Infosecurity Europe
4-6 June 2024
ExCeL London

Digital Transformation Requires a Comprehensive Cybersecurity Strategy

Digital transformation is in focus today for organisations across various industries, but the process can bring a new level of risk. Firms must reduce these cybersecurity risks in order to seize the true benefits of new technologies.  

The consultancy McKinsey & Company has produced a blueprint for a digital transformation framework which covers 10 guiding principles under three broad stages: defining value, launch and acceleration, and scaling up.

Jim Boehm, a partner in the firm’s digital and cybersecurity practices and the new cybersecurity lead for Europe, said it is important to place cybersecurity in a digital transformation within the broader category of digital resilience.

“When companies are undergoing digital transformation, there is large potential for data to be missed, or systems/applications not to be engineered to work with the new environment or new capabilities,” he said. “Of course, cyber is one of the things that fits under that.”

Bringing People Together

A common mistake, Boehm warned, is bringing in new digital capabilities without ensuring the cybersecurity or information security team is at the table. Companies that do this can introduce new technologies without building the skills and capabilities within the security team needed to manage the resulting risk.

“This is particularly true of companies that are migrating to cloud,” he said. “We’ve concluded that cloud is more secure overall for most companies than on-premise [capabilities], but one of the big caveats is that they must transform the way they do security operations as well, because security operations in the cloud are very different to on-prem environments.”

Kirsten Newcomer, director of cloud and DevSecOps strategy at open-source software provider Red Hat, agreed that there needs to be a focus on cloud-native security solutions, including a DevSecOps approach.

“That is, a focus on selecting and implementing security tools that provide feedback and guardrails in the CI/CD application pipeline and the infrastructure pipeline,” she said. “Organisations need to plan for this transition as part of the transformation project.”

For those new to digital transformations, the key cyber risks will usually fall under normal infosec properties, said Steve Sands, chair of the Information Security Specialist Group (ISSG) at BCS, The Chartered Institute for IT. A key example is ‘confidentiality’, he said, meaning risks associated with unauthorised access to or loss of data.

“The ones which grab headlines are the large breaches which are perpetrated by external hackers. But they can also be caused by insiders (within the organisation or a third-party provider), either maliciously or inadvertently,” he noted.

Second, he pointed to risks associated with ‘integrity’, meaning data corruption. And third, he noted the risk from ‘availability’. While this is often seen as an operational IT issue, “it can be the most vital security consideration for some critical systems and processes.”

Jacky Fox, European lead for security at Accenture, said one of the biggest risks in a digital transformation is introducing security too late. Accenture produced its State of Cyber Resilience report in 2021, a survey of about 5000 large organisations internationally. This found that around 30% that were pursuing digital or cloud transformations had not considered security to be a part of it.

Many had attempted to bring in security later, but “it costs a lot more money to build security in at the back end than it does at the front end,” she added. 

Timing is Key 

Sands said it is crucially important to choose the appropriate technology at an early stage when implementing digital transformations. The security architect must understand the key risks associated with each discrete transformation project, he said, to ensure they design a system that reduces those risks to acceptable levels.

“Threat modelling is an often-used approach within security architecture to ensure these are addressed at the design stage,” he added. “Retrofitting security into a poorly designed architecture is extremely difficult, and usually more expensive than getting it right in the first place.”

He also pointed to the growing popularity of no-code and low-code system designs. “The easy access to no-code tools means that projects are often undertaken without any traditional project methodology, governance or cyber security and privacy consideration,” he said.

However, it would be wrong to categorise digital transformations as simply increasing the risk level. If conducted correctly, they should boost a company’s cybersecurity and wider resilience.

For example, Sands said one of the major benefits of adopting many cloud-native services is the reduced requirement to constantly upgrade the underlying software systems. “Traditional IT systems require regular patching to mitigate against newly discovered threats and vulnerabilities,” he said. “This becomes a huge drain on IT resources. For systems that aren’t built as ‘high availability’ it also means regular system downtime.”

Newcomer said that other typical aspects of digital transformations, such as containerised applications, can provide better security. Container images include the runtime and system dependencies required by the application, she noted.

“Treating the image as immutable and signing the image to ensure its integrity, as well as validating the signature at deploy time, ensures that the content in the image has not been tampered with. This means that you don’t have to worry about someone making changes to the host operating system which might impact the container.”
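As an added illustration of the sign-at-build, verify-at-deploy flow Newcomer describes (example code written for this page, not Red Hat's or the article's own): it assumes a single trusted Ed25519 publisher key, a constructed sample manifest standing in for a real image manifest, and digest pinning as the immutability mechanism.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignedImage pairs an image's immutable identity (its content digest, never a mutable tag)
// with the publisher's signature over that digest.
type SignedImage struct {
	Digest    string // "sha256:<hex>" of the manifest bytes
	Signature []byte // ed25519 signature over the Digest string
}

// digestOf computes the content digest; deploying by digest is what makes the image immutable.
func digestOf(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// sign is the build-pipeline step: the publisher signs the digest, not the tag.
func sign(priv ed25519.PrivateKey, manifest []byte) SignedImage {
	d := digestOf(manifest)
	return SignedImage{Digest: d, Signature: ed25519.Sign(priv, []byte(d))}
}

// verifyAtDeploy is the admission check: recompute the digest of what is actually about to run,
// require it to equal the signed digest, and require the signature to verify under a trusted key.
func verifyAtDeploy(trusted ed25519.PublicKey, manifest []byte, si SignedImage) error {
	if digestOf(manifest) != si.Digest {
		return errors.New("image content does not match the signed digest: tampered or wrong image")
	}
	if !ed25519.Verify(trusted, []byte(si.Digest), si.Signature) {
		return errors.New("signature does not verify under the trusted publisher key")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // assumption: one trusted publisher key pair
	manifest := []byte(`{"schemaVersion":2,"layers":["sha256:aaa"]}`) // constructed sample manifest
	si := sign(priv, manifest)
	fmt.Println("untampered:", verifyAtDeploy(pub, manifest, si))
	tampered := []byte(`{"schemaVersion":2,"layers":["sha256:bbb"]}`) // constructed: one layer swapped
	fmt.Println("tampered:", verifyAtDeploy(pub, tampered, si))
}
```

Both failure modes matter: a digest mismatch catches content changed after signing, while a failed signature check catches content signed by a key the deployment does not trust.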

A Perfect Opportunity 

Sands identified a range of key tips for organisations to consider before embarking on a digital transformation project. Among other priorities, they might define essential security requirements at the earliest stages of the project; consider a threat modelling exercise; consider penetration testing, particularly if the system includes sensitive information and is externally accessible; and consider standards and certifications along with relevant frameworks.

Boehm said organisations should include risk management and risk reduction targets as part of the outcomes and key results (OKRs) they use to measure the success of the digital transformation. He said it is vital to focus on upskilling, reskilling and retraining staff members.

“Go into your digital transformation from the very beginning, from the executive down to the product owners, talking about how security and risk management and resilience is a key part of the value proposition of this digital transformation,” Boehm added.

This is important at a time when the sector is unlikely to be able to develop enough new cybersecurity professionals to close the gap, he said. “The only way we're going to close that gap is by training technologists to be able to do the 80% of security tasks that they should be doing anyway as part of their job,” he said. “A digital transformation is a perfect opportunity to do that.”
