In the latest part of the Atos Digital Security Magazine, we explained how digital transformation creates additional cybersecurity risks by layering new technologies on top of legacy ones. In turn, this creates a challenge to short-handed cybersecurity teams, who are facing a siloed cybersecurity landscape that is devoid of automation.
Here are some of the key reasons why you should consider cybersecurity risks and their mitigations before adopting new technologies or undertaking any new digital transformations. It will go a long way to solving this conundrum.
1. Lower the cybersecurity landscape complexity
Recognize that a largenumber of cybersecurity tools creates a risk, and accept that one solution covering 10 controls could, in some situations, be better than 10 specialized tools covering one control each — even if they are individually stronger.
Adopt global standards rather than vendor-specific implementations. Although the cybersecurity domain has improved in the last decade, there is still a lack of globally defined and adopted standards. The Organization for the Advancement of Structured Information Standards (OASIS) is doing incredible work in this regard, and enforcing countless standards such as SAML, KMIP, PKCS#11, STIX, TAXII and many others.
2. Enforce cybersecurity automation
Use AI to alleviate cybersecurity analysts from lower-level tasks. This must be driven from different angles:
- Cybersecurity vendors can adopt AI to improve tool efficiency and management overload, which includes reporting, configuration and alerting
- Cybersecurity services can use AI to automate their service and orchestrate interaction between solutions
- Customer CISO teams can effectively manage the entire enterprise cybersecurity posture through an AI-powered global enterprise security dashboard
Use infrastructure-as-code (IaC) to your advantage, ensuring cybersecurity is also implemented as code. We’ve seen enterprises shrink production integration and deployment cycles down to a few minutes, but cybersecurity is an afterthought — still requiring several days to allow new communication flows or deploy cybersecurity agents on workloads.
Cybersecurity changes should be embedded in the IaC approach, with cybersecurity agents and communication flows embedded in the deployment templates. This could be extended to compliance reporting, encryption activation, provisioning of access rights and many other controls.
Accordingly, the cybersecurity team can focus on the deployment templates to verify cybersecurity compliance and ensure that production workloads have not deviated from it.
3. Increase available cybersecurity skills and improve work organization effectiveness
Train new cybersecurity analysts. At the same time,remember to upgrade and enhance the skills of cybersecurity experts to keep pace with the dynamic market. Train non-cybersecurity teams on the cybersecurity domains closest to their responsibilities. Most enterprise cybersecurity efforts are too heavily concentrated in the CISO office — responsible for watching the environment, but often called into sitting on design meetings and included very late in the secure software development lifecycle (SDLC). The digital transformation environment should have security engineering and design functions woven into the SDLC. It securely reduces the time-to-operate, mitigates risks and costs of rework, and ensures proper separation of duties among the stakeholders.
Embrace the power of collaboration, acknowledging that we cannot cover everything alone. The Charter of Trust initiative, of which Atos is a founding member, includes more than a dozen large corporations such as IBM, Siemens, NEC and others, who confidentially share information on cyberattacks with each other. This is a unique representation of this new age of cybersecurity, fostering dynamic protection and cooperation. You can read more about the power of cooperation for defeating cybercrime here.
4 . Do not hesitate to kill or zap a legacy technology
Question the continuation of legacy technologies. If it is confined to just a few small applications, consider that the cost of a complex migration or evolution might be worth the reduction of the above-mentioned negative impacts.
Don’t believe the hype. At least, not blindly. Calculate the risks that any new technology may create and weigh them against the rewards it will bring to your business. Identify possible risk mitigations before adopting any buzzy new technology.
Accelerating the journey towards a cyber-secure digital transformation
Here are four quick steps that can be taken to facilitate a faster, more seamless digital transformation while improving your overall cybersecurity — even when no new technology is involved:
Increase your secure application development capabilities,
demonstrating efficiency in secure code management, improved performance and cost savings, so you can manage your risk portfolios in an informed way.
Identify and classifysensitive data
that is not sufficiently categorized or inadequately stored in repositories. Doing this early in your digital transformation program helps you know where your data is located — a fundamental part of digital transformation that can easily be overlooked.
Manage encryption with care.
In our experience, many organizations fail to understand that poorly implemented or managed encryption gives a false sense of security, leaving you surprisingly vulnerable to man-in-the-middle attacks, denial of service, or adversaries taking advantage of the weakness.
Implement sound governance of identities and accesses.
Identities have become the new perimeter of the enterprise business, and permissions are its attack surface. Technologies are leaning towards less control on the lower technological stacks, which highlights how controlling data access and usage will only become more business critical. Your business assets are just one mistake away from every hacker in the world. Your permissions should be aligned with your business evolution at all times, not just for a few months.
Cybersecurity and digital business risk management: Two sides of the same coin
Organizations are investing significantly in digital transformation. This is a prudent decision, considering the business value implications and the benefits to stakeholders.
As they transform, these organizations have the option of integrating security prior to implementation, or to fail to do so and repeat the mistakes of the past. The effectiveness of transformation is limited by how resilient its structure is against the threat environment. From the board and C-suite to line managers, all business leaders are responsible for managing risks and protecting next-generation information systems. While they may not need to know how to configure a secure cloud, they do need to know how to keep the enterprise accountable for expectations, and that includes all the considerations discussed above. The question is, who and what will be ready to help them navigate through these complexities?
Ultimately, cybersecurity should be a strategic consideration, discussed at the board level prior to considering a digital transformation.
For more information on how you can boost your organization’s cybersecurity and overall digital transformation, please reach out to us.
About the authors
Global CTO for cybersecurity products, distinguished expert and member of the Scientific Community
Coming from an Information Technology engineering background, with 18 years’ of experience in information security, Vasco has helped many customers balance operational constraints versus acceptable business risks. In the recent years he has expanded this experience to help customers look into what the information security landscape might be in the next 5 years+ and best way to manage it. During innovation workshops, he shares with them some keys to anticipate the future shape of cybersecurity and maximize sovereignty over their most critical data.
Using those customer interactions and by continuously monitoring major technological trends, Vasco influences Atos cybersecurity services and products roadmaps, as well as partnerships, mergers and acquisitions.
Head of Cloud and Innovation, Global Digital Security Consulting, Atos
Dan Schaupner has been with Atos since 2017 and brings two decades of experience to his leadership of consulting activities. Previously, Dan was CTO at a Washington DC risk management firm, advising the U.S. government on cloud security (FedRAMP/Trusted Internet Connection). During his career, Dan has advised business and technical leadership in many industries including finance, healthcare, higher-education, manufacturing, and others. Dan is a graduate of the Atos Gold for Technology Leaders program, member of the Atos expert community, and provides mentorship to the Atos FUEL program for emerging professionals. Dan holds an MBA from Virginia Tech, an Engineering Bachelor’s degree from the University of Michigan, and CISSP and CISM certifications.
Interested in next publications?
Register to our newsletter and receive a notification when there are new articles.