Digital Transformation is sweeping across the globe as business leaders recognise the many benefits it offers. But it’s important that security is not disregarded in the process. Chris Miller, Regional Director UK and Ireland, RSA Security, looks at the dark side of Digital Transformation and the cocktail of unseen risks created as IT infrastructure becomes more complex and interconnected.
Everyone’s talking about Digital Transformation. It’s a market predicted to hit US$800 billion by 2025, as organisations around the world look to emerging technologies to drive revenue, enhance process efficiencies and get closer to their customers. Modern CIOs are increasingly viewing Digital Transformation not as a ‘nice-to-have’, but an essential business driver. Nearly half (45%) of senior decision makers worldwide claimed they were concerned about becoming obsolete within three-to-five years, while three-quarters (73%) said they need to be more ‘digital’ to succeed going forward, according to Dell’s 2018 Digital Transformation Index.
But the truth is that every new project can potentially expose an organisation to new digital risk. This can’t be addressed by siloed teams. Instead, IT needs to understand threats in a business context in order to accurately quantify the organisation’s risk appetite and prioritise its response. That’s the value of the business-driven approach to IT security we call digital risk management.
The future’s bright, the future’s digital
Digital Transformation is changing the role of IT, moving it beyond ‘have you turned it on and off again?’ to understanding business dependencies and impact. Digital technologies are radically reshaping the way organisations do business – from enabling third party integrations and interdependencies, to delivering new customer facing applications and services. This pressure is forcing IT teams to work in new ways, adopting agile and DevOps in order to meet the business’ hunger for speed.
The combination of complexity, interconnectedness, novelty and speed is a risky cocktail. If something goes wrong, the consequences are amplified, cascading through the organisation and ricocheting down the supply chain at speed. All businesses use third parties in the supply of critical services and it is often the additional risk introduced by these third parties that can cause problems. The resulting impact can range from severe operational disruption, to revenue leakage and reputational damage and even regulatory non-compliance, which means maintaining business continuity is essential. Unfortunately, shadowy forces are conspiring to make this even more challenging.
The devil’s in the digital
As our IT world grows in complexity, with a broadening range of supply chain partners, digital channels and connected devices, the attack surface widens. Cybercriminals have quickly taken advantage of this; for example, by using the infamous Magecart digital skimming code to infect supply chain firms. In doing so, they’re able to use a domino effect to reach a wider pool of victims with minimal effort.
With so much complexity, it is harder than ever for security teams to identify and respond to threats in a timely manner. Tool bloat, technical complexity, supply chain risk and skills shortages are heaping added pressures onto security teams – teams that are already more than aware of the business imperative to keep data safe and lights on. The industry as a whole is short of nearly three million professionals globally, including 142,000 in EMEA. Security teams are drowning in alerts, in constant fire-fighting mode, meaning they are unable to take a proactive approach to managing digital risk.
Breaking down the walls
IT risks are now intertwined with security risks, but they are also impacting traditional governance, risk and compliance, and organisations are under pressure to invest in integrated risk management (IRM) including third party risk. Traditionally, risk and compliance teams have operated at arms’ length from IT and security, focusing more on organisational process and regulatory commitments. However, we are seeing the reach of digital spreading into the world of risk and compliance. Previously, this impact has been greatly felt with regulated industries such as banking, retail and pharmaceuticals, but the introduction of GDPR last year put digital risk firmly on every functional and organisational leader’s plate.
However, many organisations still operate in siloes, with risk teams in one corner, IT teams in another and security in another. Each works to their own set of priorities and fail to communicate these priorities effectively, in a way the other teams will understand. As a result, things inevitably fall through the cracks because each party has a lack of context.
The need for a united front when managing digital risk
What is becoming increasingly evident is that these teams can no longer work in isolation. As digital risks converge, a multi-dimensional threat requires a holistic approach that incorporates IT, security and IRM. This won’t be easy, as siloes have often been built up over years and require major cultural change to break down. But it’s essential if digital risk management strategies are to be a success.
Getting there will require visibility, insight and action across all three functions. Visibility means ensuring you have the right information and business context. From there, you can draw insights – joining the dots between seemingly unconnected events to see the bigger picture. Then you’re ready to act; prioritising specific areas based on the value of the assets involved, potential business losses and your risk appetite. Automation can help the organisation here, especially if staff are in short supply and time is of the essence.
Enabling innovation, without sacrificing security
Ultimately, no organisation is bulletproof. It’s all about putting the right people, processes and technologies in place to ensure you mitigate digital risk striking a balance between innovation and security. That’s the way to unlock value from Digital Transformation and provide a secure foundation on which the business can innovate its way to success. Taking a business-driven approach to digital risk management that enables cross-team collaboration will allow businesses to continue to innovate, while managing new and unprecedented risks.