Digital transformation: 3 ways to manage security risk
How can IT leaders manage the security risks associated with digital transformation without becoming the department of “no”? Deloitte recommends these three strategies
Any digital transformation project carries with it potential cybersecurity risks. A big data analytics project may offer unprecedented insights, but it also means amassing volumes of data that could be a target. Mobile apps for consumers and employees allow a company to innovate, at the risk of creating another opening for hacks.
The rapid adoption of digital innovations by consumers and businesses is creating both opportunities and risks, as Deloitte explains in its Managing Risk in Digital Transformation report. Cybersecurity and privacy are prominent among those risks, although Deloitte covers others such as execution risk (the risk of sinking money into digital projects that never launch or go wildly over budget) and third-party risk (depending on reliable partners).
With the recent revolution that started in manufacturing and supply chain, the report states, “we are already seeing the application of new technologies, including robots, the internet of things (IoT), artificial intelligence (AI), cloud computing, predictive analytics and blockchain rapidly changing the way many companies design and curate experiences, manufacture, distribute and service products.”
These innovations are causing more data to flow in more ways, inside and outside the organization, incorporating ever more of the world we live in into a “physical-to-digital-to-physical loop.” Protecting that data at rest and in transit, and enabling investigation in the event of fraud or a security breach, are huge challenges, the authors observe.
That is no reason to halt digital transformation – which most of us couldn’t do if we tried – but it means we must manage the risks to maximize positive transformation.
1. Aim for “yes, and …” rather than “no, but …”
The principle of “Yes, and …” comes from improv comedy and is also often recommended as a rule for life, leadership, and creativity. The idea is that when your improv partner throws out an idea, no matter how silly, you never simply shoot it down. Instead, you find a way to build on it and make it better.
You can see how it works in this dialog between Tina Fey and Eric Schmidt at a Google event, following the release of her book "Bossypants." He kicks off by saying (with finger cocked), “Stop, I have a gun,” and she replies, “The gun I gave you for our wedding anniversary! How could you, Eric!” They’re off to a good start until he says, “We’re not married.”
Point is: “yes, and” keeps the conversation going, whereas denying the premise kills it. Security professionals need to be in the conversation about digital transformation if they want the opportunity to raise objections and address them.
Gideon T. Rasmussen, a consultant on cybersecurity program design and assessments based in Charlotte, NC, warns that security organizations perceived as a roadblock to progress are more likely to be bypassed. When organizations with robust information security and risk management programs slip up, it is often because “something is done out of process by an urgent business need” – like the need to ship the CIO’s pet digital product by the end of the quarter.
The best practice is to instead make “security consulting” an integral part of every digital project, enabling the success of the product while avoiding unnecessary risk, he says.
“If you’re a no person, you don’t get very far,” agrees Bryan Kissinger, vice president of information security at Trace3, which provides training and consulting related to DevOps and cybersecurity, and a former healthcare CISO. For example, the days when security professionals could simply say “no” to cloud computing are gone because the benefits are too great. Instead, security advocates must make their influence felt by steering the organization toward more secure cloud options and adding controls to mitigate the risks.
2. Create a secure platform for agile innovation
Even when moving quickly to seize digital opportunities, many organizations can’t afford the “move fast and break things” ethos Facebook is famous for. While working as CISO for Banner Health, Kissinger felt the tension between the organization’s desire to deliver a highly engaging patient app and the fact that placing health data in mobile and cloud systems was inherently risky.
“Innovation teams really thrive when they can move quickly and use agile development methodologies, allowing them to get to market quickly,” Kissinger says. “There would have been a tremendous loss of opportunity if these projects were mired in bureaucracy and security assessments.”
His solution was to try to separate the need for rock-solid security from the need to allow experimentation and iterative development at the user experience level. The security team worked with the developers to create a base platform of mobile and cloud code responsible for managing how users would be authenticated and health data would be encrypted, stored, and transmitted.
“We created a secure perimeter, a container, a barbed-wire fence,” he says. As long as the app developers worked within that perimeter, he felt confident allowing them the freedom to create apps where the deployment cycle could be weeks instead of months or years.
3. Get agreement on acceptable risk
The risks of digital transformation will never be zero, but they will often be lower than the risks of doing nothing while competitors innovate. Business leaders understand the relationship between risk and reward, which means they will accept a reasonable level of risk in order to achieve an upside goal.
The trick is to give them a realistic understanding of that risk, without asking them to become experts on hacking techniques or encryption protocols. What you don’t want to do is allow businesspeople to sign off on a transformation program – or even insist that it move forward – because they perceive a major risk as a minor one.
When cybersecurity professionals present a risk assessment that is too technical or otherwise opaque, businesspeople are left guessing about the real magnitude of the threat, Rasmussen says. Instead, he recommends using an analysis framework like the one from the FAIR Institute, which translates cyber risk into probabilities and financial figures that are easier for a CEO, CFO, or board to assess. You can find a brief explanation of how FAIR calculates metrics like annualized loss exposure and event-based loss exposure in this blog post on their website.
“It gives a way for security professionals to speak with business management in a way that makes sense to them,” Rasmussen says.
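To make that translation concrete, here is an added example, not code from the article, Deloitte, or the FAIR Institute, that runs a small FAIR-style Monte Carlo estimate. FAIR factors risk as Loss Event Frequency times Loss Magnitude, with Loss Event Frequency itself the product of Threat Event Frequency and Vulnerability; each factor is entered as a calibrated minimum / most likely / maximum range, and the output is an annualized loss exposure with percentiles rather than a single point. The scenario names, ranges and dollar figures below are constructed for illustration, and Python's triangular distribution is used as a stand-in for the PERT distributions that FAIR tooling typically uses.

```python
"""FAIR-style Monte Carlo risk estimate.

Added example, not code from the article or the FAIR Institute. FAIR
factors risk as Loss Event Frequency (LEF) x Loss Magnitude (LM), with
LEF = Threat Event Frequency (TEF) x Vulnerability (the probability that
a threat event becomes a loss event). The scenarios and ranges below are
constructed for illustration; Python's triangular distribution stands in
for the PERT curves FAIR tooling normally uses.
"""
from dataclasses import dataclass
import random
import statistics


@dataclass(frozen=True)
class Estimate:
    """Calibrated range for one FAIR factor: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def __post_init__(self):
        if not self.low <= self.mode <= self.high:
            raise ValueError(f"estimate out of order: {self}")

    def sample(self, rng: random.Random) -> float:
        # random.triangular returns `low` when low == high, so a point
        # estimate (low == mode == high) passes through unchanged.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Estimate             # threat events per year
    vulnerability: Estimate   # probability 0..1 that a threat event causes loss
    loss_magnitude: Estimate  # currency lost per loss event (primary + secondary)


def point_estimate(s: Scenario) -> float:
    """Annualized loss exposure (ALE) from most-likely values only."""
    return s.tef.mode * s.vulnerability.mode * s.loss_magnitude.mode


def simulate(s: Scenario, trials: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo ALE: each trial is one simulated year.

    Returns the mean and the 10th/50th/90th percentile annual loss, so the
    board sees a range ("probably X, could be Y") instead of one number.
    """
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(trials):
        lef = s.tef.sample(rng) * s.vulnerability.sample(rng)
        annual_losses.append(lef * s.loss_magnitude.sample(rng))
    annual_losses.sort()

    def percentile(p: float) -> float:
        return annual_losses[min(len(annual_losses) - 1, int(p * len(annual_losses)))]

    return {
        "scenario": s.name,
        "mean": statistics.fmean(annual_losses),
        "p10": percentile(0.10),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
    }


def rank(scenarios, trials: int = 10_000, seed: int = 1) -> list:
    """Scenarios ordered by mean ALE, highest first: what to address first."""
    results = [simulate(s, trials, seed) for s in scenarios]
    return sorted(results, key=lambda r: r["mean"], reverse=True)


# Constructed scenarios echoing the article's examples (all numbers invented).
SCENARIOS = [
    Scenario("patient mobile app: credential stuffing",
             tef=Estimate(2, 6, 12),
             vulnerability=Estimate(0.10, 0.30, 0.60),
             loss_magnitude=Estimate(50_000, 250_000, 2_000_000)),
    Scenario("analytics data lake: exposed storage bucket",
             tef=Estimate(0.2, 1, 3),
             vulnerability=Estimate(0.05, 0.20, 0.50),
             loss_magnitude=Estimate(200_000, 1_500_000, 10_000_000)),
]

if __name__ == "__main__":
    for r in rank(SCENARIOS):
        print(f'{r["scenario"]}: mean ${r["mean"]:,.0f}  '
              f'p10 ${r["p10"]:,.0f}  p50 ${r["p50"]:,.0f}  p90 ${r["p90"]:,.0f}')
```

The point of the percentiles is the caveat the article raises: a single "most likely" figure lets a business sponsor read a heavy-tailed risk as a minor one, whereas showing the 90th percentile alongside the median makes the spread visible without anyone needing to understand the attack. A full FAIR analysis decomposes threat event frequency and vulnerability further (contact frequency, probability of action, threat capability versus control strength) and separates primary from secondary losses; this example keeps only the top-level factors.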