Digital transformation needs security built-in – five steps to succeed

(Image credit: Image Credit: Wichy / Shutterstock)

Change is a constant. As humans, we replace every cell in our body every seven years. Similarly, in IT, we have to keep up with new technology options and more competition than ever before. For enterprises, digital transformation is how to keep up with this constant change.

Digital transformation involves rethinking how your company delivers its services – from developing new online services through to redesigning the kinds of products that the company offers. The important element is that digital transformation covers more than IT – it involves areas like business process, culture and workflow just as much as it does technology.

Managing this kind of profound change – which digital transformation should involve – means looking at things more deeply. At the same time, these large-scale changes have to be completed with security in mind.

Digital transformation and change – why it is hard to make security stick within this?

For customers, digital transformation should happen behind the scenes with very little visibility beyond the service being delivered. They don’t need to build or understand the backend infrastructure at all – instead, they should get useful services that deliver more value to them.

For enterprises, the value proposition is a similar one – get data faster and from more places, then use that data as part of new services that keep customers engaged and satisfied. The development of new technology like the Internet of Things can provide more data on how the business is performing – from where products exist within the supply chain through to how they are bought. This data can be analysed and used to streamline what products are offered, where they are shipped to and how they are offered to customers, all with the aim of increasing sales and keeping customers happy.

For companies going through digital transformation projects, the emphasis is on how to deliver better services. However, while these projects focus on ease of use, speed of delivery and increased adoption, they often overlook security. Aside from the data that these sensors and services create and store, any new software services or Internet-connected devices can be vulnerable to attack.

For instance, too many smart devices have been developed with poor or non-existent security and with no thought to updates. As a result, these devices can be vulnerable to hackers that can access the embedded cameras and microphones. Without stronger security, these devices potentially allow attackers to spy on your activities, or access information that would identify when you’re home and when you’re not. 

For those involved in digital transformation, security has to be just as important as new service design. However, this is not about blocking new implementations or stopping innovation; in fact, security in this environment has to be both frictionless and transparent. The issue is that many digital projects have focused on functionality and either ignored or overlooked security.

This is a cultural issue, rather than a technology problem. There are multiple security frameworks and best practice guides available that can be applied to digital transformation. From OWASP’s guidance on web applications through to new suggestions for standards around IoT device security, there are multiple resources available to support better security by design. Enterprises have to demand more security is embedded within any new devices or applications that they choose to use within their digital transformation approaches, while customers must become more concerned about the security of their data over time as well.

(Image credit: Pixelcreatures/Pixabay)

Building security into digital transformation

So, how do you remain compliant in this ever-changing world? The tenets for digital transformation security are accuracy, visibility, scalability, immediacy and transparent orchestration:

1. Accuracy – to make security and compliance easier, you need comprehensive asset visibility and control. For enterprises, the plethora of devices that can be connected to your network can all represent new potential entry points. Alongside anything directly connected to your corporate environment, you may also have to consider devices connected to remote workers’ machines as well.

To manage this, you will require a complete, accurate and detailed inventory of all your IT assets wherever they are located, on premises, cloud instances or mobile endpoints. This should include those assets that are known as well as those that are unknown or “shadow IT” devices.

To deliver this, you have to combine multiple ways of detecting IT assets. Your asset data should include information from existing vulnerability management and continuous scanning services, through to new passive scanning that can spot unauthorised or personal devices on the network. This combination should show up all the Internet-connected devices and assets that exist. If this is not in place, your vulnerability management plans and your threat intelligence decisions will be based on incomplete, inaccurate and outdated information. This puts your organisation at a greater risk.

2. Visibility – this goes hand in hand with accuracy, because without the two working well together, you don’t have a complete picture of what’s going on across all your IT services, including those hosted outside your corporate network.

As more software and more data moves to the cloud, the volume of IT infrastructure has grown significantly. For enterprises, IT now includes assets in on-premise data centres, endpoint machines, Internet of Things devices, mobile devices like phones and tablets, and new services implemented in the cloud. You cannot secure what you don’t know about. Visibility across all these services and pulling that data into one place helps ensure that all your assets are secure.

3. Scalability – one of the essential requirements for digital services is that they can scale up effortlessly in response to changes in demand. New digital services should cope with rapid increases in user requests at peak times so that there are no interruptions for customers. Enterprises that are growing rapidly should pay special attention to scalability when looking at how these services are implemented.

Similarly, the security infrastructure should be able to cope with these rapid expansions in infrastructure. For modern applications build on new technologies like microservices and containers, putting security and vulnerability management support into the infrastructure from the start will ensure that scale does not affect security management or lead to gaps in policy. By thinking about scale and security at the start, digital transformation projects can avoid problems in the future.

4. Immediacy – digital services are designed to provide fast and frictionless responses to customers. That is their nature. However, it’s important that this speed of service is matched by speed of security as well. Security teams need to be able to react to potential issues as fast as potential risks start to develop.

In order to deliver this, security teams have to be engaged within projects to ensure that security is built in from the start. Trying to retrofit security into digital transformation projects will quickly become problematic for those involved – at best, it will slow down the progress of projects before they hit production; at worst, it may lead to halts in service while those services are taken down and fixed. Either way, the perception of security will be as a blocker to innovation, rather than being a necessary part of delivering those new digital services. Instead, getting involved earlier in the process allows security to stop issues before they start.

5. Transparent orchestration – alongside the other criteria, transparent orchestration involves how you manage all the data that you are creating as a business. As part of digital transformation, you should look at how you can ingest data, correlate multiple sources and analyse that data in real time.

A major benefit of this automation and orchestration is the ability to aggregate and consolidate a variety of information from multiple sources in a single console. That way, you can easily see your security and compliance posture at a glance in one place. Based on this combination of multiple data sets from across the business, you should be able to manage any response to an issue before it affects customers.

Changing security for digital transformation

Just as more companies are implementing digital transformation projects, so too IT security departments are changing their own approaches to keeping processes and policies around data. The increased pace of life and the move to more Internet-connected services has combined, leading more companies to move over to digital channels to remain competitive.

However, good security practices should not be ignored in the rush to digital. Instead, security teams can help developers and business teams collaborate on getting these new digital services launched without issues. By embedding the values of accuracy, visibility, scalability, immediacy and transparent orchestration into digital transformation projects, security teams can ensure these efforts are successful.

Darron Gibbard, Managing Director, Qualys, EMEA North

Darron Gibbard
Darron is a former CTSO and now Managing Director of Qualys, EMEA North. He has over 25 years’ experience across payment services, media and telecoms organisations covering IT and Information security.