Digital transformation is a top-of-mind task on every company's agenda. Recent data from a Tech Pro Research survey proves it: last year, 70% of organizations had either pursued a digital transformation strategy or were crafting one.
Indeed, the pressure to make legacy processes more effective, to meet shifting customer demands and to embrace new technological advancements is mounting. Failure to pursue digital transformation in the first place was highlighted as the top business risk for enterprises in 2019 by North Carolina State University's research.
Scientists from Harvard Business School take this point even further and quantify how large the gap between digital leaders and digital laggards has grown lately:
● Leaders generate a 3-year average gross margin of 55%, versus 37% for the laggards.
● Leaders are earning 16% more, compared to 11%, and secure an average net income of 11% versus 7% for the laggards.
The race is tough, and a lot of executives place their bets on execution speed – the faster we push through, the sooner we’ll start reaping the benefits. However, it seems that the overzealous leaders forget about the good old project management triangle:
[Figure: the project management triangle. Source: Project Management Times]
You may argue that the laggards simply throw more money at the problem, but the HBS study estimated that leaders and laggards have similar IT budgets: 3.5% vs. 3.2% for their counterparts.
Clearly, compromises are made elsewhere, and in most cases that “where” ends up being cybersecurity. Gartner’s staggering prediction is that by 2020, 60% of digital businesses will experience a major service failure due to their IT security team’s inability to mitigate digital risks.
Whether their worst-case scenario ends up being true or not, that staggering number must be a wake-up call for organizations that are treating digital security risks as an afterthought.
More specifically, it's time to pay more attention to several key areas of emerging cybersecurity challenges that must be addressed within the scope of digital transformation.
Hybrid cloud setups, microservices architectures, multi-cloud portfolios, cloud data storage: all of these are common elements of digital transformation initiatives. The wrinkle? Such expanded ecosystems also increase the number of digital security controls that must be put in place to secure a larger attack surface. Case in point: hybrid cloud users were twice as likely to have incurred a data breach over the past 12 months.
What’s more, organizations will need to account for inherent risks of relying on technologies and assets they do not own or fully control. That means ensuring that:
● Sensitive business data is stored in a compliant manner.
● All the cloud security requirements are met to a T.
● Regular penetration tests are executed to address newer threats.
DevSecOps means introducing a "security-by-design" approach into your CI/CD pipeline.
The security-by-design paradigm is based on the following 10 principles:
Finally, continuously test your systems to uncover the weakest security links and strengthen them. Eoin Woods, in his talk at ACCU 2019, offers even more insights on the matter.
The notorious GDPR is just one more regulatory burden that organizations now need to tackle proactively. Depending on your industry, you may also be required to comply with:
● The new California Consumer Privacy Act (CCPA)
● The Foreign Account Tax Compliance Act (FATCA)
● Common Reporting Standard (CRS)
● The Anti Money Laundering Directive 5 (AMLD5)
● EU Directive on Mandatory Disclosure for Intermediaries DAC 6
● ...and a variety of other regulations being devised by global legislators as we speak.
Compliance has become a complex and costly area for businesses, especially those who are eager to introduce new technology solutions for customers. However, EU general data protection regulations and other provisions should not necessarily be seen as a major roadblock to digital transformations. On the contrary, they may end up being a hidden opportunity for your company.
As much as 80% of IT professionals and data experts agree that stricter data management regulations will eventually benefit their companies. Here's why:
One of GDPR's demands on businesses is to "maintain a detailed record of all data processing and operations". "Breaking the silo" and gaining better access to insights is one of the key reasons why companies pursue digital transformation. But to become truly "data-driven", your organization will need to determine where different data is stored, who has access to it and how it is being used (or not). In particular, this requirement can be seen as a big nudge to get rid of data lakes and move to a more sustainable and effective data management process:
● Process and transfer the data cross-organization in a more agile way
● Collect and operationalize only the data your business needs
● Drain those data lakes and slash data storage costs
● Enforce better data security practices for different types of customer data.
Another GDPR requirement, "data protection by design and by default", strongly correlates with the "security-by-design" approach that is integral to secure digital transformation.
The bottom line: most customer data privacy laws and regulations do not hinder businesses from using such data per se. Regulators are not prohibiting analytics, innovation and so on; they are just pushing companies to do so in a secure, transparent and sustainable manner. Hence, new security best practices and innovative approaches should be leveraged when undergoing digital transformation.
The main purpose of Governance, Risk and Compliance (GRC) software (or any of its modules) is to automate most workflows associated with reporting, monitoring and document flow.
As already mentioned, the scope and volume of regulatory requirements keep expanding. Thus, to innovate in a compliant manner, you'll need to be able to respond quickly to the emerging requirements. Compliance management software can give you that "need for speed".
Modern solutions can proactively highlight the most relevant security and data privacy requirements for a specific asset, along with appropriate security and policy best practices. You also gain a real-time view of the current state of your compliance and can track progress.
Some SCM tools are also more geared towards mitigating security risks and contain features such as:
● Threat and system modelling
● Security system design
● Security assessments
● Compliance verification with domain-specific regulations such as ISO, IT-Grundschutz, ASPICE, etc.
Saying that business transformations are hard is a major understatement. However, it's even more challenging to sustain that hard-forged change. According to McKinsey's survey last year, only 14% of company leaders said that their digital transformation efforts led to sustained performance improvements. A lucky 3% managed to fully succeed at sustaining the changes.
Security and compliance are the two major ingredients for ensuring that your initiative does not fail. That means switching to a new IT security paradigm that would include:
● A comprehensive data security governance framework (DSGF)
● DevSecOps practices
● Adoption of a Secure Software Development Life Cycle (SDLC)
● New passwordless solutions for authentication