Understanding the Security Gap
According to a recent report by the Advanced Cyber Security Center, 91% of organizations say their boards believe cybersecurity presents some level of business risk. However, 64% of those respondents also agreed the role of their company’s board in digital transformation initiatives is an early-stage or maturing partnership. These numbers highlight a significant gap and demonstrate just how far many companies have to go to reach a full partnership, a finding also echoed in a recent survey by ZeroNorth.
The ACSC defines this relationship as being “well-versed in the digital agenda, cyber risks and priorities; informed about the overall IT and related investments required to move to next generation; the state of more secure systems and provides valuable feedback in their meetings with you.”
With cyber risk clearly on their minds, the question is, why are these companies slow to build a risk-aware culture? Certainly not because top executives aren’t tech-savvy. In fact, the 2018 Digital Transformation Index from Futurum Research found that almost half of companies report their digital transformation initiatives are being led by the CEO or board of directors. So, it’s not a leap to assume these businesses understand the cybersecurity impact of digital transformation on their overall security and risk posture. What they may need is a reminder of the four key things necessary to close this gap and build a transformative culture equipped to proactively manage cyber risk:
1. Create a consistent, organization-wide cyber risk framework.
Cyber risk, no longer contained within the IT realm, can hide almost anywhere in a digital organization, creating security vulnerabilities and regulatory compliance problems. That’s a lot of systems and data scattered across the company to monitor and protect. And, in many cases, there may even be different controls in place for different teams, functions and locations. Even if you could 100% bulletproof one part of the business, customers and the world at large won’t care if a breach happens in a different area.
Remember, implementing consistent and comprehensive controls across an organization doesn’t require a complete overhaul or the militant deployment of one single tool or approach; both are impractical. Instead, organizations need to create a standard framework for understanding and managing application and infrastructure risk throughout the organization. Rather than ripping and replacing, this effort is about orchestrating controls, providing visibility into vulnerabilities and driving the remediation that is required. A standard cyber risk framework creates a consistent “language” that enables everyone across the enterprise to understand, communicate and address security and compliance risks.
2. Provide real-time visibility into cyber risk.
To manage cyber risk, you must be able to see it. Once a standard cyber risk framework is in place, a closed-loop process for discovering, prioritizing and remediating vulnerabilities in a timely manner is critical. Because IT and development architectures are complex, particularly where microservices are being used in a lightning-fast environment of innovation, “timely” means in real time. And visibility has to be provided to the right people at the right time: development and IT teams need granular details to investigate and address issues within their purview; risk managers must be able to validate remediations made across the board; and executives and boards demand a strategic view into the overall security posture and risk profile of their organization.
3. Integrate—don’t layer on—security across operations.
Many organizations have adopted a DevOps model to increase agility and flexibility while accelerating time to market, both of which are critical for supporting digital transformation. But security and risk can’t be treated as a separate component of the effort; they must be fully integrated across the entire DevOps process. This type of secure DevOps, or DevSecOps, approach enables organizations to fuel innovation while still treating cyber risk as a priority. Again, orchestration is one of two key components to integrating security and risk controls into DevOps workflows without creating additional complexity or delays.
The second key component of an agile DevSecOps practice that supports delivery timeframes is automation. Continuous integration and continuous delivery (CI/CD) require continuous application and infrastructure testing, and that testing is labor-intensive. Adding to the challenge is the fact that the different tools you employ across different parts of the business work differently and have their own ways of categorizing and presenting results. Collecting, consolidating and correlating that data adds further delays and can even introduce errors into the process. When automation is combined with orchestration, DevSecOps can scale vulnerability testing across the entire enterprise, speeding execution and centralizing management of the disparate testing tools, thereby reducing complexity.
Factor Cyber Risk into Your Digital Transformation Efforts
Digital transformation can bring big business rewards, but it also increases your cyber risk; it’s just a fact of life. So, if digital transformation is a strategic, executive or board-level initiative at your company, then cyber risk must be a strategic, executive and board-level concern that’s operationalized throughout the entire organization.