How Digital Transformation is Challenging Security

Digital transformation isn’t worth doing if it fails to disrupt business as usual. IDG research shows that nearly 90% of businesses plan to adopt a digital-first business strategy, though only 44% have reached that lofty goal. But not very much fuss has been raised about the downstream impact of digital initiatives on cyber security.

Yet, consider the traditional business network perimeter. The corporate network was behind a firewall and thought to be mostly secure while virtual private networks acted as a bridge to the outside world. But the processing that used to happen inside that fortified space is now mostly outside, thanks to IaaS Platforms such as AWS or Microsoft Azure, as well as SaaS, such as Office365, SalesForce, ServiceNow and countless other Cloud-based services. Managers today often prefer mobile apps to access corporate data or even to manage their enterprise activity from a mobile device rather than from a corporate-managed personal computer.

That’s a game changer for organizations and it’s a monumental challenge for most security teams. An organization today might decide to expand its operations into a new region of the world and rather than give IT a few months to set up a data center, it would be expected to virtualize your network and switch on new service in a day or two at most. And then you must defend this new digital outpost.

With digital transformation upending the traditional bounds of the enterprise, how are IT leaders grappling with the security challenges? The short answer is they’re overwhelmed. Just last year alone the average number of security breaches rose by 11 percent, according to Accenture and Ponemon Institute’s Ninth Annual Cost of Cybercrime Study. Hackers know that your available attack surface won’t be decreasing anytime soon.

Feeling Your Pain

On the whole, digital transformation promises to make organizations more customer focused, efficient and insightful. If the side effect is a bit of pain for the security team — should anyone lose sleep over this? Maybe not sleep, but here’s a few important considerations:

• Pain 1: Complexity- If you’re deploying old security tools, it’s going to be difficult to keep up with the pace of modern, agile environments. You either end up slowing down business growth or sidelining your career. Your competitors may already realize this. You must adapt to the increased complexity, and the reality that your perimeter stops being a ‘control point’ for applications, which could be located anywhere in the cloud.
• Pain 2: Security- Your organization is heading to the cloud because it’s key to its digital transformation plans, regardless of whether or not you take steps to improve security. If anything, expect management to say the priority is opening a new revenue stream – there’s no stopping that train. While you will certainly bake in security, the key is to avoid adding more vulnerabilities while you modernize your defenses.
• Pain 3: Costs- Has anyone baked the cost of higher security into the new digital business transformation plan? Unfortunately, you can’t float a plan stating that due to this increased complexity, you must employ 5x more IT specialists – then it won’t fly. The whole idea around digital transformation is it becomes accessible because it’s driving costs down.

Your Next Move

IT operations are experiencing a change we call ‘shift left’. When responsibility for business processes is placed in the hands of business unit engineering teams, that’s a shift from the days when a data center played host and the IT team deployed the app and managed access. Now, all of this responsibility may be decentralized, everything is software defined, and it works more effectively than before. Except, of course, that security responsibility also ‘shifts left’ — and must be baked into the development process.

This is the time to let go of the reactive approach to security that has been predominate in the traditional IT world, where organizations would think about how to secure apps late in the application deployment cycle. The shift-left approach, popularized in DevOps, effectively forces software testing much earlier in the software delivery lifecycle. In addition to reducing product defects, it serves as a force multiplier by giving application developers a familiar platform inside their existing processes to ensure the security of their deliverables, while processes are tied into it as well.

When you can embed security into your development process in an automated manner it greatly improves the business value of your SecOps operations. Once you have the tools that enable your developers to embed and automate the placement of security measures in business processes, you know that when you switch on a new app or a new data center, it’s already secure.

Unfortunately, organizations that fail to adopt new security tools or realign their thinking about mastering complexity will lose the alluring benefits of digital business transformation.