Digital Transformation Must Start with Security
By Ed Moyle, Director-Thought Leadership & Research, ISACA
I’ll confess that I was initially skeptical when I first heard about digital transformation as a new trend. It seemed to me like a given: show me a company that hasn’t transformed because of technology and I’ll show you a company that’s either out of business or on its way to becoming so. For example, can you imagine a company that doesn’t use email or computers? It’s possible that one or two niche companies like this still exist, but for the most part, the workplaces of today would be literally unrecognizable (because of technology) from the workplaces of just a few decades ago. When viewed that way, discussion about the importance of digital transformation seemed akin to two employees of an online bookseller advocating the virtues of the Gutenberg printing press: not only is it obvious given the circumstances, but the conversation itself seems like a solid waste of time.
As I started to learn more about the “digital transformation” trend though, I started to understand that it’s not about how organizations transform (i.e. when, if, or the specific mechanics of doing so) but instead it refers to a shift in mindset in which organizations embrace a willingness to adapt–where they employ technology rapidly, flexibly, and make changes to incorporate it on a continuous basis. Under this model, technology is not static or incorporated piecemeal; it’s instead an evolving, changing, adaptable fabric that’s continually evolving. From that angle, the hype makes a lot more sense–it also changes how we manage it.
Why security matters for transformation
There are a few implications of this shift that aren’t immediately obvious, but are absolutely critical to success. First among them is security. Not only must security be viewed differently, it also must be practiced differently: under a model of continuous adaptation, security itself needs to be flexible and continuous. This bears saying because many of the legacy models we have for governing and securing technology are neither.
For example, consider a risk management process that starts with annual review of an environment.
The mindset of security teams must change to incorporate flexibility and adaptability
How useful is that when new technologies are introduced on a continuous basis? If this year’s environment is unrecognizable from last year’s (because of the pace at which the underlying environment adapts), an annual review cycle just won’t cut it. New models must instead be introduced to ensure that the same goals are met (i.e. systematic and workman-like analysis and mitigation of risk) in a way compatible with the new mindset.
While that might seem obvious to some, it bears saying explicitly for two reasons: first, because it will take a bit of legwork to get existing security teams (and individual practitioners) to embrace that, and second because the specific mechanisms of security will require modification to support the new paradigm.
Specifically, the mindset of security teams must change to incorporate flexibility and adaptability. While this is certainly doable, it can be a larger “ask” from a security team than it might seem on the surface. Why? Because answering the question “Is something safe to operate?” is harder (requiring more research and supporting data) than answering “How do I use it?”
As an example of what I mean, consider an automobile. What do you need to know to operate a car? At a minimum you need to know how to drive (e.g., how to steer and operate the brakes) and the rules of the road. Compare that to the data you need to answer, “Is this particular car safe to operate?” To answer that question, you need to know the rules of the road and the basics of driving, but in addition you also need to know a bunch of other information as well: the vehicle’s maintenance history, the status of safety mechanisms (seatbelts, airbags, anti-lock brakes), the weather conditions in which it will be driven, the route that the driver will take, the tire pressure, the condition of the brake pads, along with a whole host of other details too numerous to list individually.
The bottom line is that some security teams will (perhaps justifiably) find the digital transformation mindset daunting. This doesn’t mean that they can’t or won’t come around, but it does mean that for them to do their job well, they’ll need to work in lock-step with business teams and technology partners to be maximally efficient in how they spend their time. It may also mean that the organization might choose to bolster the resources spent in this area to help bolster this internal skill set.
In addition, the mechanics of how security is implemented will likely need some refinement as well. There are absolute strategies that are advantageous for the implementation of security under this paradigm: for example, intelligence-driven strategies that rely on a solid and workman-like understanding of the threat environment (i.e. attacker motivation and tradecraft) and that marry that to detailed knowledge of internal business processes. Techniques like active defense that use attackers’ actions against them to assist in attribution or to divert their attention from high value targets.
The key to harnessing these techniques isn’t rocket science. It starts with setting the expectation with internal security resources about the need for creativity. By explaining to them– candidly and openly–about the changing expectations, their role in the transformation process, and the “new normal”. Note that it is about getting them to espouse any particular approach to securing the environment; each environment is different, so there are a near-infinite array of strategies that could be employed (the most appropriate of which will vary according to organization-specific factors). Instead, the goal is to make sure that those tasked with securing the environment in the organization are kept in the loop, and understand what is expected of them, so that they can support you.