This article exploring the relationship between digital transformation and security starts by noting that, historically, when digital transformation took hold within organizations as they adopted agile practices and DevOps, “security considerations were left behind”. I have a different take. I’d argue that security considerations were being ineffectively addressed from the outside, rather than the inside. The realizations that came with such methodologies (shifting left, you build it / you run it) grew from the narrow focus on development and its direct dependencies of infrastructure and delivery. However, the discipline of security was not viewed as a critical dependency, and it was siloed from this upswell. Security was classically seen as a drag on the business, whose sights were now set on speed. This rift is what bred the operational dysfunction that allowed many breaches to occur.
The author details the necessity and challenges for security teams to transform to better align with the business and, comically, how security can move from the “Office of No” to a pattern of secure enablement. As I like to say, security does not exist for its own sake — it exists to support the business. If security is needlessly suppressing business innovation and revenue opportunities in the process, security has fundamentally failed.
I completely agree with the premise that security teams need to transform in ways that allow them to adopt the mantras of “agility, flexibility and rapid decision-making,” but this certainly isn’t easy. While DevOps teams can fail-fast with their development and innovation processes, failing with security is simply not an option.
Two years ago, digital transformations had kicked into high gear, with new processes and product development moving ahead at breakneck speed. As IT and business fast-tracked initiatives like agile and DevOps to improve speed to market, security considerations were often left in the dust. At the time, Gartner predicted that 60% of digital businesses would suffer major service failures by 2020 due to the inability of security teams to manage digital risk.
High-profile security lapses ensued as expected, although it’s hard to pinpoint that digital projects were the leading cause. “Regardless of whether highly publicized breaches were directly linked to digital transformation, they got business leaders thinking again about risk and solutions that minimize risk,” says Pete Lindstrom, vice president of security research at IDC.
Today, some 79% of global executives rank cyber attacks and threats as one of their organization’s highest risk management priorities in 2020, according to a Marsh & McLennan survey of 1,500 executives. Overall, security’s role in digital transformation has improved both in awareness and involvement in earlier stages of the design process, but CISOs are still grappling with visibility into the breadth of projects in their ecosystems.
Security’s challenge: keeping pace
IT decision-makers are not only including cybersecurity among their top considerations when it comes to digital transformation, but it is also their second biggest investment priority (35%), just below the cloud (37%), according to a recent Altimeter survey. Investments in transformative technologies can be meaningless if they can’t protect the business, its customers or other vital assets, and the complexity and speed of development continues to challenge even the largest security operations.
“The battle being fought is moving faster than our decision cycle. If you’re moving slower, then you’re irrelevant from a leadership perspective,” says Dr. Abel Sanchez, executive director and research scientist at the Massachusetts Institute of Technology’s Laboratory for Manufacturing and Productivity. Agility, flexibility and rapid decision-making are required in security, as well as in development, he adds.
At global energy solutions company Schneider Electric, cybersecurity is at the center of its transformation strategy. Global CISO Christophe Blassiau grappled with gaining visibility of the entire organization due to complex combinations of acquisitions and the many different activities of the company – from R&D to supply chain to services. IT and operational technology (OT) integration also brings new connectivity, data sources and potential vulnerabilities that need protecting, and his team must connect the dots between the company’s security and its ecosystem of partners and vendors.
“We didn’t have the right level of ownership or aptitude everywhere, so we started by designing and organizing the new governance set up across the company,” Blassiau says. “I didn’t want to grow bigger teams because you give the impression that it will be fixed by someone else. Here, security is everyone’s responsibility.”
Instead, Schneider took a dual approach to cyber, creating a digital cybersecurity practice and embedding cyber professionals (digital risk managers and regional CISOs) in each practice and throughout the company to create a community of cyber leaders who are trained and focused on specific cyber risks. The move gave Blassiau “a sense of control in the digital space. There is a cyber leader reporting to every digital practice executive leader and reporting to me,” he says.
Security teams must transform, too
The challenge for security teams remains how to add security at the speed of digital transformation and ensure that security spans every new internal digital process and external product developed or internet opportunity created. Much of the solution comes down to the culture of the IT and security departments, Sanchez says. “Security teams have to go through a transformation, as well.” It’s not easy, he cautions, and many workers must be willing to learn new skills to be able to interact with the business organization.
Some of it can be accomplished through reorganization, Sanchez says. Testers in many practices, for example, are disappearing, and testing is now done by software engineers. “Who knows better how to secure this product than the one who created it?” The same can be done with other areas of development, he adds.
“You may also need different talent, or the talent that you have needs to change. You may lose a bunch of people, but they need to fit. You need that type of person that can do the innovation and introduce it,” Sanchez says. “The world is just moving too fast.”
The good news is that security teams as a whole are becoming more approachable and part of the business, leading to better relationships, says Matt Handler, CEO of Security for the Americas at NTT, a large global consultancy and managed security services provider that offers digital transformation services.
“Security teams are learning that they can’t be the ‘Office of No’ all the time. They have to be agile, flexible and be seen as an enabler instead of a blocker,” Handler says. “This just happened in the last year or so.”
The CISO must evolve, too, and take on the role of internal advisor and collaborator to the departments that are deploying the applications or new technologies, Handler adds. “Instead of no, say ‘let’s see how can we do this as fast as possible and do it safely.’ That phrase alone, I think, changes the game for a CISO.”
Baking security in
CISOs have been touting for years that security needs to be inserted at the very beginning of the design process. Now, thanks to more nimble and dynamic components, this is easier to achieve. “With cloud in particular,” and the built-in security features that can be utilized, “we can play with that to address risks,” Lindstrom says, “and we’re working up the stack more – away from network and host-based security – to application, to data layer security, and identity kinds of things.”
In addition, investors are predicting that cybersecurity companies that use machine learning are likely to stand out in 2020, as the number of niche cybersecurity vendors consolidates, although they will face a high level of scrutiny around precisely what they claim their technology can do. Companies with large pools of security data could combine algorithms, analytics and machine learning to identify and react to threats at lightning speed – almost as quickly as they’re occurring. Machines can only be as good as the humans that curate them – and as good as the data they’re pattern-matching against, which will take time.
“From a CISO’s perspective, if you’re able to provide security at speed and help the business still achieve their milestones and goals, and security is baked into the process from the beginning, then you’ve got a home run. But that’s definitely a future state,” Handler says.
Are we there yet?
When it comes to cybersecurity in digital transformations, Sanchez says that more organizations are “past the middle.” They’ve gone through the process of automation, and they’re starting to look to AI and predictive modeling.
“We are on the right track, but that doesn’t mean there won’t be compromises” in the meantime, Sanchez says. “Just like software development across the board had not been integrated (before digital transformation) and now it is, the same is true for security. All of these have to come together now. It just takes time.”