Digital Transformation: what it means for cybersecurity from a defender’s perspective
To stay competitive, and to keep growing, evolving and innovating at the same time, corporations around the globe are turning to digital transformation. A new generation of successful companies such as Google, Amazon and Netflix leads this space; in doing so they have disrupted the market and pushed every legacy company down the same path.
Digital transformation reengineers existing business processes and changes culture and customer experience through digital technology. Essentially, it is about reimagining the business in the digital world. Technologies such as SMAC (social, mobility, analytics and cloud) are being adopted by most companies, irrespective of size and scale, to capture the benefits of digital transformation and turn it into a business differentiator.
Broad characteristics: A recipe for the attackers
Transformation, in general, is not easy to achieve. Digital transformation is particularly challenging because it not only changes business processes but also massively changes the technology architecture, and both changes have a substantial effect on organizational culture. A few characteristics of digital transformation with significant implications for cybersecurity are as follows:
- A larger attack surface because of large-scale digitization
- Increased use of open-source components, which increases software supply chain risk
- Moving digital assets to the cloud reduces security visibility and creates compliance challenges
- A larger internet presence further expands the attack surface and complicates access control and real-time monitoring
- Allowing device- and network-agnostic access to the corporate network from anywhere creates challenges in identifying users and devices and in protecting data
- Integrating SecOps with DevOps remains a major challenge, both in technology integration and in the availability of appropriate security skills
- The democratization of technologies such as blockchain, AI and ML increases their adversarial use
Over and above all this, there is a perceptible increase in spending on security. Stakeholder concerns about return on investment (ROI), cybersecurity performance and, above all, cybersecurity governance have therefore increased as well.
All these characteristics are necessary evils, and each poses a cybersecurity risk to the enterprise.
Trade-offs for the defenders
There is a pressing need for us, the defenders, to be cognizant of these risks and to prepare our de-risking strategy well in advance, because, as they say, “a stitch in time saves nine.” All security controls are essentially trade-offs against growth, convenience, performance and privacy. A delay in security clearance may delay a product rollout, which leads to business loss. Similarly, introducing multi-factor authentication for applications may affect the user experience, and any in-line or intrusive security control affects performance to some extent. Capturing biometric identifiers for strong identification, or capturing customer personally identifiable information (PII) for a better customer experience, creates privacy and non-compliance risk.
The essence of the de-risking strategy is managing these trade-offs effectively and efficiently.
Striking a balance: An opportunity that should not be missed
It sounds like a difficult task for defenders to ensure that the digital transformation journey remains secure and keeps residual cybersecurity risk within what the enterprise is willing to accept. However, it really isn’t.
All that is needed is to partner in this journey and to position cybersecurity as a business differentiator. Fortunately, because of many high-profile cyberattacks, the consequent business losses, and evolving legal and compliance requirements, the importance of cybersecurity controls is now understood and appreciated by all stakeholders, including board members. It is time for us to leverage this opportunity and strengthen our position as a business partner in the digital transformation journey.
A few quick prescriptions
Do not view these recommendations as silver bullets, but rather as bootstrapping prescriptions.
- Assume that all digital assets will be in the cloud in the near future, and focus the entire control strategy accordingly
- SecOps should be integrated with DevOps immediately; security-as-code plays a major role in this integration
- Adopt software composition analysis (SCA) solutions quickly so that the supply chain risks that come with open-source components can be managed
- The traditional security operations center (SOC) needs to be transformed into a cyber defense center (CDC) with more emphasis on threat hunting, threat intelligence, orchestration and improved situational awareness
What next? A new cybersecurity architecture
We find ourselves in very exciting times indeed! We are all working to build a next-generation cybersecurity architecture that is cloud-native, resilient, forward-looking and transparent. Some of its notable high-level features are as follows:
- Strong identification, so that authentication decisions can be context-based
- The same cybersecurity controls available on-premises are extended to the cloud
- Continuous risk and threat monitoring at all layers, with an appropriate feedback mechanism
- Coordination among all cybersecurity controls, leading to efficient orchestration
- Cybersecurity controls are part of a “shift-left” strategy
- There is a clear strategy to invest in hiring and retaining cybersecurity talent
[Disclaimer: The views expressed in this article are exclusively my own and should in no way be construed as the views of my employer]
About the author
Dr. Durga Prasad Dube
Executive Vice President, Head of Cybersecurity, Reliance Industries Ltd
Dr. Dube has more than 30 years of experience in senior management positions across public, private, academic and research organizations, with diverse industry exposure. He is currently Executive Vice President and Head of Information Risk Management at Reliance Industries Ltd, a global Fortune 500 conglomerate. Dr. Dube served the Reserve Bank of India (RBI), the country’s central bank, for more than 20 years in various senior roles, where he managed large assignments in both the IT and business domains. From the Reserve Bank of India he was also deputed to IDRBT (Institute for Development and Research in Banking Technology) as faculty and head of consulting services, and laid the foundation for all of its information security and audit-related projects. During the formative years of core banking adoption by banks, he advised many major banks in India on the design of their information security frameworks, which have stood the test of time. As a Diamond Jubilee Overseas Banking Research Fellow, he visited all major global financial organizations in the USA and UK and produced a report comparing the IT assurance practice of the USA and UK with that of India; most of his recommendations have been put into practice by banks in India. His book “Information System Audit and Assurance”, published by TATA McGraw Hill in 2005, is widely acclaimed. He has also authored research papers on internet banking, cyber security, cyber security maturity models and related topics, published in refereed journals and conference proceedings.