By 2020, 60 percent of enterprises will be implementing a digital transformation strategy as they seek to leverage technologies such as cloud and software-defined infrastructures. However, as they embark on a digitization journey, too many are ignoring security risks that could bite them back later.
Earlier this year, telecommunications giant AT&T developed a cybersecurity report based on interviews with 15 subject matter experts, including several (ISC)² members, to determine who holds responsibility for this transformation process. The report cautions organizations to be sure they evaluate and update their defense systems before implementing digitization plans. “Security models are changing as infrastructure goes virtual. If the number of cyberattacks in the news points to any one pattern, it’s that companies are grappling with how to secure their businesses from ‘edge-to-edge,’ across their endpoints, networks and cloud services,” the report says.
Some companies are taking a short-term approach to cybersecurity by overly relying on cyber insurance. “More than a quarter (28 percent) of organizations see cyber insurance as a substitute for cyber defense investment, rather than as one component of a multi-layered cybersecurity strategy.”
While cybersecurity can address the immediate impact of a breach, it cannot prevent long-term reputational damage. Instead, organizations should take a more balanced, comprehensive approach that includes layered security implementations and help from third parties where appropriate.
The report points out that U.S. companies are the least confident in their in-house security, according to the AT&T 2017 Global State of Cybersecurity survey, with 56 percent of U.S. respondents expressing confidence, compared to 70 percent in EMEA and 72 percent in APAC.
Properly planning for digital transformation requires several steps. The first is to gain an understanding of all security implications and then come up with a plan to address them. Organizations need a solid understanding of the security controls they have in place to determine if they are appropriate as their infrastructures evolve to include software-defined systems and Internet of Things (IoT) devices.
Then they should address whatever gaps they identify through a multi-layered security strategy and advanced security measures. For instance, it makes sense to virtualize security to replace simple firewalls with advanced web filtering and data loss prevention, the report suggests.
Another recommendation is to get buy-in not only from the top but also across the entire enterprise. For one thing, it’s important to recognize that the CFO is often the executive in charge of digital transformation, which means the CFO needs to be part of the team in charge of cybersecurity.
“This might seem counterintuitive for a technical project, but the CFO’s compliance and risk management responsibilities and their budget-allocation powers make them an obvious leader,” the report says. But because of the CFO’s “traditional lack of technical expertise,” the cybersecurity team also needs to include the CISO, CTO or whoever else is responsible for security.
To ensure everyone within the organization is invested in digital transformation and security, it makes sense to run training programs and workshops explaining how the new infrastructure will affect day-to-day operations. Cybersecurity awareness training should be ongoing, the report says.
The better a company’s employees understand security risks, the more likely they are to avoid doing something that could cause a breach. As companies become more reliant on digital and automated processes, this will become more important than ever.