How and why digital transformation needs cyber resilience

The pace of digital transformation accelerates with a focus on resilience, agility, and operational efficiency. End-to-end cybersecurity is an essential transversal part of each digital transformation strategy (or, at least, should be).

Yet, the acceleration of digitization and digitalization calls for more: cyber resilience. Here is why digital transformation and cyber resilience go hand in hand. What is the most direct link between digital transformation and cyber resilience? Simply put, more transformation means more attacks and more complex risks. Yet there’s more.

Cyber resilience isn’t just about cybersecurity; it’s about business continuity in case of cyber incidents in an increasingly digital – or hybrid – business environment where data and connected ecosystems play a crucial role.

From your extended supply chain to your organizational structure, your business success depends on end-to-end resilience, but it only takes one vulnerability to trigger a massive service failure.

The impact of increasing digitalization shows in the growth of the volume of data that is created and consumed each year (with volume being one of the V’s of big data). At the end of 2018, research firm IDC said that the global datasphere had reached 33 zettabytes (ZB) of digital data in that same year. In 2020, including the impact of COVID-19 on digital transformation, the global DataSphere is expected to reach more than 59 zettabytes of data. Through 2024, it is poised to expand with a five-year compound annual growth rate of 26%.

At the same time, the amount of data being stored (utilized storage) is expected to grow to 8.9ZB by 2024, representing a 2019–2024 CAGR of 20.4%. This growth goes hand in hand with an ongoing shift to cloud storage, which impacts the mix and share of the installed storage base between core, edge, and endpoint.

Digital transformation and resilience – defense alone isn’t enough anymore

Digital has such an important place everywhere in our lives, organizations, and society that the traditionally defensive and responsive approach of cybersecurity alone doesn’t cut it anymore. Here are a few examples of why and how cyber resilience and digital transformation should go together.

The attack surface continues to grow, and just defending against breaches isn’t enough when data, digital infrastructure and applications move to the center of business and society as they clearly have been doing. Moreover, the nature of cyber risks changes with hacks and breaches often having hugely impactful consequences. Whether we like it or not: we are at an inflection point and need a more holistic and strategic approach which cyber resilience offers.

Digital transformation inherently brings with it new risks that may have been previously unforeseen or that may have complicated the risk profile of well-established business processes (IDC).

Of course, each business is different, and not all data, infrastructure, applications, systems, and source code are equally mission-critical or valuable for your organization. On the other hand, access to some seemingly less critical systems can serve as an entry point for cyber criminals in times where everything is connected, and one human or technical error can lead to crippling attacks – again that holistic aspect.

Before looking at how to tackle the challenges and the steps that you can take now, let’s take a look at what’s happening in our digital economy and cyber crime – and why cyber resilience matters for digital transformation.

Cyber resilience and digital transformation - drivers of risk in a digitized world

Cyber resilience challenges behind digital transformation evolutions

  • Organizations rely more on digital services, with an apparent acceleration in 2020. This also goes for government bodies and regulators that push the digital agenda of our businesses. Digitization and digitalization put digital technologies and platforms in all aspects of business, society, and our lives.
  • The acceptance of digital tools and platforms among consumers and workers has grown across the board with 2020 again as a pivotal year. A new generation is also entering the workforce, making the need for flexible work methods higher, and a demanding generation of consumers expects systems to be up and running at all times.
  • With 5G coming our way and the Internet of Things being leveraged for smarter and safer spaces, workplaces, and even smart cities, new possibilities and opportunities emerge, but at the same time risk further increases.
  • The potential impact of adverse events such as cyber attacks on business continuity and the ability to keep essential processes working, regardless of the issues we encounter, can be more dramatic on our business overall than ever before. Cyber incidents become more complex, interconnected, and impactful with more sophisticated attacks as organizations up cybersecurity efforts.
  • Innovative – collaborative – approaches and digital transformation of business are accelerating. Technology complexity is increasing with hybrid IT, multi-cloud approaches and increasing complexity of technology ecosystems with API-based architectures.
  • In the industrial domain, the convergence of IT and OT on the path towards Industry 4.0, the rise of Industrial IoT, and the digital transformation of utilities and other areas where critical services for society are concerned make the challenges ubiquitous: the attack surface is much larger as everything gets connected, and the impact of attacks can be disastrous. Industrial cybersecurity is one of the greatest challenges of our times.
  • Digital business occurs in highly interconnected ecosystems with data, systems, supply chains, business processes, and innovation expanding beyond the company. Growing volumes of data with more sources increase the attack surface as data is shared and leveraged across organizations.

Adverse events inevitably happen and will continue to occur in this increasingly digital world. The question has shifted from ‘if’ a cyber attack will happen to ‘when’ it will. Given the crucial role of data and digital assets in the core business process, it becomes a strategic business imperative to look at ways to protect data, which has become a business asset on its own, prevent business interruption, and keep the lights on at all times.

An effective cyber resiliency strategy is one that enables organizations to orchestrate 1) a quick analysis of and 2) response to a cyber attack for optimal business recovery.

Organizations must be able to restore critical servers, platforms, data, and applications within minutes, if not seconds, of any disruption to meet the expectation of continuous business operations.

If your business becomes more automated, future-proof, data-driven, digitally transformed, and in the end, a digital business, then the ‘digital’ part becomes core in your business and needs to be protected as a vital asset.

In other words: it’s time to get cyber resilience on the corporate agenda and add layers of risk management, disaster recovery, business continuity, cyber insurance, and next-level cybersecurity strategies and approaches to survive and thrive in times when cyber incidents do happen and can have a significant impact on your bottom line and brand.

Unfortunately, as multiple attacks have shown, the awareness regarding the importance of making sure data and systems are seen and protected as crucial business assets isn’t always what it should be. And, even if it is, all too often, basic mistakes are made on a level of cybersecurity. It’s another reason to make security part of a broader cyber resilience approach that involves the necessary stakeholders and looks at all possible scenarios and risks.

The increasing role and complexity of your IT environment

Information technology undoubtedly plays an ever more critical role in your business too, regardless of where you are in your digital transformation strategy journey, the industry you’re in, or the size of your business. Data and the applications leveraging them are omnipresent within your company and across the ecosystems of which it is part.

In this expanded digital universe, the demands of your customers and workers have changed. We live in an always-on society, and people expect real-time connected services, with some platforms being essential for your core business and bottom line. Now that people are expected to work even more remotely than before, and consumers use more digital tools as a consequence of COVID-19, the number of applications and people accessing your data from outside the company walls only continues to grow.

Data is the glue that connects it all and has become a critical business asset that enables you to create value and run your business. It gets accessed, created, shared, stored, and captured across ample networks and systems, all with their strengths and risks. Your data doesn’t just drive the decisions that significantly impact your business; it’s also crucial that you have access to your data anywhere, anytime in today’s hybrid IT environment.

Digitally transforming businesses become more dependent on the digital realm and – thus – a more substantial portion of business is lost in case of a breach.

While data and IT are essential, and your IT infrastructure expands and becomes more hybrid with the omnipresence of cloud computing and the cloud becoming core, it also becomes more complex and challenging to overview with information needing to be accessed by various people for different reasons across different applications and places.

Merely knowing where all data sits is a daunting challenge in this context. Being able to understand where confidential, sensitive, and less critical data lies – so you can prioritize how you protect what – is even harder. And backing up data and information seems like an impossible mission as a consequence. Yet making sure that your platforms run and you have your data backed up and protected at the same time has become a necessity. The inability to recover applications, business processes, and data within set recovery objectives can lead to revenue loss, reputational damage, and regulatory penalties.

Traditional backup and restore approaches don’t suffice, nor do the disaster recovery strategies which you might already have in place. The stakes are too high, and the complexity of IT requires a different approach. Moreover, cybercrime is big business as digital is at the very center of your business.

The holistic and highly dynamic nature of digital transformation and cyber resilience

Perhaps one of the most important reasons why digital transformation and cyber resilience go hand in hand is the fact that digital transformation has always aimed to be a holistic given, rather than automation and ad hoc projects.

This holistic dimension doesn’t just play on a level of information and data (removing silos), people and processes, organizations and ecosystems, etc. It also plays on a level of your attitude and culture with regard to what matters most and the protection of data and systems enabling all stakeholders to thrive.

The concept of a connected enterprise becomes critical when assessing business resilience (IDC).

And then there are, of course, the more pragmatic reasons why digital transformation and cyber resilience go hand in hand. These are mainly related to costs, direct or indirect, in times when trust is essential, cybercrime has become big business, and regulations only show how important data protection has become.

It is clear that having a holistic cyber resilience approach, including measures to recover fast, is inevitable for organizations, large and small. Believing that cybercriminals only go after large organizations is a mistake one needs to avoid in this context.

In past years ever more organizations have taken measures to enhance cybersecurity and become more cyber resilient. The problem, however, is that as organizations invested more, attacks also became even more sophisticated. Many companies believe that they are sufficiently protected, resilient, compliant, and more or less prepared. But to what degree are they indeed? Cybersecurity and cyber resilience are highly dynamic domains that require attention as cybercriminals are always seeking and finding new loopholes in the protections that organizations have implemented.

The dynamic and evolving need to look at cybersecurity and cyber resilience measures is also related to the highly dynamic nature of digital transformation and what your organization does in this regard.

Digital transformation ecosystems and cyber resilience across connected supply and value chains

Moreover, your business is part of an ecosystem with ample partners who also need to be part of your strategy and this ecosystem reality is another reason why digital transformation and cyber resilience must be approached from a broad business perspective, including your partner ecosystems.

In February 2020, Accenture announced the third edition of its annual State of Cyber Resilience report, identifying a group of so-called cyber resilience leaders. While the report also found that investments in advanced cybersecurity technologies have grown and the basics of cybersecurity are improving, the risks that target weak links in the supply chain have increased. Forty percent of security breaches per the report were indirect attacks targeting these weak links.

Kelly Bissell, who leads Accenture Security globally, commented: “The sizable number of vendor relationships that most organizations have poses a significant challenge to their ability to monitor that business ecosystem. Yet, given the large percentage of breaches that originate in an organization’s supply chain, companies need to ensure that their cyber defenses stretch beyond their own walls.”

Large organizations, in general, tend to invest more in further-reaching digital transformation initiatives, leveraging a mix of technologies such as the Internet of Things and the like, which all offer benefits but also add to the risks. Yet, even if your transformation efforts are limited, it’s clear that traditional cybersecurity approaches don’t cut it anymore. Each business creates and/or uses applications whereby data and services are external and go beyond the good old perimeter as we’ve known it for so long. And each organization and industry is on a path of digital transformation.

The inability to recover applications, business processes, and data within the business set recovery objectives can lead to revenue loss, reputational damage, and even regulatory penalties.

As IDC states, digital transformation challenges our traditional views of business resilience, and the fact that data has become so essential for our businesses means that we need to include more people and broaden our approach. Truism indeed. Digital transformation and cyber resilience really go hand in hand.

More on digital transformation and cyber resilience

Want to know more about cyber resilience and how it’s related to digital transformation, risk management, cybersecurity, and business continuity? Below are a few additional articles, including a look at what some large companies that embed cyber resilience in their digital transformation strategies do better.

Cyber resilience and business continuity: definition and introduction

How cyber resilience has become more critical over the years from the perspective of business risks and cyber incidents.

Cyber resilience - cybersecurity and business continuity - source and courtesy DRI via Twitter

This introduction to cyber resilience shows how digital transformation and innovation have been perceived as business opportunities and risks by risk management experts and how cyber incidents have moved up to the first spot in global business risk perceptions. It further provides a cyber resilience definition and an introduction to a cyber resilience lifecycle approach.

Cyber resilience leaders: what they do differently

Large organizations tend to invest more in large digital transformation projects that include multiple technologies and leverage the power of ecosystems.

In its third annual State of Cyber Resilience study, Accenture looked at organizations with annual revenues of at least US$1 billion in 16 countries. The study, released in early 2020, identified a group of cyber resilience leaders. They perform better in areas such as finding breaches fast, fixing those breaches, reducing their impact, and stopping more cyberattacks altogether.

One of the characteristics of cyber resilience leaders: they invest in the capability of moving quickly and train people better. These are also typical traits of organizations that do better in digital transformation.

Accenture Security recommends three actionable steps that organizations can take to be more like cyber resilience leaders