Digital transformations is a top-of-mind task on every company's agenda. Recent data from proves it: last year 70% of organizations either pursued a digital transformation strategy or are crafting one. Tech Pro Research survey Indeed, the pressure to make legacy processes more effective; to meet shifting customer demands; embrace new technological advancements, is mounting. Failure to seek digital transformations in the first place was highlighted as the by North Carolina State University’s research. top business risk for enterprises in 2019 Scientists from take this point even further and quantify how large the gap between digital leaders and digital laggers has grown lately: Harvard Business School ●      Leaders generate a 3-year average gross margin of 55% vs. 37% made by the laggers. ●      Leaders are earning 16% more compared to 11%, and secure the average net income of 11% to 7%, compared to the laggers. The race is tough, and a lot of executives place their bets on execution speed – the faster we push through, the sooner we’ll start reaping the benefits. However, it seems that the overzealous leaders forget about the good old : project management triangle Source: Project Management Times You may argue that laggers would be throwing in more money into the problem, but HSB study estimated that leaders and laggers have similar IT budgets: for their counterparts. 3.5% vs. 3.2% Clearly, compromises are made elsewhere, and in most cases that “where” ends up being cybersecurity. Gartner’s staggering prediction is that by 2020, will experience a major service failure due to their IT security team’s inability to mitigate digital risks. 60% of digital businesses Whether their worst-case scenario ends up being true or not, that staggering number must be a wake-up call for organizations who are treating digital security risks as an afterthought. More specifically, it's time to pay more attention to several key areas of emerging cybersecurity challenges that must be addressed in the scope of digital transformations. Threat: Evolving Distributed Infrastructure Hybrid cloud setups, microservices architecture, multi-cloud portfolios, cloud data storage – all of these are common elements of the digital transformation initiatives. The wrinkle? Such expanded ecosystems also increase the number of digital security controls that must be put in place to ensure utmost security at larger attack surfaces. Case in point: hybrid cloud users were to have incurred a data breach over the past 12 months. twice as likely What’s more, organizations will need to account for inherent risks of relying on technologies and assets they do not own or fully control. That means ensuring that: ●      Sensitive business data is stored in a compliant manner. ●      All the cloud security requirements are met to the T. ●      Regular penetration tests are executed to address newer threats. Counter Action: Switch from DevOps to DevSecOps DevSecOps means introducing the "security-by-design" approach to your CI/CD pipeline. Security-by-design paradigm is based on the : following 10 principles When adding new features, always analyze how they will impact the overall product security, and what mechanisms can be added to minimize risk exposure. Minimize attack surface area. Top security must be the default mode for users. However, they can be given controls for reducing their security, as well as being informed about the possible risks of doing so. Establish secure defaults. Every account should be provided with the least amount of privilege required to run a business process. Least privilege. Keep different user types – entities that grant action approval, entities that carry it out, and entities that monitor that action – separate. Separation of responsibilities. one control is good, but more controls that tackle risks in a more diversified manner is even better. The "deeper" your security runs, the harder it becomes to exploit any vulnerability. Defense in depth: Applications will inevitably fail at some point. But it’s your job to ensure that those failures cannot be exploited. Fail securely. Do not warrant implicit trust to externally run third party services. Introduce a transparent process for establishing that trust. Don’t trust services. Don't go for a more complex approach and unnecessary features when a simpler solution is available. Opt for the simplest solution possible. Record and analyze all security-significant events. Audit sensitive events. Hiding something is difficult, but uncovering the hidden is much easier, especially for an experienced attacker. Do not over-rely on obscurity. Finally, continuously test your systems to uncover the weakest security links and upgrade those. Woods in at ACCU 2019 offers even more insights on the matter. Eoin his speech Threat: Increasing Scope of Customer Data Privacy Regulations The notorious GDPR is just another regulation burden organizations now need to proactively tackle. Depending on your industry, you may be subject to comply with: ●      The new California Consumer Privacy Act (CCPA) ●      The Foreign Account Tax Compliance Act (FATCA) ●      Common Reporting Standard (CRS) ●      The Anti Money Laundering Directive 5 (AMLD5) ● ISO 27001 ●      EU Directive on Mandatory Disclosure for Intermediaries DAC 6 ●      ….and a variety of other regulations, being devised by global legislators as we speak. Compliance has become a complex and costly area for businesses, especially those who are eager to introduce new technology solutions for customers. However, EU general data protection regulations and other provisions should not necessarily be seen as a major roadblock to digital transformations. On the contrary, they may end up being a hidden opportunity for your company. As much as agree that stricter data management regulations will eventually benefit their companies. Here's why: 80% of IT professionals and data experts One of GDPR demands for businesses is to “maintain a detailed record of all data processing and operations”.  “Breaking the silo” and gaining better access to insights is one of the key reasons why companies pursue digital transformation. But to become truly “data-driven”, your organization will need to determine where different data is stored; who has access to it and how it’s being used (or not). In particular, this requirement can be seen as a big nudge to get rid of the data lakes and move to a more sustainable and effective data management process: ●      Process and transfer the data cross-organization in a more agile way ●      Collect and operationalize only the data your business needs ●      Drain those data lakes and slash data storage costs ●      Enforce better data security practices for different types of customer data. Another GDPR regulation: –“data protection by design and by default” – strongly correlates with " that is integral for secure digital transformations. security-by-design" approach The bottom line: most customer data privacy laws and regulations do not hinder businesses to use such data per se. Regulators are not prohibiting analytics, innovations, and so on. They are just pushing companies to do so in a secure, transparent and sustainable manner. Hence, new security best practices and should be leveraged when undergoing digital transformations. innovative approaches Counter Action: Adopt a Compliance Management Solution The main purpose of (or any of its modules) is to automate most workflows associated with reporting, monitoring and document flow. Governance, Risk and Compliance (GRC) software As already mentioned, the scope and volume of regulatory requirements keep expanding. Thus, to innovate in a compliant manner, you'll need to be able to respond quickly to the emerging requirements. Compliance management software can give you that "need for speed". Modern solutions can proactively highlight most relevant security and data privacy requirements for a specific asset, along with appropriate security and policy best practices. Also, you can gain a real-time view into the current state of your compliance and track progress. Some SCM tools are also more geared towards mitigating security risks and contain features such as: ●      Threat and system modelling ●      Security system design ●      Security assessments ●      Compliance verification with domain-specific regulations such as ISO, IT-Grundschutz, ASPICE, etc. Wrap Up Saying that business transformations are hard is a major understatement. However, it’s even more challenging to sustain that hard-forged change. According to , only 14% of company leaders said that their digital transformation efforts led to sustained performance improvements. The lucky 3% managed to achieve full success at sustaining changes. McKinsey’s last year survey Security and compliance are the two major ingredients for ensuring that your initiative does not fail. That means switching to a new IT security paradigm that would include: ●     A comprehensive data security governance framework (DSGF) ●     DevOpsSec practices ●      Adoption of Secure Software Development Life Cycle (SDLC) ●      New passwordless solutions for authentication

Flow

Read my new ebook: overview of innovative security approaches

How to Solve the Security Challenges of Digital Transformations

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Enhanced Security with Policy Management: Cloudsmith's Perspective

How to Build a Compliance Culture by Improving Employee Engagement in Your Company

5 Tips for Integrating Security into Development - Part 1

5 Tips for Integrating Security into Development: Part 2

63 Stories To Learn About Devsecops

7 Best DevOps Security Practices: DevSecOps and Its Merits

Enhanced Security with Policy Management: Cloudsmith's Perspective

How to Build a Compliance Culture by Improving Employee Engagement in Your Company

5 Tips for Integrating Security into Development - Part 1

5 Tips for Integrating Security into Development: Part 2

63 Stories To Learn About Devsecops

7 Best DevOps Security Practices: DevSecOps and Its Merits

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps