Reducing risk in digital transformation

Digital transformation and enterprise risk management can be thought of as parallel highways. That’s because any transformation effort will introduce new risks and change to the organization’s overall security posture.

As organizations continue their digital transformations, the transformation of security and risk management must be an integral part of that journey. Organizations must integrate security and risk management into DevOps and Continuous Delivery (CD) processes. The ultimate goal is to have resilient systems that can not only withstand cyber attacks, but also carry out mission-critical business operations after an attack succeeds.

Taking the analogy further, imagine that each of these highways has three lanes: one for people, another for process, and a third for technology.

People in an organization form its culture. For digital transformation to succeed, many organizations will need to transform the culture around risk. That might include inculcating respect for personal information, and organizations consciously building digital services with privacy in mind. The workforce needs to be adept in using digital tools such as cloud, APIs, big data and machine learning to automate and orchestrate the management of a digital security threat response.

Process relates to how an organization overhauls its business processes to be agile and yet secure at the same time. This might involve moving from ITIL behaviour to DevOps or other proactive operational approaches. Prevention is important, but the ability to respond to manage digital threats is much more relevant, as this proactive behavior coincides with DevOps principles.

Technology can present new risks, but can also help address risk. Many top technology companies, for example, are using technologies to automate processes in a way that’s secure. Some common best practices include building loosely-coupled components wherever possible on a stateless/shared-nothing architecture, using machine learning to spot anomalies quickly, and using APIs pervasively to orchestrate the security management of digital entities in a scalable manner.

Three paths — people, process and technology — are changing how enterprises reduce risk. Click image to expand.

From a CIO’s perspective, each new digital entity and interaction adds risk: Who is this user? Is this device authorized? What levels of access should be allowed? Which data is being accessed?

Leading organizations will securely identify these users, devices and other entities — including software functions and internet of things (IoT) endpoints — and they’ll do so end-to-end in an environment where services are widely distributed.

Read more in the position paper, Rethink risk and enterprise security in a digital world.


TM Ching is security chief technologist for DXC Technology in Australia and New Zealand. He is responsible for DXC ANZ’s cyber security strategy, vision and execution across the region.

Comments

  1. In my experience it is not about that your topics are not thought of, it is more about getting people to manage risk, with or without a management system. Often it is all about going bac to drawingboard and set collaboration and eduation in first room to come to an agreement on how to go forward.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: