A QUESTION AND ANSWER SESSION WITH: RYAN KING, VICE PRESIDENT, SERVICES, SDLC PARTNERS and CHRIS HART, DIRECTOR, CYBERSECURITY, CYLUMENA
In January, a Frost & Sullivan study revealed that 60 percent of retailers had put their digital transformation programs on hold due to fear of cyberattacks.
According to that same study, 56 percent of those organizations had either experienced a security incident (27%) or were not sure whether they had experienced one because they hadn’t checked (29%).
We brought together Ryan King from the SDLC Partners’ digital transformation solutions team and Chris Hart from our sister cybersecurity company, CyLumena, to discuss this concerning trend.
Q: Ryan and Chris, what do you see as the most relevant issues organizations should address related to Digital Transformation?
Ryan: Transforming shouldn’t mean that they move away from best practices. Transformation really means looking at your enterprise from a digital angle: different market angles, change the nature of your value chain, disintermediate the expensive parts or plug in new parts.
Chris: Any organization that embarks on a real digital transformation (not just point updates) is looking at revolutionizing the tech sphere or leapfrogging to the next generation of technology. If the organization doesn’t have a solid software development lifecycle that takes information security into account, it will run into serious challenges.
Ryan: One issue is that many approach transformation reactively once the tech is out in the world and many folks use it in different ways. Starting with a prescriptive, multi-factor view of security and transformation, together, yields a more comprehensive view of opportunity and risks to be addressed.
Q: Ryan and Chris, what do you both see as the most relevant issues that organizations should be addressing now related to cybersecurity?
Ryan: There’s a tension. IT folks are reticent to change things because it’s risky and a possible loss of control, and the development army wants to break (aka transform) everything. They’re both right. Yet, a lifecycle approach can satisfy both aims – progressively drive for change while ensuring the technology is scalable, secure and productive.
Chris: More often than not, security concerns related to digital transformation come from the thought that “we don’t have our ducks in a row.” Of course, no one wants to lead transformation that will get their organization written up in the WSJ for a major breach. A strategy-first approach to digital transformation takes data security into account from the first meeting.
Q: Ryan and Chris, how should organizations approach this marriage of digital transformation with information security?
Chris: Previously, application security meant a gate review at the end of a PMO, but no longer. Security controls should be built into the requirements phase. As you transition from business requirements to tech requirements, you’re addressing data privacy and security needs.
Ryan: Yes, and, back then, core technology and systems used to be built into the tech, like claims and banking systems. They were in a self-contained world. But, now, I have a “piece of glass,” and behind it I have a lot of fungible processes. That requires a new view of security.
Q: Ryan and Chris, what advice do you have for organizations that are holding back their digital transformation due to data security concerns?
Ryan: I would say that the number-one need is to have a formal cloud strategy and inventory of how you and partners are using the cloud. It’s the biggest blind spot that is tripping up companies, especially from a data security perspective.
Chris: People look at the big movement to the cloud and think, “we’re just moving boxes.” But, it’s much more. The native fabric (microservices) of the cloud is functionally very different. SLAs for security can vary widely based on many factors, and security must be built into the lifecycle from the beginning.
Ryan: Some CIOs decree, “We’re not doing cloud!” But what they don’t consider is that their partners are already using cloud. Their breach is your breach.
Q: Ryan and Chris, how can an organization feel more confident about creating secure, scalable digital products and experiences for their consumers?
Chris: Understand your security maturity. Have a clear view of how to become a really good security organization. Security enables the business to do what you want to do that you couldn’t without security. Good infosec controls enable good business strategy.
Ryan: In general, growing pains come with digital transformation in a modern data security ecosystem. You never want fear driving your business.
Lastly, I’d say that you must accept risk and build failure into the system. What does failure mean and how can you do all that you can to take control? Certainly, fear won’t stop your competitors!