Every organisation wants to accelerate their digital transformation to remain relevant in today’s fast-paced business environment, and to also remain competitive. However, in the push to do so, this may come at the expense of security practices, which have been well-established by IT teams. The push to adopt digital transformation initiatives is prompting many companies to accelerate their adoption of cloud technologies. That, in turn, threatens to disrupt some well-established security practices.
With businesses looking to scale-up in their digital transformation, more will be spent on emerging technologies. It is predicted that digital transformation-related spending on technologies and services in the Asia- Pacific will reach US $375.8 billion in 2019, steadily increasing through 2017-2022 with a growth of 17.4 percent.
However, in the race for digital transformation, security cannot be an afterthought – and organisations in the region need to align it along with their goals. A staggering 35.9 percent of the global number of cyber security events in the first half of 2018 happened in the Asia-Pacific region, and this constituted the highest region in the world.
The goal is to strike just the right balance between innovation and a secure, governable enterprise. So, how do you go about that? This article looks to offer four strategies that we’ve seen proven effective in helping security professionals be more responsive to the business -- without compromising on strict security needs.
1) Security should be an integral part of digital transformation – not an afterthought
The latest cloud application or disruptive technology is so critical to business success that it will be implemented by the business come hell or high water. That often means security is brought in as an afterthought, or worse, after the fact.
Bringing security midway into projects already in motion often results in barriers and obstruction, counteracting the very motivation for digital transformation. This disrupts projects, grinding them to a halt, and no one is better off.
The better approach is to have security at the table from the beginning, allowing new technologies to be deployed in a manner that is both transformative and secure. Moreover, users and the business can benefit from the new technology conveniently, without additional risk. Here are security practices that can strengthen digital transformation projects:
1. First, leverage existing secure authentication methods wherever possible rather than creating a disjointed user experience requiring multiple authentication attempts, passwords – and spurring users to find insecure workarounds. The result is user enablement, increased operational efficiency, reduced risk, and a default to doing the right thing, i.e. remaining secure.
2. Similarly, extending established authorisation profiles to new applications (as opposed to defining authorisation independently on each application) streamlines the user experience, minimises risk, and removes one of the major barriers to successful digital transformation – security that obstructs business objectives.
3. Finally, implement an adaptive, risk-based approach that only requires additional security assurances when the situation warrants it. Often the kneejerk reaction to a new application is to place a barrier (such as a VPN or multi-factor authentication) in the way of user access, which is heavy-handed and often results in disgruntled users finding ways around the security measures. Instead, use an adaptive approach that considers a variety of risk factors (such as location, time-of-day, behaviour patterns, and role) and secure only when needed.
2) Don’t let Shadow IT cast a shadow over your business
Shadow IT is so ingrained in digital transformation that the two have almost become synonymous. But it doesn’t have to be that way.
The reason IT is kept out of the loop when line-of-business users adopt new technologies is not because they do not want them to know, but the fact that they do not want to receive a “no” response.
Therefore, the success is for IT and security teams to work with colleagues to enable and empower them, instead of approaching them with an attitude of denial and restriction.
The theme for security professional to keep in mind is that it’s all about communication and working to prove themselves as partners.
• Take more interest in the operations and objectives of a project – rather than simply focus only on a project’s vulnerabilities.
• Find out what the line-of-business is working on, uncover their concerns and goals, and insert yourself as an ally—rather than a killjoy there to shut them down.
• For example, if provisioning encompasses all systems, uses a unified authorisation, and empowers the line-of-business to do much of the work themselves (rather than having to rely on IT), “yes” becomes the default answer from security rather than the exception.
3) Stay away from silos
The knee-jerk reaction to the introduction of a new technology is to look at it as an island, unrelated to the rest of the enterprise. Securing this island is easy—you implement the best authentication, iron-clad authorisation, and purpose-built administration of users and access.
Following the second point I’ve made above, IT teams should collaborate with their colleagues. Around with the spirit of digital transformation, islands should talk to and work with one another.
Without that vision, you will end up with too many passwords, role-bloat, and the need for IT to get involved any time anything deviates from the norm, and the risk of increased costs due to inconsistent and duplicated administration efforts. Nothing could be further from the essence of digital transformation.
Here are some ways we’ve found to implement these for new applications or services in a manner that reduces complexity, avoids redundancy, and streamlines administrative activities:
• Seek to provision once (and while you’re at it, let the line-of-business drive),
• Establish a single source of the truth for roles and authorisation that applies across all applications (legacy, cloud, whatever),
• Automate as much as possible with orchestrated processes and a high level of self-service.
4) Implement an identity-centric security approach
Digital transformation may be great for the business – but unless IT and security are looped in and part of the process, projects can extend the threat surface. Expanding new technologies, including cloud and mobile solutions may exacerbate risks which will ultimately hurt business goals.
Think of digital transformation and security as two sides of the same coin. Security professionals must adapt to the need for speedy digital transformation projects to empower the business. Businesses must come to the realisation that a cool new app, if broken into, could kill not just the project, but the company.
Identity should be the new perimeter with rock-solid authentication, and a clear indication of who should have access to what. This will mitigate negative impacts when an inevitable breach occurs, and also make it easier to detect bad actors.
When the correct stakeholders have the appropriate access to the right systems in the right ways, the true potential of digital transformation can then be realised. Business objectives can be achieved, with a thriving and happy workplace, all without an increase or decrease in the risk levels of security.
Check this out: Top Enterprise Security Startups in APAC