Digital transformation is revolutionising business, with technologies such as mobile computing, big data analytics and the internet of things (IoT) entering every aspect of an organisation from customer service to high-level decision-making.
However, Gartner predicts that by 2020, 60 per cent of digital businesses will suffer major service failures due to the inability of IT security teams to manage digital risk.
The more connected devices an organisation uses and the more data it collects, the greater the possibilities for a breach and the bigger the incentive for hackers.
When undergoing a digital transformation project, always involve security people from the very start
Meanwhile, by its very nature, transformation is ripe with the possibility of unforeseen effects, so security should be central from the outset. It’s not something that project teams will necessarily be keen on, as there’s a common perception that focusing on security too early can cause delays and put too many constraints on a project.
In fact, though, the opposite is more likely to be true, as an early focus on security can save project teams from going down the wrong path.
“When undergoing a digital transformation project, always involve security people from the very start – it saves a lot of pain and backtracking later on,” says Owen Connolly, Europe, Middle East and Africa vice president at research firm IOActive. “We really do like to do the blue-sky thinking too and we actually have ideas to contribute.”
As Simon Leech, chief technologist on Hewlett Packard Enterprise’s digital solutions and transformation team, points out, the widespread adoption of IoT has already provided examples of what can happen if security isn’t properly considered in the design phase.
“The recent Mirai botnet preyed upon IoT devices, including IP cameras and home routers, infecting those with default passwords and outdated Linux kernel versions. Infected devices were added to a botnet which was then controlled to launch DDoS [distributed denial-of-service] attacks,” he says.
“It would have been fairly trivial to include controls at the design stage to enforce users to change default passwords and deliver system updates, but alas these devices are typically built to a budget and too often there is not enough budget to take a mature approach to risk assessment.”
Gartner predicts that 8.4 billion connected devices will be in use worldwide in 2017, rising to 20.4 billion by 2020. And according to Cisco, these devices will generate more than 400 zettabytes – 400 trillion gigabytes – of data every year by 2018.
It’s a huge challenge for security professionals, for whom traditional perimeter protection is no longer enough.
“Digital transformation inevitably adds more devices and ways to attack the business,” says Piers Wilson, head of product management at Huntsman Security. “Blocking every possible attack route is impossible. Instead, concentrate on knowing what ‘normal’ behaviour looks like, so security teams can spot and address suspicious activity instantly.”
Adaptive, self-defending systems are coming into their own, exploiting machine-learning and real-time analytics capabilities. They can autonomously identify intruders and detect unusual access to data and systems from inside the network. Role-based controls limit the user’s access to data by job role and two-factor authentication double-checks identity.
But it’s important to note that effective security is a continuous process, and this is particularly the case in a digital organisation, which is far more likely to be making business changes rapidly and all the time.
“To really address the security risks in business transformation, it’s necessary to consider the organisational risk position throughout the life cycle of the transformation exercise,” says Mr Leech.
New risks need to be identified on an ongoing basis, and agile systems put in place for patching and remediation, as well as monitoring that systems are working swiftly and effectively.
Partly for this reason, digital transformation must bring with it a changed business culture, with cyber security, applications security and IT teams working more closely with operations staff, and often this will mean accepting a certain level of risk.
“Organisations will learn to live with acceptable levels of digital risk as business units innovate to discover what security they need and what they can afford,” says Paul Proctor, vice president and distinguished analyst at Gartner. “Digital ethics, analytics and a people-centric focus will be as important as technical controls.”