Focusing on security in digital transformation

January 4, 2023
John Bruggeman
Consulting CISO

When your company starts to think about a digital transformation, it must consider how it will secure the data that is critical to the business. The strategic benefits of a digital transformation can quickly be lost if the data you are storing in the Cloud or on mobile devices is lost, stolen, or compromised.

Just as the move from mainframes to minis to PCs transformed how businesses operated in the 80s and 90s, the opportunity to enhance and upgrade your business using the best technology platform can transform your business and prepare it for exponential growth. At the same time, using the best security technology during a digital transformation ensures that you can focus on that growth and not persistent threats to your data and systems.

What does it mean to go through a digital transformation?

For most companies, digital transformation has three main components—resiliency, scale, and speed to market—and involves re-writing, re-architecting, and re-platforming legacy and traditional applications into cloud-native modern apps. These new applications allow for a mobile-first design that pushes data and security out to the edge device.

Sample transformative steps a company can take include:

  • Transform and move back-office processes to a cloud-hosted solution.
  • Shift to a mobile-first philosophy and leverage IoT devices.
  • Allow your products or services to be consumed on a subscription basis.
  • Move to an agile software development process focused on the customer.
  • Permit staff to work from anywhere, on any device.

To ensure the success of these steps and the value they can bring, information security must be part of the discussion as key strategic decisions are made. Furthermore, knowing the exact location of the data on which these systems rely can help protect your company’s data and the long-term health of the organization.

Digital transformation security will require a culture change

As companies compete with innovative ideas and first-to-market tools, the security team supporting these advances also must adapt and change. However, a sticking point for innovation is the ongoing support of legacy applications. A report by Deloitte in 2020 noted that the average IT department devoted 50% of its budget to maintenance and only 19% to innovation. A 2020 survey conducted by the Ponemon Institute reported that 82% of the respondents believe their organization experienced a data breach because of the company’s digital transformation. Clearly, innovation and security must happen simultaneously.

CIOs investing in a digital transformation strategy know that integrating a new culture of security at the beginning of the digital transformation will create a sound foundation for a transformed company. No single security tool, policy, or procedure can protect all the data. What will protect the data is a mindset that says, “I am as responsible for security as the CISO is.”

Ultimately, it is all about the data

Before a digital transformation, information security teams could expect to have firewalls at the edge to protect the internal network. All work was conducted on company-owned hardware connecting to the internal network where centralized data centers protected the crown jewels of your data 24×7.

As legacy systems are transformed and updated, however, new security tools and controls are needed to protect and monitor who can access the data and what they can do with it. Accordingly, security needs to move up the stack, from legacy tools focused on the network and host to the application layer, where the focus is the data. The goal is to protect the data, not the device or the network.

The four must-have modern security areas for your digital transformation security plan

Zero Trust Network Access

Zero Trust Network Access is not a product or an SKU you can buy, but a mindset that starts with the expectation that no device is trusted, and no user is trusted. Instead, trust must be demonstrated and verified before access is granted to an object or system or service. Read more about ZTNA here: https://www.cbts.com/blog/zero-trust-networks/

Third-party risk management

When you move applications to a cloud-hosted solution, you are trusting your data and systems to a third party. You now need to manage the risk that exists with that third party on a regular basis and confirm that the provider you are using has the same, or better, security posture as your own. Learn more about securing your supply chain: https://www.cbts.com/blog/how-do-you-ensure-the-security-of-your-supply-chain/

IoT device management

During a digital transformation, a myriad of devices will interact with your systems and data. While your transformation will initially focus on mobile devices with people making the requests, you also want to design for IoT devices—like Alexa or Siri—and consider how they can interact with your cloud-hosted applications and what security concerns arise. See how IoT impacts the medical field: https://www.cbts.com/blog/digital-transformation-in-healthcare-begins-in-the-cloud/

Cloud security controls

As your new cloud-native applications are brought into production, your security team will need to use cloud security controls, like CASB, CSPM, and CWPP. Cloud access security brokers (CASB) are cloud-native security tools that ensure users in your environment can access only the cloud services that they are allowed to access. Cloud security posture management (CSPM) monitors your cloud environment and alerts you when security permissions are not set correctly for a system or data. Cloud Workload Protection Platform (CWPP) is a security tool that makes sure that the applications running in your cloud environment are protected from malware and viruses. Read more about these controls: https://www.cbts.com/blog/cloud-security-controls-mitigate-risk/

In conclusion

Plainly, security must be part of the conversation as you plan your digital transformation. Whatever plan you make, security is at least as important as the reasons your company pursues its transformation. If you have questions about how to integrate security into your plan, contact our security team.
