Safety First? Delivering digital transformation
At a Glance
Adopting a new technology is challenging, but if organizations want to remain competitive and relevant, they need to continually adapt to demands from customers. Vasco Gomes and Dan Schaupner explore how and why organizations need to place cybersecurity at the heart of their strategy before embarking on any digital transformation.
Adopting a new technology is challenging, but if companies want to remain competitive, they need to adapt fast to keep their business model innovative — or at least at the same level as the competition.
Often, this requires adopting new technologies early on, long before we know everything about them. Specifically, before knowing the vulnerabilities or the best practices for designing, deploying, configuring and maintaining those new technologies.
This creates risk, yet is absolutely vital for the business.
The Chief Information Security Officer (CISO) and their team are expected to solve problems, quickly assessing how to mitigate a new technology’s risks without impacting its value.
Sounds difficult? Yes, but business leaders naturally expect them to deliver. After all, that’s what they are employed to do.
However, we often underestimate the complexity facing these teams.
Technologies are piling up because digital transformation adds to — but does not always replace — enterprise legacy applications. 5G is deployed in parallel with Wi-Fi, IoT and cabled networks. Mobile devices function alongside workstations. Even as business application teams implement DevOps, redesign applications into microservices and deploy infrastructure as code, other enterprise applications are still monolithic, deployed manually on virtual machines or physical servers. Legacy doesn’t disappear — it shrinks.
For a CISO, the legacy vulnerabilities and misconfigurations remain as important a concern as the new technologies. Because cybersecurity is only as strong as its weakest link, we cannot overlook a single application, scope or technology: any one of them could be used as the entry point for an attack.
Addressing the cybersecurity skills gap
So say you are a CISO facing a multi-technology risk landscape. Surely, the answer must be to recruit more specialists and build up your teams around each technology. Unfortunately, it’s not that simple, because this area is facing a shortage of skilled people. In its 2021 cybersecurity workforce study, (ISC)² estimated the cybersecurity workforce gap at 2.72 million professionals worldwide. These estimates seem to be confirmed by a jobs report by Cybersecurity Ventures, which also pointed out the nearly non-existent unemployment rate in the cybersecurity sector. The demand for cybersecurity professionals is indeed outstripping the supply, despite the efforts of governments and businesses. According to (ISC)²,
“the global cybersecurity workforce needs to grow 89% to effectively defend organizations’ critical assets.”
[Figure: cybersecurity workforce gap in 2021. Source: (ISC)² Cybersecurity Workforce Study]
Cybersecurity is siloed and manual
Perhaps the solution to the skill shortage is to employ a common set of simple, effective tools that will help cybersecurity professionals do more with less. Here again, I’m sorry to be the bearer of bad news. According to Dr. Sridhar Muppidi, IBM Fellow and CTO for IBM Security Systems,
“cybersecurity is among the most siloed disciplines in all of IT… The average enterprise uses 80 different products from 40 vendors.”
In the cybersecurity field, critical tasks like identifying the risk exposure of an environment, implementing preventive protections and recovering normal operations after a security incident are still largely performed manually.
Making matters worse, cybersecurity suffers from a lack of available standards. This is obviously an issue for automation, as most cybersecurity solutions require their own proprietary implementation.
Finally, although there has been progress using artificial intelligence (AI) to improve incident detection and response, AI for cybersecurity is still in its infancy. Here too, cybersecurity finds itself on the back foot, as hackers and other adversaries employ AI in their attacks.
Are all new technologies good technologies?
Given the situation, it’s fair to wonder if we are adopting technologies too fast, if the technology is mature enough, and if we’re trying to run before we can walk. These questions obviously need to be asked and considered carefully.
Ultimately, new, immature technologies will always need to be adopted — they are what makes a transformation possible.
With that fact in mind, how can we put CISOs in a better position?
Half the solution is understanding the problem, so the more closely you examine the conundrum we have outlined above, the closer you are to solving it.
Here are some of the key reasons why you should consider cybersecurity risks and their mitigations before adopting new technologies or undertaking any new digital transformations. They will go a long way to solving this conundrum.
1 Lower the cybersecurity landscape complexity
Recognize that a large number of cybersecurity tools creates a risk, and accept that one solution covering 10 controls could, in some situations, be better than 10 specialized tools covering one control each — even if they are individually stronger. Adopt global standards rather than vendor-specific implementations. Although the cybersecurity domain has improved in the last decade, there is still a lack of globally defined and adopted standards. The Organization for the Advancement of Structured Information Standards (OASIS) is doing incredible work in this regard, and enforcing standards such as SAML, KMIP, PKCS#11, STIX, TAXII and many others.
2 Enforce cybersecurity automation
Use AI to alleviate cybersecurity analysts from lower-level tasks. This must be driven from different angles:
- Cybersecurity vendors can adopt AI to improve tool efficiency and reduce management overhead, which includes reporting, configuration and alerting
- Cybersecurity services can use AI to automate their service and orchestrate interaction between solutions
- Customer CISO teams can effectively manage the entire enterprise cybersecurity posture through an AI-powered global enterprise security dashboard
Use infrastructure-as-code (IaC) to your advantage, ensuring cybersecurity is also implemented as code. We’ve seen enterprises shrink production integration and deployment cycles down to a few minutes, but cybersecurity is an afterthought — still requiring several days to allow new communication flows or deploy cybersecurity agents on workloads.
Cybersecurity changes should be embedded in the IaC approach, with cybersecurity agents and communication flows embedded in the deployment templates. This could be extended to compliance reporting, encryption activation, provisioning of access rights and many other controls.
Accordingly, the cybersecurity team can focus on the deployment templates: verify that the templates themselves are compliant before deployment, and then check that production workloads have not deviated from them.
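The two checks described above (gating the template before deployment, then comparing production against it) can be expressed as code. The following is an added example, not code from the article or from Atos: the template format, the required controls (a hypothetical `edr-agent` sidecar, encryption at rest, an egress allowlist) and the "observed" production inventory are all constructed for this illustration.

```python
"""Security-as-code checks over a deployment template and drift detection.

Hypothetical example: the template format, the required-controls policy and the
"observed" production inventory are all constructed for this illustration.
"""
from dataclasses import dataclass

# Constructed policy: the controls every workload must carry in its template.
REQUIRED_AGENT = "edr-agent"  # hypothetical workload security agent sidecar
ALLOWED_EGRESS = {"db.internal:5432", "telemetry.internal:443"}  # approved flows

# Constructed deployment template, in the shape a YAML/JSON IaC file might take.
TEMPLATE = {
    "workloads": [
        {"name": "web", "image": "web:1.4",
         "sidecars": ["edr-agent", "log-shipper"],
         "encryption_at_rest": True,
         "egress": ["db.internal:5432", "telemetry.internal:443"]},
        {"name": "batch", "image": "batch:2.0",
         "sidecars": ["log-shipper"],                             # agent missing
         "encryption_at_rest": False,                             # not encrypted
         "egress": ["db.internal:5432", "ftp.example.net:21"]},  # unapproved flow
    ]
}

# Constructed snapshot of what is actually running, e.g. from an inventory API.
OBSERVED = {
    "web":   {"image": "web:1.4", "sidecars": ["edr-agent", "log-shipper"],
              "encryption_at_rest": True,
              "egress": ["db.internal:5432", "telemetry.internal:443",
                         "pastebin.example:443"]},       # flow added after deploy
    "batch": {"image": "batch:2.0", "sidecars": ["log-shipper"],
              "encryption_at_rest": False,
              "egress": ["db.internal:5432", "ftp.example.net:21"]},
    "debug": {"image": "shell:latest", "sidecars": [], "encryption_at_rest": False,
              "egress": []},                             # never declared in IaC
}


@dataclass
class Finding:
    workload: str
    control: str
    detail: str


def check_template(template: dict) -> list:
    """Pre-deployment gate: does the template itself carry the required controls?"""
    findings = []
    for w in template["workloads"]:
        if REQUIRED_AGENT not in w.get("sidecars", []):
            findings.append(Finding(w["name"], "agent", f"{REQUIRED_AGENT} sidecar not declared"))
        if not w.get("encryption_at_rest", False):
            findings.append(Finding(w["name"], "encryption", "encryption_at_rest is not enabled"))
        for flow in w.get("egress", []):
            if flow not in ALLOWED_EGRESS:
                findings.append(Finding(w["name"], "egress", f"flow {flow} is not in the approved list"))
    return findings


def detect_drift(template: dict, observed: dict) -> list:
    """Post-deployment check: compare the declared state with the observed inventory."""
    findings = []
    declared = {w["name"]: w for w in template["workloads"]}
    for name, obs in observed.items():
        if name not in declared:
            findings.append(Finding(name, "drift", "workload running but not declared in template"))
            continue
        decl = declared[name]
        for key in ("image", "encryption_at_rest"):
            if decl.get(key) != obs.get(key):
                findings.append(Finding(name, "drift",
                                        f"{key}: declared {decl.get(key)!r}, observed {obs.get(key)!r}"))
        for s in sorted(set(decl.get("sidecars", [])) - set(obs.get("sidecars", []))):
            findings.append(Finding(name, "drift", f"sidecar {s} declared but not running"))
        for f in sorted(set(obs.get("egress", [])) - set(decl.get("egress", []))):
            findings.append(Finding(name, "drift", f"egress {f} observed but not declared"))
    for name in declared:
        if name not in observed:
            findings.append(Finding(name, "drift", "declared in template but not running"))
    return findings


if __name__ == "__main__":
    for f in check_template(TEMPLATE) + detect_drift(TEMPLATE, OBSERVED):
        print(f"[{f.control}] {f.workload}: {f.detail}")
```

Run as a script, the gate stops the `batch` workload before it ships (no agent, no encryption, an unapproved flow), and the drift check surfaces the two things the template cannot see on its own: an egress flow that appeared on `web` after deployment and a `debug` workload that was never declared at all. In a real pipeline the first function would run as a CI step on the template repository and the second on a schedule against the inventory API.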
3 Increase available cybersecurity skills and improve work organization effectiveness
Train new cybersecurity analysts. At the same time, remember to upgrade and enhance the skills of existing cybersecurity experts to keep pace with a dynamic market. Train non-cybersecurity teams on the cybersecurity domains closest to their responsibilities. Most enterprise cybersecurity efforts are too heavily concentrated in the CISO office, which is responsible for watching the environment yet is often pulled into design meetings and brought into the secure software development lifecycle (SDLC) very late. The digital transformation environment should have security engineering and design functions woven into the SDLC. This reduces time-to-operate without sacrificing security, mitigates the risks and costs of rework, and ensures proper separation of duties among the stakeholders.
Embrace the power of collaboration, acknowledging that we cannot cover everything alone. The Charter of Trust initiative, of which Atos is a founding member, includes more than a dozen large corporations such as IBM, Siemens, NEC and others, who confidentially share information on cyberattacks with each other. This is a unique representation of this new age of cybersecurity, fostering dynamic protection and cooperation.
4 Do not hesitate to kill or zap a legacy technology
Question the continuation of legacy technologies. If a legacy technology is confined to just a few small applications, consider that the cost of a complex migration or evolution might be worth the reduction of the negative impacts described above.
Don’t believe the hype. At least, not blindly. Calculate the risks that any new technology may create and weigh them against the rewards it will bring to your business. Identify possible risk mitigations before adopting any buzzy new technology.
Cybersecurity and digital business risk management: Two sides of the same coin
Organizations are investing significantly in digital transformation. This is a prudent decision, considering the business value implications and the benefits to stakeholders.
As they transform, these organizations have the option of integrating security prior to implementation, or of failing to do so and repeating the mistakes of the past. The effectiveness of a transformation is limited by how resilient its structure is against the threat environment. From the board and C-suite to line managers, all business leaders are responsible for managing risks and protecting next-generation information systems. While they may not need to know how to configure a secure cloud, they do need to know how to hold the enterprise accountable for its expectations, and that includes all the considerations discussed here. The question is, who and what will be ready to help them navigate these complexities?
Ultimately, cybersecurity should be a strategic consideration, discussed at board level before a digital transformation is considered.
Digital Vision: Cybersecurity 3 – Further Insights