Curator's note:
This article is about the relationship between digital transformation and security. At the outset it is stated that, until now, companies undergoing a digital transformation with agile workflows and DevOps have "put security concerns on the back burner." I see it differently. In my opinion, security concerns were addressed ineffectively from the outside rather than from the inside. The lessons learned from such approaches (addressing things early, building and operating them yourself) came from a narrow focus on development and its direct dependencies on infrastructure and deployment. Security, however, was not treated as a critical dependency and was isolated from this upswing. Security was classically regarded as a brake on the business, and the business focus was now on high speed. This gap has led to the operational dysfunctions through which numerous data breaches have occurred.
The author explains that security teams must adapt better to the business aspects of the company, and what challenges have to be overcome in doing so. And, oddly enough, also how security can manage the shift from the "continuous no" to security-conscious enablement. I always say that security does not exist simply for its own sake, but serves to support the business. If security unnecessarily suppresses business innovation, and with it revenue opportunities, it has failed in a fundamental way.
I agree with the premise that security teams must change in a way that allows them to follow the principles of "agility, flexibility and rapid decision-making," but that is by no means easy. DevOps teams can fail with their development and innovation processes and quickly move on to something else. In security, on the other hand, there can quite simply be no failure.
Two years ago, digital transformations had kicked into high gear, with new processes and product development moving ahead at breakneck speed. As IT and business fast-tracked initiatives like agile and DevOps to improve speed to market, security considerations were often left in the dust. At the time, Gartner predicted that 60% of digital businesses would suffer major service failures by 2020 due to the inability of security teams to manage digital risk.
High-profile security lapses ensued as expected, although it’s hard to pinpoint that digital projects were the leading cause. “Regardless of whether highly publicized breaches were directly linked to digital transformation, they got business leaders thinking again about risk and solutions that minimize risk,” says Pete Lindstrom, vice president of security research at IDC.
Today, some 79% of global executives rank cyber attacks and threats as one of their organization’s highest risk management priorities in 2020, according to a Marsh & McLennan survey of 1,500 executives. Overall, security’s role in digital transformation has improved both in awareness and involvement in earlier stages of the design process, but CISOs are still grappling with visibility into the breadth of projects in their ecosystems.
Security’s challenge: keeping pace
IT decision-makers are not only including cybersecurity among their top considerations when it comes to digital transformation, but it is also their second biggest investment priority (35%), just below the cloud (37%), according to a recent Altimeter survey. Investments in transformative technologies can be meaningless if they can’t protect the business, its customers or other vital assets, and the complexity and speed of development continues to challenge even the largest security operations.
“The battle being fought is moving faster than our decision cycle. If you’re moving slower, then you’re irrelevant from a leadership perspective,” says Dr. Abel Sanchez, executive director and research scientist at the Massachusetts Institute of Technology’s Laboratory for Manufacturing and Productivity. Agility, flexibility and rapid decision-making are required in security, as well as in development, he adds.
At global energy solutions company Schneider Electric, cybersecurity is at the center of its transformation strategy. Global CISO Christophe Blassiau grappled with gaining visibility of the entire organization due to complex combinations of acquisitions and the many different activities of the company – from R&D to supply chain to services. IT and operational technology (OT) integration also brings new connectivity, data sources and potential vulnerabilities that need protecting, and his team must connect the dots between the company’s security and its ecosystem of partners and vendors.
“We didn’t have the right level of ownership or aptitude everywhere, so we started by designing and organizing the new governance set up across the company,” Blassiau says. “I didn’t want to grow bigger teams because you give the impression that it will be fixed by someone else. Here, security is everyone’s responsibility.”
Instead, Schneider took a dual approach to cyber, creating a digital cybersecurity practice and embedding cyber professionals (digital risk managers and regional CISOs) in each practice and throughout the company to create a community of cyber leaders who are trained and focused on specific cyber risks. The move gave Blassiau “a sense of control in the digital space. There is a cyber leader reporting to every digital practice executive leader and reporting to me,” he says.
Security teams must transform, too
The challenge for security teams remains how to add security at the speed of digital transformation and ensure that security spans every new internal digital process and external product developed or internet opportunity created. Much of the solution comes down to the culture of the IT and security departments, Sanchez says. “Security teams have to go through a transformation, as well.” It’s not easy, he cautions, and many workers must be willing to learn new skills to be able to interact with the business organization.
Some of it can be accomplished through reorganization, Sanchez says. Testers in many practices, for example, are disappearing, and testing is now done by software engineers. “Who knows better how to secure this product than the one who created it?” The same can be done with other areas of development, he adds.
“You may also need different talent, or the talent that you have needs to change. You may lose a bunch of people, but they need to fit. You need that type of person that can do the innovation and introduce it,” Sanchez says. “The world is just moving too fast.”
The good news is that security teams as a whole are becoming more approachable and part of the business, leading to better relationships, says Matt Handler, CEO of Security for the Americas at NTT, a large global consultancy and managed security services provider that offers digital transformation services.
“Security teams are learning that they can’t be the ‘Office of No’ all the time. They have to be agile, flexible and be seen as an enabler instead of a blocker,” Handler says. “This just happened in the last year or so.”
The CISO must evolve, too, and take on the role of internal advisor and collaborator to the departments that are deploying the applications or new technologies, Handler adds. “Instead of no, say ‘let’s see how can we do this as fast as possible and do it safely.’ That phrase alone, I think, changes the game for a CISO.”
Baking security in
CISOs have been touting for years that security needs to be inserted at the very beginning of the design process. Now, thanks to more nimble and dynamic components, this is easier to achieve. “With cloud in particular,” and the built-in security features that can be utilized, “we can play with that to address risks,” Lindstrom says, “and we’re working up the stack more – away from network and host-based security – to application, to data layer security, and identity kinds of things.”
In addition, investors are predicting that cybersecurity companies that use machine learning are likely to stand out in 2020, as the number of niche cybersecurity vendors consolidates, although they will face a high level of scrutiny around precisely what they claim their technology can do. Companies with large pools of security data could combine algorithms, analytics and machine learning to identify and react to threats at lightning speed – almost as quickly as they’re occurring. Machines can only be as good as the humans that curate them – and as good as the data they’re pattern-matching against, which will take time.
“From a CISO’s perspective, if you’re able to provide security at speed and help the business still achieve their milestones and goals, and security is baked into the process from the beginning, then you’ve got a homerun. But that’s definitely a future state,” Handler says.
Are we there yet?
When it comes to cybersecurity in digital transformations, Sanchez says that more organizations are “past the middle.” They’ve gone through the process of automation, and they’re starting to look to AI and predictive modeling.
“We are on the right track, but that doesn’t mean there won’t be compromises” in the meantime, Sanchez says. “Just like software development across the board had not been integrated (before digital transformation) and now it is, the same is true for security. All of these have to come together now. It just takes time.”