Tackling the cybersecurity maturity challenges to succeed with digital transformation

If enterprise IT and digital technologies play such an important role in digital transformation, then why are there such cybersecurity gaps?

Security teams get involved in digital transformation projects too late or not at all. The reasons and consequences are multiple – time to transform your security approach.

Why are there gaps between the reality of cyberattacks, cybercrime and awareness of the crucial role of security on one hand, and preparedness and the degree of cybersecurity maturity on the other? Is security missing in digital transformation projects? Is it being tackled too late? And, if so, why? A look at some eye-opening findings and at the reasons for the gaps between preaching and practice.

The board is concerned about cybersecurity maturity – but lip service is not enough

The digital crime gap infographic which we mentioned in another article is far from the only one showing these gaps.

ISACA, previously known as the Information Systems Audit and Control Association, found that 82 percent of respondents “report that their enterprise board of directors is concerned or very concerned about cybersecurity” in its “State of Cybersecurity – Implications for 2016” report, conducted with the RSA Conference.

And, although it also found that executives are more supportive and active regarding security policies and practices, the reporting structure for security didn’t mature. Only 21 percent of CISOs (Chief Information Security Officers) report to the CEO or board. Moreover, executive teams don’t always set the best example: only 43 percent of executives are reported to follow good security practices themselves, the report says.

Executive team support to cybersecurity risk mitigation – Cybersecurity – Implications for 2016 – RSA Conference and ISACA

There is plenty of similar research, but there is also reason to be optimistic: leadership awareness of cybersecurity is rising, and ever more senior information security professionals approach information security as an enterprise risk-management issue and communicate information security risks and strategies directly to executive leaders (42.74% and 42.91% respectively), as PwC’s “The Global State of Information Security® Survey 2016” found. On the other hand, this means that for the rest this is not (yet) the case.

The business role of the information security professional – source The Global State of Information Security 2016 PwC

Security maturity and optimization: perception versus reality

In the 2015 edition of its Annual Security Report, Cisco noted that the gap between the security reality for IT (and the business) on one hand and the boardroom’s perception of security on the other is still significant and needs to be bridged.

While almost two-thirds of CISOs feel their protective processes are optimized as well as possible, less than half of SecOps (security operations) managers agree with this statement. Note: as said, many CISOs report to the CIO, who tends to be more concerned about the IT aspect than the CEO, to whom relatively few CISOs report, as mentioned earlier.

The Cisco report also shows that while 90 percent of organizations feel fairly confident about their security approach, their past breach record doesn’t really reflect that. It shouldn’t be a surprise that organizations with the best security setups and strategies also have executives who understand that cybersecurity is an essential business priority in this digital day and age.

Why cybersecurity maturity isn’t what it should be in the digital business and transformation reality

The question remains: why these gaps? As usual there are many reasons. Below are a few of them – and ways to address them.

Security as a must – that we’d rather avoid

Let’s face it: everyone thinks security is critical but few people like to be confronted with it, let alone “see” it in the devices and platforms they work with.


The user experience matters. Performance and agility matter. And, yes, security matters, as long as it doesn’t affect these other factors. That is probably why we should think security first in our transformation and digitization efforts too, and why, from a holistic vendor perspective, security is increasingly being built in everywhere.

Still, many organizations keep steering away from the issue of security and avoid being confronted with it, despite saying it’s crucial. A mentality shift is needed. In the digital transformation reality the focus is largely on speed, optimization, automation, innovation and all those other – intermediary – goals. But it should also be on security (and of course compliance). If we want to reap the full benefits of transformation, innovation and digitalization, we also need to take that crucial security part into account, because without it we forget the fundamentals, now more than ever. Security is a must. Period. And we need to stop looking at security as a cost center or from an archaic perspective.

Security as the enemy of digital transformation

Digital transformation is about change, agility, speed, connectivity, the real-time economy, customer expectations, disruption and all those “hot” things we just mentioned. In the eyes of many, security stands in the way of all this.

More than 3 in 4 (76 percent) of respondents believe security is brought in too late to digital transformation initiatives.

It’s about rules and regulations, protection, defense (even if in reality cybersecurity is becoming proactive and offense-oriented), training, awareness, boring stuff (to some) and a layer that some believe slows down the “sexy” digital transformation initiatives.

Marketing wants a new way to transform how it markets, serves customers or optimizes customer experience; it doesn’t want security poking in there. Well, that too is unfortunately no longer an accurate view. Security experts know very well that users don’t want experiences, speed, innovation and performance affected by security solutions. Guess what: they don’t have to be (anymore), and security can even be delivered from the cloud. Still, security tends to get called in quite late in digital transformation projects. That’s also what research by Dell and Dimensional Research found. According to the research, a majority of respondents feel that the security team gets involved in digital transformation projects too late. Among the reasons: executives are afraid that their digital transformation efforts could be blocked by (the intervention of) security. That doesn’t seem like a valid excuse to us, at least not with today’s security solutions and certainly not by pretending security isn’t crucial.

Security and the technologies of the digital transformation economy

With the research from Dell and Dimensional Research we also enter the arena of technologies and IT domains where digital transformation often takes place.

And it seems that the relationship between security and some of these technologies is not always great. Initiatives in the space of the Internet of Things are probably among the most ‘obvious’ ones. However, they’re not the only ones. While 97 percent of respondents say they invest in digital technologies such as mobile (or better: mobility), cloud applications and infrastructures and the IoT, only 18 percent say security has been involved in all mobile, IoT, cloud and self-service initiatives. Ouch, especially as, according to the research, digital transformation can be accelerated by bringing security in earlier.

Other reasons why cybersecurity maturity and strategy are lagging behind

There are plenty of other reasons why cybersecurity maturity isn’t what it should be and why a strategy that enables the business to optimize and transform is lacking. Many of them have to do with cybersecurity and security overall; several, however, can be tied to DX (digital transformation) evolutions and goals. Among them:

Security requires strategy and prioritization

Security isn’t always easy, and it does not start by adding security controls but by prioritizing the most critical processes, systems and potential sources of attacks or vulnerabilities. Needless to say, in the realm of the Internet of Things vulnerability risks increase. So security needs a strategy, and that is of course harder than adding a few firewalls.

The business case challenge of cybersecurity


It’s harder to make the business case for security than it is to, for instance, make the case for a digital transformation project regarding the digital workplace, collaboration or customer experience. You’re analyzing risks and dealing with the unpredictable. Rather than looking at recouping costs, it’s sometimes better to factor in the losses if you fail to properly secure what needs securing. The problem is that you only truly know it when it happens and your business is interrupted, data stolen, compliance requirements breached or reputation down the drain.

Specific security skillset challenges

Skills are another one. It’s true that for many large organizations it’s harder to find the right security experts for specific applications, also in a context of digital transformation where loads of data are often involved and rather new technologies surface. But the shortage is an overall challenge (and there are partners to deal with it).

Security on the level of the user in a mobile age

The security perimeter has changed, as you know and as we mentioned. The cybersecurity perimeter is now a bit everywhere, the attack surface has grown, and good old point solutions or firewalls alone don’t cut it anymore; in a digital transformation context, protection at the level of the mobile user is a must.

The critical – but undervalued – role of data and information in transformation

The role of information and data, critical in digital transformation, is still all too often undervalued. Data and information are the lifeblood of the business and a source of revenues and new business models. In fact, the DX economy is essentially about 3 things: people, purpose and actionable information, regardless of the source. Unfortunately this isn’t reflected enough in the cybersecurity maturity levels of many organizations, nor in their compliance and/or governance measures, for that matter. According to the 2016 Ponemon Institute Cost of Cyber Crime Study infographic, information loss accounts for almost 40 percent of the damage of cyber crime, and companies with an advanced information governance program reduce losses by $1 billion annually.

The cost of cyber crime in 2016 – 2016 Ponemon Institute Cost of Cyber Crime Study

There is more, much more, regarding cybersecurity challenges in a DX context and regarding cybersecurity maturity, strategy and transformation as such. We’ll cover it in more blogs (sign up for the newsletter to stay tuned).

However, if you want digital transformation to succeed, changing the mindset, strategy and maturity regarding security is a must.

Involve security from the very beginning, make it embedded, look at data protection and privacy as assets and strengths instead of costs, and give the CISO or other security executive a place at the table. In case you doubt it: yes, CISOs are also expected to generate new business opportunities. But that’s for another article.

J-P De Clerck
J-P is the founder of i-SCOOP. Born and based in Belgium, he likes to share information, thoughts, inspiration and anything regarding the convergence of marketing, management, customer-centricity, publishing, digital technologies, psychology, transformation, optimization, media and IT – in the hope it serves you. The mentioned areas are those he has been active in since 1992 as a marketer, a consultant, a publisher and a trainer. Connect on Twitter via @conversionation or on LinkedIn.