solutions team and our sister cybersecurity company, CyLumena, which we founded in 2017.
Ryan King, VP of Services at SDLC Partners, and Chris Hart, Director of Cybersecurity at CyLumena, came together to discuss this concerning trend and what every organization should do to stay the course on digital transformation and build a robust cybersecurity program that enables innovation rather than stifling it.
Q: Related to digital transformation, what do you both see as the most relevant issues that organizations should be addressing now?
Ryan: Related to transformation, some think that they have to reinvent the wheel, but they shouldn’t. What is your digital vision and strategy? Transforming shouldn’t mean that we move away from best practices. Transformation really means looking at your enterprise from a digital angle: different market angles, changing the nature of your value chain, disintermediating the expensive parts or plugging in new parts.
Each digital goal has a specific security overlay related to it. Once you understand where you’re going, you can get a clear picture of the security needs that marry with your digital design.
Chris: Agreed. Any organization that embarks on a real digital transformation (not just point updates) is looking at revolutionizing the tech sphere or leapfrogging to the next generation of technology. If the organization doesn’t have a solid software development lifecycle that takes information security into account, with the appropriate controls and hygiene, it will run into problems that delay or eliminate its projects.
Many organizations have a great vision but aren’t clear on the scope and security dependencies of a wholesale update or upgrade in IT, operations, HR, or finance. Many times, it’s a lot more complex than originally envisioned.
Ryan: I think it’s important to define what real digital transformation is for your organization, and to create a clear idea of what’s changing the enterprise at scale through planning multiple scenarios. Look beyond tech, the market, or other one-dimensional views. Ensure your plans address business sustainability and security.
One issue is that many approach transformation reactively, once the tech is out in the world and people are using it in different ways. Starting with a prescriptive, multi-factor view of security and transformation together yields a more comprehensive view of the opportunities and risks to be addressed.
Q: Related to cybersecurity, what do you both see as the most relevant issues that organizations should be addressing now?
Ryan: There’s a tension: IT folks are reticent to change things because it’s risky and means a possible loss of control, and the development army wants to break (aka transform) everything. They’re both right. Yet a lifecycle approach can satisfy both aims: progressively drive for change while ensuring the technology is scalable, secure, and productive. I use a baseline for change. I know the chain of connections I’m creating, and I am clear about the risks and controls that we need to build into our development process.
Chris: We must be deliberate. Lots of leaders see something on NBC and want to move in that tech direction. But it’s a better approach to use a methodology to make that shift happen smoothly and with intention.
More often than not, security concerns related to digital transformation come from the thought that “we don’t have our ducks in a row.” Of course, no one wants to lead a transformation that will get their organization written up in the WSJ for a major breach. A strategy-first approach to digital transformation takes data security into account from the first meeting.
Ryan: I think it comes down to how organizations can have a complete vision but also a path to grow incrementally toward that vision in a way that’s secure, effective, and scalable.
Q: How should organizations approach this marriage of digital transformation with information security?
Chris: It used to be that application security was a gate review at the end of a PMO, but the world has changed dramatically. Consumerization of IT within the org, like personal phones and VPNs for working from anywhere, has stretched the boundaries. Security controls should be built into the requirements phase so that, as you transition from business requirements to tech requirements, you’re addressing the specific needs of data privacy and security.
Ryan: The big story is that all core technology and systems used to be built into the tech, like claims systems and banking systems. They were in a self-contained world. But now I have a “piece of glass,” and behind it I have a lot of fungible processes. That requires a new view of security.
Chris: It’s obvious that IT has become a much more complicated, business-integral endeavor. The number of companies, queries, and connections needed to execute a seamless experience requires a thoughtful, strategic view of data, tech, systems, processes, and security.
Ryan: From a services perspective, most companies are running data services. But when you talk about an API economy, it’s a business event and anyone can consume it. We have to remember that transformation is not driven by the API but by the user. Our security controls must start there.
Q: What advice do you both have for organizations that are holding their digital transformation back due to data security concerns?
Ryan: I would say that the number one need is to have a formal cloud strategy and an inventory of how you and your partners are using the cloud. It’s the biggest blind spot tripping up companies, especially from a data security perspective.
Chris: People look at the big movement of IT to the cloud. They think, “we’re just moving boxes.” But it’s much more than that: the native fabric (microservices) of a cloud is functionally very different. SLAs for security can vary widely based on many factors.
If the project is already delayed due to security, I would suggest that an organization look to retrofit the right tech that can enable the digital transformation with an adequate strategy, rather than bolt on solutions after risks pop up or when regulators come after you.
As we said earlier, build security into the lifecycle fabric from the beginning.
Ryan: Some CIOs decree, “We’re not doing cloud!” But what they don’t consider is that their partners are already using the cloud. You’re already part of the cloud whether you realize it or not. Their breach is your breach.
Q: How can an organization feel more confident about creating secure, scalable digital products and experiences for their consumers?
Chris: Understand your security maturity. Have a clear view of how to become a really good security organization. Security enables the business to do what you want to do, things you couldn’t do without security. Good infosec controls enable a good business strategy.
We hear lots about fear, but look at how much technology has revolutionized life in the last 3-5 years. Most of that digital transformation is reasonably safe and protected. There’s so much positive change and possibility within a reasonable level of security risk.
Ryan: In general, growing pains come with digital transformation in a modern data security ecosystem. You never want fear driving your business.
Lastly, I’d say that you must accept risk and build failure into the system. What does failure mean, and how can you do all that you can to take control? Certainly, fear won’t stop your competitors!
If you have a specific digital or security question for Ryan or Chris, contact us at firstname.lastname@example.org or call 412.251.0848.