Oleg Diachuk

CSO at Infopulse focused on data privacy, compliance, risk mgmt., pentesting, SDLC, security audits

How to Solve the Security Challenges of Digital Transformations

Digital transformation is a top-of-mind task on every company's agenda. Recent data from a Tech Pro Research survey proves it: last year 70% of organizations were either pursuing a digital transformation strategy or crafting one.
Indeed, the pressure to make legacy processes more effective, meet shifting customer demands, and embrace new technological advancements is mounting. Failure to pursue digital transformation in the first place was highlighted as the top business risk for enterprises in 2019 by North Carolina State University’s research.
Scientists from Harvard Business School take this point even further and quantify how large the gap between digital leaders and digital laggards has grown lately:
●      Leaders generate a 3-year average gross margin of 55% vs. 37% for the laggards.
●      Leaders earn an average of 16% vs. 11% for the laggards, and secure an average net income of 11% vs. 7%.
The race is tough, and a lot of executives place their bets on execution speed – the faster we push through, the sooner we’ll start reaping the benefits. However, it seems that the overzealous leaders forget about the good old project management triangle: pushing harder on speed means giving something up elsewhere.
You may argue that the laggards are simply throwing less money at the problem, but the HBS study estimated that leaders and laggards have similar IT budgets: 3.5% vs. 3.2% respectively.
Clearly, compromises are made elsewhere, and in most cases that “where” ends up being cybersecurity. Gartner’s staggering prediction is that by 2020, 60% of digital businesses will experience a major service failure due to their IT security team’s inability to mitigate digital risks.
Whether that worst-case scenario ends up being true or not, such a staggering number should be a wake-up call for organizations that treat digital security risks as an afterthought.
More specifically, it's time to pay more attention to several key areas of emerging cybersecurity challenges that must be addressed within the scope of digital transformations.

Threat: Evolving Distributed Infrastructure

Hybrid cloud setups, microservices architectures, multi-cloud portfolios, cloud data storage – all of these are common elements of digital transformation initiatives. The wrinkle? Such expanded ecosystems also increase the number of security controls that must be put in place to cover a larger attack surface. Case in point: hybrid cloud users were twice as likely to have incurred a data breach over the past 12 months.
What’s more, organizations will need to account for the inherent risks of relying on technologies and assets they do not own or fully control. That means ensuring that:
●      Sensitive business data is stored in a compliant manner.
●      All the cloud security requirements are met to a T.
●      Regular penetration tests are executed to address newer threats.

Counter Action: Switch from DevOps to DevSecOps

DevSecOps means introducing the "security-by-design" approach into your CI/CD pipeline.
The security-by-design paradigm is based on the following 10 principles:
  1. Minimize attack surface area. When adding new features, always analyze how they will impact the overall product security, and what mechanisms can be added to minimize risk exposure.
  2. Establish secure defaults. The most secure configuration must be the default for users. They may be given controls to reduce their security, provided they are informed of the possible risks of doing so.
  3. Least privilege. Every account should be granted the least privilege required to run its business process.
  4. Separation of responsibilities. Keep different user types – entities that approve an action, entities that carry it out, and entities that monitor it – separate.
  5. Defense in depth. One control is good, but several controls that tackle risks in diverse ways are even better. The "deeper" your security runs, the harder it becomes to exploit any single vulnerability.
  6. Fail securely. Applications will inevitably fail at some point. But it’s your job to ensure that those failures cannot be exploited.
  7. Don’t trust services. Do not extend implicit trust to externally run third-party services. Introduce a transparent process for establishing that trust.
  8. Opt for the simplest solution possible. Don't go for a more complex approach and unnecessary features when a simpler solution is available.
  9. Audit sensitive events. Record and analyze all security-significant events.
  10. Do not over-rely on obscurity. Hiding something is difficult, while uncovering what is hidden is much easier, especially for an experienced attacker.
Finally, continuously test your systems to uncover the weakest security links and fix them. Eoin Woods, in his speech at ACCU 2019, offers even more insights on the matter.
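To make principles 2, 6 and 9 concrete, here is an added example (not from the article or from Infopulse) of a fail-open authorization check beside its fail-closed, audited counterpart; the policy table, the "outage" user and the AUDIT_LOG list are constructed for the illustration.

```python
# Added illustration of the "secure defaults", "fail securely" and "audit
# sensitive events" principles. Assumed scenario, not code from the article:
# an authorization check whose policy store can become unavailable.
from dataclasses import dataclass

class PolicyUnavailable(Exception):
    """Raised when the policy store (e.g. a remote service) cannot be reached."""

@dataclass(frozen=True)
class Request:
    user: str
    action: str

# Constructed policy table standing in for a real policy service.
POLICY = {"alice": {"read"}, "bob": {"read", "write"}}

# Constructed audit trail; a real system would ship this to a log pipeline.
AUDIT_LOG = []

def lookup_permissions(user: str) -> set:
    """Simulated policy lookup; raises when the store cannot answer."""
    if user == "outage":  # constructed trigger that simulates a store outage
        raise PolicyUnavailable("policy service unreachable")
    return POLICY.get(user, set())

def is_allowed_fail_open(req: Request) -> bool:
    """Insecure variant: permissive default, and an outage silently grants access."""
    allowed = True  # insecure default
    try:
        allowed = req.action in lookup_permissions(req.user)
    except PolicyUnavailable:
        pass  # error path leaves the permissive default in place
    return allowed

def is_allowed_fail_closed(req: Request) -> bool:
    """Hardened variant: deny by default, deny on any failure, and record the event."""
    allowed = False  # secure default (deny)
    try:
        allowed = req.action in lookup_permissions(req.user)
    except PolicyUnavailable as exc:
        # Fail securely: an outage must never widen access; audit it instead.
        AUDIT_LOG.append(f"DENY {req.user} {req.action}: {exc}")
        return False
    if not allowed:
        AUDIT_LOG.append(f"DENY {req.user} {req.action}: not permitted")
    return allowed
```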

Threat: Increasing Scope of Customer Data Privacy Regulations

The notorious GDPR is just one more regulatory burden organizations now need to proactively tackle. Depending on your industry, you may also have to comply with:
●      The new California Consumer Privacy Act (CCPA)
●      The Foreign Account Tax Compliance Act (FATCA)
●      Common Reporting Standard (CRS)
●      The Anti Money Laundering Directive 5 (AMLD5)
●      ISO 27001
●      The EU Directive on Mandatory Disclosure for Intermediaries (DAC 6)
●      ...and a variety of other regulations being devised by global legislators as we speak.
Compliance has become a complex and costly area for businesses, especially those who are eager to introduce new technology solutions for customers. However, EU general data protection regulations and other provisions should not necessarily be seen as a major roadblock to digital transformations. On the contrary, they may end up being a hidden opportunity for your company.
As many as 80% of IT professionals and data experts agree that stricter data management regulations will eventually benefit their companies. Here's why:
One of GDPR's demands for businesses is to “maintain a detailed record of all data processing and operations”. “Breaking the silo” and gaining better access to insights is one of the key reasons why companies pursue digital transformation. But to become truly “data-driven”, your organization will need to determine where different data is stored, who has access to it, and how it is being used (or not). In particular, this requirement can be seen as a big nudge to get rid of the data lakes and move to a more sustainable and effective data management process:
●      Process and transfer the data cross-organization in a more agile way
●      Collect and operationalize only the data your business needs
●      Drain those data lakes and slash data storage costs
●      Enforce better data security practices for different types of customer data.
Another GDPR requirement – “data protection by design and by default” – strongly correlates with the "security-by-design" approach that is integral to secure digital transformations.
The bottom line: most customer data privacy laws and regulations do not hinder businesses from using such data per se. Regulators are not prohibiting analytics, innovation, and so on. They are just pushing companies to do these things in a secure, transparent and sustainable manner. Hence, new security best practices and innovative approaches should be leveraged when undergoing digital transformations.

Counter Action: Adopt a Compliance Management Solution

The main purpose of Governance, Risk and Compliance (GRC) software (or any of its modules) is to automate most workflows associated with reporting, monitoring and document flow.
As already mentioned, the scope and volume of regulatory requirements keep expanding. Thus, to innovate in a compliant manner, you'll need to be able to respond quickly to emerging requirements. Compliance management software can give you that "need for speed".
Modern solutions can proactively highlight the most relevant security and data privacy requirements for a specific asset, along with appropriate security and policy best practices. You also gain a real-time view of the current state of your compliance and can track progress.
Some compliance management tools are also geared more towards mitigating security risks and contain features such as:
●      Threat and system modelling
●      Security system design
●      Security assessments
●      Compliance verification with domain-specific regulations such as ISO, IT-Grundschutz, ASPICE, etc.

Wrap Up

Saying that business transformations are hard is a major understatement. However, it’s even more challenging to sustain that hard-forged change. According to McKinsey’s survey from last year, only 14% of company leaders said that their digital transformation efforts led to sustained performance improvements. A lucky 3% managed to achieve full success at sustaining changes.
Security and compliance are the two major ingredients for ensuring that your initiative does not fail. That means switching to a new IT security paradigm that includes:
●      A comprehensive data security governance framework (DSGF)
●      DevSecOps practices
●      New passwordless solutions for authentication
