Digital Transformation Shouldn’t Require a Security Transformation

It’s often asked, why can’t security innovate more?

The answer lies somewhere within the very nature of information security itself, how technology is developed, and how enterprises deploy the technology. Because hardware and software are designed, built, and deployed to solve pressing business problems. Most organizations don’t operate just to secure themselves: they deploy technology to get something done.

This is one of the main reasons why it’s so hard for any security innovation. Any real innovation that arose would have to be fitted within existing and widely deployed business-technology systems. So by its very nature, information security must contend with where organizations and the market live with the state of broader technology deployments. And security must be able to defend and respond within these constraints while also keeping up with broader technical innovations.

This information security dynamic has played itself out many times, such as the rise of distributed computing in the 1990s and the rush to protect the associated networks. Then eCommerce and the Web in the early 2000s. A decade later, the same happened with virtualization and the cloud. Today as enterprises accelerate their digital transformation efforts, it’s happening again: security teams find themselves trying to keep up with the dramatic and accelerating change in the environments they must secure.

And change is accelerating. According to research firm IDC, investments in digital transformation will total $6.8 trillion between 2020 and 2023 as enterprises continue to increase the scale of their digitalization efforts. IDC also estimates that at least 30% of enterprises will increase their digitalization efforts toward renovating or reinventing their business model this year. That’s more than just changing or upgrading technology: 30% of businesses will be dramatically altering or changing entirely how they make money.

The challenge for security professionals, of course, is to keep their organizations secured through the change. That’s no small ask, but it is attainable. While security teams don’t have to reinvent themselves or even transform themselves, they have to ensure that they can keep themselves aligned with the change. Based on my discussions with numerous CISOs within organizations undergoing digital transformations, there are at least four essentials that must be performed or maintained to succeed:

Access the current environment and its security posture. As enterprises reinvent themselves, not only do new applications emerge, but protected data finds itself shared within those new applications and managed on new systems and infrastructure. Security teams must continuously assess where within their networks, applications, cloud partners, and third-party partners, this data is being shared.

This is something security managers must not only gather from the IT team and application owners, but it’s something they must also go and find across network connections, network segments, servers, cloud services, remote locations, and endpoint devices that capture, manage, store or transmit protected data.

Once the assessment of the current state of the enterprise’s technology is complete, the security controls designed and in place to protect those systems and data from compromise must be evaluated. Teams have to take a hard, objective look at where they really stand today and identify where security is being done correctly and where it must be improved.

Build continuous monitoring capabilities. During this time of digital transformation, enterprise technology is constantly evolving. Whether that’s on-premises systems moving to the cloud, application teams increasingly embracing continuous delivery, applications being assembled from various microservices, or front-line business workers developing some of their applications with low code/no-code development platforms, there the amount of change is relentless. With environments moving so quickly, security teams are kidding themselves if they think they know what applications are in use at any given time and where all of the corporate data is hiding.

This is why security teams must monitor their environments for new applications and systems that arise and where their data is moving. They must look for new applications that manage data, new web apps that come online, new third-party service providers accessing the organization’s data. And they also need to monitor the changing nature of the threats that could be targeting their systems. And they need to monitor their systems for indications of compromise.

According to IDC, more organizations are seeking managed detection and response services for a handful of reasons. These include faster detection and response (66%), providing consistent threat management across on-premises and cloud domains (64%), access to threat intelligence (62%), accelerate time to detect security breaches through proactive threat hunting (59%), providing incident response capabilities (58%).

Build adequate response capabilities. One of the most surprising things today is how few organizations have an indecent response plan in place that is both tested and up to date. It’s impossible to respond effectively to any type of breach without a tested and proven incident response plan.

Without such capabilities, the result will be higher-cost breaches and successful attacks that are more devastating with longer response times and more complex forensic investigations. All of that leads to less confidence in information security from partners, suppliers, regulators, and customers. These are all constituents who need to know that organizations are doing everything they can to secure their organizations. If they do get breached, what steps are in place to detect and mitigate that breach, and how customers are helped when such a breach occurs.

There is no way organizations can have everything they need to identify, investigate, respond to, and mitigate the damage of successful breaches without having an adequate plan in place. But they need to have such a plan in place, and unfortunately, the response is one of those areas where many medium and even large businesses don’t have the response abilities they need in place. This is an unfortunate oversight because the ability to respond quickly can stop ransomware attacks from getting too far out of control, or system downtime can be significantly reduced, as can the amount of data exposed.

It’s a simple equation: The more quickly enterprises can identify and respond to breaches, the more It and security teams can mitigate damages.

Constantly reevaluate your security posture. Finally, as new technologies are deployed, whether new mobile apps, IoT devices, new remote offices, and new customer web portals, it’s critical that those applications and initiatives be threat modeled and evaluated for risk. How could these initiatives affect the risk posture of the organization? How are data newly exposed? What types of attackers may try to breach those services and why? How are the risks mitigated? Is the application secure and free of software defects?

While it’s challenging, if not impossible in some ways, for security to innovate in ways enterprises can immediately adapt, it’s much more achievable for protection to position itself to keep pace with the tremendous changes underway in both business and the technology — and help keep the organization secure as it does the transformation it needs to perform to compete successfully.