Getting Digital Transformation Right: The Fundamental Three

Emerging technologies – such as machine learning, artificial intelligence (AI), blockchain, Internet of Things (IoT), augmented reality, and 3-D printing – are swiftly disrupting several industries. To paraphrase Klaus Schwab, co-founder of the World Economic Forum, these mind-boggling innovations are redefining humanity, pushing the thresholds of lifespan, health, cognition, and capabilities in ways previously considered to be preserves of science fiction.

The possibilities presented by digital transformation are indeed captivating. The uses are as varied as the organizations putting them to use. Sensors attached to jet engines are transmitting signals mid-flight, enabling airlines to promptly detect sub-optimal performance and conduct pre-emptive maintenance, boosting safety and minimizing downtime. Physicians are replicating flesh and bones using 3-D technology to simulate high-risk surgical operations, lifting patients’ confidence and shortening their anaesthesia durations. Meanwhile blockchain – an open source, distributed ledger of everything – is being used to develop self-executing contracts, eliminating record labels and enabling artists to interact directly with consumers, maximizing their ingenuity rewards.

The benefits of digital transformation are unquestionable, but enterprises must manage these programs carefully. Here are three key recommendations:

Drive cultural change
Digital transformation transcends IT – it’s an enterprise-wide matter that requires unwavering commitment from the C-suite to front-line staff. To succeed, enterprises must place cultural change, not technology, at the core of their strategies. This requires eliminating unnecessary barriers to innovation, agility and change that exist within organizations, including breaking down functional silos and revising bureaucratic governance structures. As Jeffrey R. Immelt, CEO of General Electric, said, “You can’t have a transformation without revamping the culture and the established ways of doing things.”

Leadership from the top is essential to establish vision, institute appropriate governance structures and drive cultural change during any major change, and digital transformation is no exception. Executive messages must be clear and consistent, persuading employees that creating a nimbler enterprise that can swiftly respond to market needs is an existential matter; status quo is untenable. This fosters an environment of trust and spurs employee engagement, prerequisites for success.

On the contrary, inconsistent messages fuel doubts, forcing employees to work in silos and resent change. This risk looms large when transformation is perceived as a threat to people’s jobs. Consistent with this view, the majority of respondents to the ISACA’s Digital Transformation Barometer rated AI and public cloud as top candidates to face organizational resistance. While initial reservations about public cloud are waning, migration efforts and radical process changes can pose such organizational challenges.

Embed security
In the race to keep up with competitors, enterprises often have a disproportionate emphasis on the pace of transformation. Often, security and infrastructure considerations are afterthoughts, but such missteps can have lasting business repercussions.

Emerging technologies are exerting enormous pressure on traditional security models. For instance, billions of IoT devices with glaring vulnerabilities are integrating with critical infrastructure, creating numerous backdoors for malefactors to exploit. Cloud is enabling employees to bypass IT governance processes and export volumes of sensitive data to unsanctioned environments, aggravating the enduring shadow IT problem. At the same time, location-based applications collect troves of personal data, raising safety and privacy concerns. Each emerging technology presents new security issues, many of which have not been sufficiently evaluated nor understood.

To thrive, businesses need to make security an inescapable facet of digital transformation programs, considering implications early during business case evaluations. Enterprises also must have a nuanced understanding of each technology, carefully balancing pace of adoption, security and convenience.  Traditional one-size-fits-all models don’t cut it anymore. Securing an implanted cardiac pacemaker that can resuscitate a faltering heart, for example, requires more rigor when compared to securing a wearable device that tracks steps.

As this revolution unfolds, several jurisdictions are also tightening privacy laws. For instance, the EU’s General Data Protection Regulation (GDPR) will impose fines up to $20M EUR or up to 4% of the annual worldwide turnover, whichever is greater. Businesses must have a strong grasp of applicable privacy laws to ensure compliance and retain customers’ trust.

Consider the impact of legacy applications
As digitization gains pace, several enterprises are finding themselves saddled by jumbles of complex, aged and proprietary applications, referred to as “legacy spaghetti.” Several of these decades-old digital workhorses have developed a reputation for reliability and still underpin vital operations. But they can also be daunting obstacles to digital transformation. Specifically, they are not designed to handle the flexibility, speed and performance demanded by today’s digital enterprise. Furthermore, they don’t have well-defined interfaces, sufficient documentation and available subject matter experts.

To manage this risk, business leaders should ask the following questions:

  • Which legacy applications can be cost-effectively modernized as part of the transformation program?
  • Which applications must remain untouched to mitigate risks to the stability of core operations?
  • Which skillsets are required to seamlessly integrate novel applications with existing infrastructure and support mission-critical applications that cannot be feasibly decommissioned?

An effective digital transformation strategy, therefore, carefully balances the need to rejuvenate customer experiences with the steadiness of core processes. None of these can be dealt with in isolation.

Looking ahead
This wave of digital transformation calls for enterprises to deeply rethink their strategies. Those that stick their heads in the sand may soon be irrelevant to their customers.

About the authors
Phil Zongo is a head of cyber security for an Australian investment management firm. He is the 2016-17 winner of the ISACA’s Michael Cangemi Best Book/Article Award, a global award that recognizes individuals for major contributions to publications in the field of IS audit, control and/or security. Phil has more than 13 years of technology risk consulting experience, advising executives on how to manage critical risk in complex technology transformation programs across multiple industries.

Natasha Barnes, CISA, is a manager with a global consulting firm, based in the Washington D.C. metro area. She has provided IT risk and compliance consulting services within both public and private sectors for more than seven years. Natasha helps her clients to optimize their control environments and address evolving cyber security challenges. Natasha is also a member of ISACA and a career coach with Careerly, where she mentors aspiring cyber security professionals by providing students with practical guidance to make informed career decisions.

Phil Zongo, Head of Cybersecurity, Author and Public Speaker; and Natasha Barnes, CISA, IT Risk and Compliance Consulting Manager

[ISACA Now Blog]

Research Shows ‘White Male Effect’ Can Impact Risk Communications

This is a story about researching a simple question: Why are there so many vulnerabilities in information systems? One answer that might strike a chord with ISACA members is: “failure to listen to experts.”

Many of us have spent years advising companies to adhere to the principles of security by design and privacy by design, yet some still ship products with holes in them, vulnerabilities that leak sensitive data or act as a conduit to unauthorized system access. We’ve been teaching cyber-hygiene to end users since before it was called that, and we’ve all encountered organizations that don’t listen to our warnings about the risks inherent in their deployment of digital technologies.

But why do some people not listen to experts? I decided to study this question with help from my research colleague at ESET, Lysa Myers. We found an established body of research that examines the way people perceive risk and explores the ways in which risk communication can become more effective. Many of these studies centered on the rejection of warnings about risks inherent in successive waves of technology. For example, some were funded back when people argued about the risks from nuclear power and radioactive waste disposal. More recent research has explored why so many people don’t heed the warnings of climatologists.

Many studies used survey questions phrased like this: “How much risk do you believe [this hazard] poses to human health, safety, or prosperity?,” where this hazard might be global warming, genetically modified foods, and so on. Responses to these questions revealed interesting patterns when subjected to demographic analysis, particularly when that analysis included profiles derived from the cultural theory of risk perception (CT for short). According to this theory, we tend to perceive risk in a way that affirms our understanding of social structures and our place within them.

People who see society as a hierarchy of individuals rather than as a community of equals typically rate global warming less risky than folks who are more egalitarian and communitarian. Studies also found that, as a group, white males rated risks from a variety of technologies lower than white females, non-white males, and non-white females. Dubbed “the white male effect” by researchers who first observed it in 1994, this phenomenon appears to be caused by a subset of white males drastically under-rating risk relative to the mean (these men are predominantly hierarchical individualists with above average education and income).

What we didn’t find in our literature review was comparable surveying around risks arising from digital technology, so we conducted our own. We mixed six digital hazards in with nine risks unrelated to information systems, like air pollution. Using Survey Monkey, we polled more than 700 adults in the US. Our first surprise when analyzing responses was that “criminals hacking into computer systems” rated higher than any other risk, ahead of air pollution and hazardous waste disposal. A second digital hazard, theft or exposure of private data, rounded out the top four.

These results suggest that a significant portion of the American public now “gets” that digital technology brings serious risks, but what did our survey tell us about communicating with those who don’t “get” it? We did find a white male effect in our sample, but it was less pronounced for digital risks. The cultural alignment of respondents followed earlier studies for global warming, but looked quite different for digital risks. That tells me there is more work to do in this field, but we can improve our risk communication skills by learning from the work of those studying how cultural theory informs the science of science communication.

I encourage you to read Dan Kahan’s articles on this at CulturalCognition.net, and hope to see more people studying why the advice of information security experts is not universally embraced.

For more of our results, see our slides on SlideShare: https://www.slideshare.net/secret/j6a7vyrtlEgzOf.

Stephen Cobb, CISSP, MSc., Senior Security Researcher, ESET

[ISACA Now Blog]

The Role of Certifications in the Hiring Process

Without a doubt, the information security space is experiencing a dramatic increase in hiring. Finding qualified candidates is continuing to get more difficult, and the duties of managers are steadily increasing. As a result, hiring managers and human resource recruiters are looking for ways to make the process more efficient. Because most certifications in the information security industry come with experiential requirements, the search for candidates possessing industry credentials is seen as a good way to achieve this goal. However, other challenges begin to surface if the proper value of certification is not considered, which I explore in further detail in my recent Journal article.

I personally value certification in the hiring process and use this as a tool to screen potential employees before evaluating their resumes. Some scoff at this idea, as there are many qualified candidates without certification. While these candidates will almost certainly be filtered out, there are few better qualifiers to help parse through resumes and candidate requests in an efficient manner.

Whether it be on Internet forums or in discussion with industry peers, there are widely varied opinions about requiring certification as part of a job search. It appears that this practice is taking place in many organizations—glancing through job postings recently, I have seen many job postings requiring certification. Pushback from a few of my peers in the industry caused me to reevaluate my stance and to dig deeper into understanding the value certification brings to the process, the person and the organization. While my evaluation was not scientific in nature, it highlights many experiences I have had over the years as a hiring manager and is an aggregation of conversations I have had with many of my peers over the past year.

I suspect that some may feel that certification is becoming irrelevant or that candidates do not possess the skills that are expected, but if you put certification in the proper context, I truly feel that it helps in the hiring process and also helps identify a great employee with some of the positive characteristics I mention in my Journal article.

Read Thomas Johnson’s Journal article:
The Value of Certification,” ISACA Journal, volume 6, 2017.

Thomas Johnson

[ISACA Now Blog]

IoT Security and Privacy: Exploring Technology Solutions Aligned to Regulatory Needs

In my last post, I spoke about the Internet of Things (IoT) in terms of trust, security and privacy at a high level. Here, I will take a deeper dive in terms of how IoT security and privacy can impact an ecosystem interconnect.

When we talk about IoT, we think about the process we implement as we migrate to sensor-driven infrastructure for automated processes.

Looking at economies and technology ramp-up trends from a financial perspective, we will expect that there with be standardization around policies and processes, as well as implementing interfaces that are expected to connect sensors to networks, platforms, and application systems, or a combination of services.

It can all appear to be complex and large scale, especially in the borderless world of IoT. However, if as security and privacy professionals we ask ourselves, “What are the major areas we should focus on?,” my perspective is that we will have to look at:

  1. Device security and settings
  2. Security device and system physical access (IAM)
  3. Securing our communication network systems
  4. Dealing with the large volume of data we will have to process, leveraging big data analytics, risk scoring and criticality metrics aligned to a system, user privilege, and the business functionality.

IoT PriSec Model
The team at The Cyber Policy and Security Governance Institute have been developing an IoT PriSec Model. This model:

  1. Combines best of breed practices based on network, system and application security, which integrates functionality to meet data security lifecycle expectations as well as data privacy requirements for in-border and cross-border migrations.
  2. Is built on the premise that an IoT infrastructure ecosystem consists of a self-healing, secure network infrastructure and systems that exfiltrates data for analysis from system-system connects and sub-system interactions. This system will have a big data capability to build an analysis of permitted, potentially dangerous and malicious activities, allowing for event-driven capabilities, driving a mindset of adaptive security.
  3. Will be further enhanced to adapt to blockchain technologies.
  4. Integrates privacy definitions that are tied into the IAM and privilege access management which is tightly tracked and auditable.
  5. Promotes an effective combination of cryptography and smart analytics integrated into sensor security mechanisms which can quickly assess, measure and score attack attempts and attack paths for smart attack detection.

One area that will have an impact on IoT environments, given that the growth of cloud and big data are enablers of IoT, is that of unikernel security.

In the paper “Unikernels: Library Operating Systems for the Cloud,” A. Madhavapeddy and team describe a unikernel as follows: “In the context of virtual machines and cloud computing, it makes sense to describe the whole virtual machine as a unikernel.”

Bratterud, Happe and Duncan presented a paper on “Enhancing Cloud Security and Privacy: The Unikernel Solution,” which lists six observations exhibited by Unikernel systems as follows:

  1. Choice of service isolation mechanism
  2. The concept of reduced software attack surface
  3. The use of a single address space, shared between service and kernel
  4. No shell by default, and the impact on debugging and forensics
  5. Microservices architecture and immutable infrastructure
  6. Single thread by default

In a following piece, I will present further details on this aspect, as well as other areas that we are seeing leading IoT vendors focus on from a security and privacy best practice perspective.

Jon Shende, MSc., FBCS CITP, CISM

[ISACA Now Blog]

English
Exit mobile version