Pre-pandemic, most organizations had digital transformation projects in place for migrating their workloads to more modern, cloud-based infrastructures. When the pandemic hit, these digital transformation projects didn’t necessarily change. However, the onslaught of acute challenges brought on by the pandemic caused organizations to dramatically accelerate their digital transformation and infrastructure modernization plans. Suddenly grappling with the necessity of remote work, thinner operating margins and evolving customer needs, organizations recognized a savior in fast, nimble and relatively affordable cloud technology.
Accelerated infrastructure modernization is a positive side-effect of the pandemic. With rapid, widespread cloud adoption, more organizations gain the ability to bring new applications and services to market faster, reduce the cost and complexity of their database operations, and provide greater overall flexibility and accessibility. But it can also be a disaster if organizations, so motivated to accelerate their digital transformation projects as a result of the pandemic, neglect to also accelerate their security. Workload migration into the Cloud cannot be done without also migrating security controls and good security practices.
Today, organizations that modernized their infrastructure without also modernizing corresponding security, face chronic visibility, control, compliance and privacy issues. And these issues span beyond fundamental cybersecurity implications. When infrastructure modernization outpaces security, organizations’ risk and resiliency as a whole are impacted. Chief Security Officers (CSOs), Chief Information Security Officers (CISOs) and other security leaders have learned this the hard way over the past 20 years and, as an industry, we have finally got to a point that security and privacy are not left to the last minute; we just need to make sure that in our scramble to accelerate everything we don’t leave these controls behind.
4 best practices for closing the digital transformation security gap
To close the gap between digital transformation and security, cyber and physical security leaders (or a combination of the two) must work to make security an essential line item within their organizations. Below are four best practices for comprehensively improving enterprise risk and resiliency, and boosting security resource budgets:
- Understand who’s responsible for securing what. Security teams can’t monitor and protect their organization’s most valuable assets if they don’t know the assets exist and/or if it’s unclear where security responsibility lies. For example, nearly all cloud service providers follow an industry-standard shared responsibility model where service providers are responsible for securing the system and customer organizations are responsible for securing the data. If security teams are responsible for protecting their organization’s cloud-based data, then in addition to owning that responsibility, they’ll need to work closely with DevOps, a group who’s constantly spinning up new databases that require protection. It’s impossible for security teams to secure data they’re not aware of, so they’ll require regular updates from DevOps teams on every database currently in use (even off-the-radar ones) and where the most sensitive and valuable data is being stored.
- Create a unified set of security policies. To be able to quickly identify and respond to any unusual activity, security teams need to establish a baseline of what normal behavior looks like via a unified set of security policies. These policies should incorporate all facets of an organization’s security, including which employees are allowed to access what data, how customer communication is dispersed in the event of a security breach and even how visitors or remote employees are granted access to physical properties, for instance. In addition to alerting security teams when any out-of-policy activity occurs, unified security policies are vital for demonstrating compliance during audits.
- Establish security representation in the boardroom. The most direct way to rally greater support for security is to make sure security leadership is represented at all board meetings. Too often, security voices aren’t heard (or even present) when a board of directors meets and as a result, security teams miss out on the opportunity to offer guidance on where investments need to be made. To ensure executive advocacy, security teams should appoint their CSO, CISO (or closet equivalent) to regularly liaise with their organization’s board of directors. In particular, the CISO should make sure the board’s efforts are aligned with existing and new regulations and client requirements, and that there’s an appropriate level of urgency and funding to evaluate security risks around any new business project.
- Set expectations on security goals and ROI. Given the myriad of different components involved, validating the success of security is highly nuanced. It’s not nearly as straightforward as an auditor informing an organization that they’ve achieved compliance, so appropriate expectations and benchmarks need to be set. For example, in terms of data security, with unlimited time, budget and resources, any enterprise can achieve complete security coverage of all data sources and transform the raw data they collect into contextually rich information for security analytics. However, for most organizations, this is rarely reality or even a necessity. Security teams may want to set the goal of achieving 100% coverage of all databases and providing teams with ready-to-use data for analytics, however to bolster ROI and efficiency they should take advantage of automation tools and security controls orchestration. By starting small and gradually scaling their efforts to unify and secure all data sources, security teams can optimize their efforts and resources as time goes on.
Keeping pace with the risk climate
Too often, technological innovation, market disruptions and customer priorities take precedence over security. But the complexity and ubiquity of security risks in today’s business landscape demand that security no longer be viewed as secondary. Long-term viability requires organizations to make security an essential line item and collective priority. By assigning clear responsibility, creating unified policies, ensuring representation in the boardroom, and setting expectations for goals and ROI, security leaders can remediate pandemic-induced digital transformation security gaps -- and at the same time, prepare their organizations’ security for whatever infrastructure modernizations the future may bring.