Digital transformation and enterprise risk management can be thought of as parallel highways. That's because any transformation effort will introduce new risks and alter the organization's overall security posture.
As organizations continue their digital transformations, the transformation of security and risk management must be an integral part of that journey. Organizations must integrate security and risk management into DevOps and Continuous Delivery (CD) processes. The ultimate goal is to have resilient systems that can not only withstand cyber attacks, but also carry out mission-critical business operations after an attack succeeds.
Taking the analogy further, imagine that each of these highways has three lanes: one for people, another for process, and a third for technology.
People in an organization form its culture. For digital transformation to succeed, many organizations will need to transform their culture around risk. That might include instilling respect for personal information and consciously building digital services with privacy in mind from the start. The workforce also needs to be adept at using digital tools such as cloud, APIs, big data and machine learning to automate and orchestrate the response to digital security threats.
Process relates to how an organization overhauls its business processes to be agile and secure at the same time. This might involve moving from ITIL-style operations to DevOps or other proactive operational approaches. Prevention matters, but the ability to detect and respond to digital threats matters more, and that proactive posture fits naturally with DevOps principles.
Technology can present new risks, but it can also help address them. Many leading technology companies, for example, automate their processes in ways that are secure by design. Common practices include building loosely coupled components on a stateless, shared-nothing architecture wherever possible, using machine learning to spot anomalies quickly, and using APIs pervasively so that the security management of digital entities can be orchestrated at scale.
From a CIO’s perspective, each new digital entity and interaction adds risk: Who is this user? Is this device authorized? What levels of access should be allowed? Which data is being accessed?
Leading organizations will securely identify these users, devices and other entities — including software functions and internet of things (IoT) endpoints — and they’ll do so end-to-end in an environment where services are widely distributed.
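To make the four questions above concrete, here is an added example of a per-request access decision that answers each of them in turn: who the principal is, whether the device is enrolled and bound to that principal, what clearance the principal holds, and what classification the requested data carries. This is illustrative code written for this page, not code from the original article or from any particular product. The principal directory, device inventory, data catalogue and the rules (clearance ranks, and the rule that IoT principals may only touch telemetry resources) are all constructed assumptions. The one design choice worth copying is that every unknown or missing attribute denies the request: a distributed system that fails open whenever an identity claim is absent has no identity at all.

```python
"""Toy per-request access decision for users, devices, services and IoT endpoints.

Added example, not code from the original page. All directories and rules
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Data classifications ranked by sensitivity (assumed scale).
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Principal directory (constructed). Service accounts and IoT devices are principals too.
PRINCIPALS = {
    "alice": {"kind": "user", "clearance": "confidential"},
    "billing-svc": {"kind": "service", "clearance": "restricted"},
    "sensor-0042": {"kind": "iot", "clearance": "internal"},
}

# Device inventory (constructed): which devices are enrolled and which principals may use them.
DEVICES = {
    "laptop-a1": {"enrolled": True, "owners": {"alice"}},
    "laptop-x9": {"enrolled": False, "owners": {"alice"}},
    "k8s-node-3": {"enrolled": True, "owners": {"billing-svc"}},
    "sensor-0042": {"enrolled": True, "owners": {"sensor-0042"}},
}

# Data catalogue (constructed): resource path -> classification.
RESOURCES = {
    "/reports/public-roadmap": "public",
    "/customers/pii": "confidential",
    "/finance/ledger": "restricted",
    "/telemetry/ingest": "internal",
}

# Least-privilege scoping by principal kind (assumed rule): IoT endpoints may only
# reach telemetry paths, regardless of clearance. Kinds not listed are unscoped.
ALLOWED_PREFIXES_BY_KIND = {"iot": ("/telemetry/",)}

ACTIONS = ("read", "write")


@dataclass(frozen=True)
class Request:
    principal: Optional[str]  # None models a request with no verified identity
    device: Optional[str]     # None models a request from an unidentified device
    resource: str
    action: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def decide(req: Request) -> Decision:
    """Evaluate a request; every gap in the evidence denies (fail closed)."""
    # 1. Who is this user (or service, or thing)?
    if req.principal is None or req.principal not in PRINCIPALS:
        return Decision(False, "unidentified principal")
    principal = PRINCIPALS[req.principal]

    # 2. Is this device authorized, and is it the right device for this principal?
    if req.device is None or req.device not in DEVICES:
        return Decision(False, "unknown device")
    device = DEVICES[req.device]
    if not device["enrolled"]:
        return Decision(False, "device not enrolled")
    if req.principal not in device["owners"]:
        return Decision(False, "device not bound to principal")

    # 3. Which data is being accessed, and is it in scope for this kind of principal?
    if req.resource not in RESOURCES:
        return Decision(False, "unknown resource")
    if req.action not in ACTIONS:
        return Decision(False, "unknown action")
    prefixes = ALLOWED_PREFIXES_BY_KIND.get(principal["kind"])
    if prefixes is not None and not req.resource.startswith(prefixes):
        return Decision(False, f"resource outside allowed scope for {principal['kind']} principal")

    # 4. What level of access should be allowed?
    need = CLASSIFICATION_RANK[RESOURCES[req.resource]]
    have = CLASSIFICATION_RANK[principal["clearance"]]
    if have < need:
        return Decision(False, "insufficient clearance")
    return Decision(True, "ok")


if __name__ == "__main__":
    for r in (
        Request("alice", "laptop-a1", "/customers/pii", "read"),
        Request("alice", "laptop-a1", "/finance/ledger", "read"),
        Request("alice", "laptop-x9", "/customers/pii", "read"),
        Request(None, "laptop-a1", "/customers/pii", "read"),
        Request("sensor-0042", "sensor-0042", "/reports/public-roadmap", "read"),
    ):
        print(r, "->", decide(r))
```

In a real deployment the directories would be backed by an identity provider, a device-management inventory and a data catalogue, and the principal and device identifiers would arrive as verified claims (for example from a signed token or a client certificate) rather than as bare strings; the decision logic stays the same.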