How to manage cyber risks in a transformation project

Leaders must balance the need for speed with implementing transformation in a cyber-secure way, while avoiding the pitfalls along the way

Whatever the business transformation – digital, entering a new market or overseeing a merger – there are inherent risks. But all too often the focus is on areas such as operational benefits or cost-savings. Cybersecurity, however, needs to be a major part of the planning process.

Cybersecurity is integral to the success of any business transformation project and needs to be factored in at the design and planning phase. This is particularly important if the C-suite lacks cybersecurity experience, or if a chief information officer (CIO), or their equivalent, is not involved in converting the business processes.

In practice, however, cybersecurity teams are often included too late or not at all. “The project leaders need to identify potential cybersecurity threats and develop a robust strategy to manage cyber risks and become cyber resilient,” says Jane Frankland, founder of KnewStart and the IN Security Movement.

“Although cybersecurity’s role in business transformation has improved, both in awareness and involvement in earlier stages of the design process, those in charge, typically chief information security officers (CISOs), are still struggling to see the breadth of projects in their ecosystems.”

For instance, with complex cloud migration strategies, such as moving from software as a service to platform as a service and developing multi-cloud set-ups, businesses need a clear strategy, an agile governance model and alignment across the whole organisation. In all this, the organisation’s appetite for risk must be understood.

“Businesses must include cybersecurity at the start and communicate a transparent governance risk framework, along with close monitoring and remediation of anomalies, to maintain compliance. And they must work on developing the right mindset, behaviours and culture in their organisations when transitioning,” says Frankland.

Protecting sensitive data

Business transformation inevitably goes hand in hand with technological upgrades, which often means migrating sensitive data and technical processes from one system to another. The first challenge, according to Chris Harris, Europe, Middle East and Africa technical director at Thales UK, is understanding where sensitive data is held. 

“While this should already be an integral part of an organisation’s cybersecurity approach, it is often something that catches them out,” says Harris. “No area should ever be overlooked when considering cybersecurity in a digital transformation project. Doing so could leave a business exceptionally vulnerable to attack. Hackers will find any means to infiltrate an organisation so businesses must ensure they shut every gate and lock every door.”

Once the transformation is underway, the switchover period, when data and processes are in transit between the old and new systems, poses the greatest risk of compromise and needs the closest attention. “Cybersecurity measures such as anti-malware, comprehensive firewalls and prior planning of every step of the transfer are key,” says Steve Jacob, UK director of international web development agency SmartOSC.

“With cybersecurity laws and regulations, such as GDPR [General Data Protection Regulation], in place in many regions, many regulatory bodies have teeth and will bite, hard, with penalties for non-compliance. Being actively aware of the cybersecurity requirements in any new market you plan to enter is now table stakes.”

Locating the source of responsibility

While everybody in an organisation should be trained in the importance of data security and what they can do on a personal, day-to-day basis to mitigate risks, the ultimate responsibility for cybersecurity lies with the executives and, if there is one, the dedicated cybersecurity team. 

“The C-suite executives should make a comprehensive plan to identify potential security problems and who is in charge of heading them off in time,” says Jacob.

It’s a view shared by Richard Meeus, security technology and strategy director, Europe, Middle East and Africa, at Akamai Technologies, who says the ultimate responsibility falls to the C-suite, and that normally means the CISO.

“They should be involved in all discussions about the transformation project to ensure the business is not putting itself at any unnecessary risk and security is factored in at each stage,” says Meeus.

The wider business also has a shared responsibility to know the risks associated with a project and the steps being taken to mitigate them. While education from top to bottom is vital to ensure any security policies introduced are being followed, final responsibility sits at the top. 

“Ultimately it’s the person at the top that can lose their job should a breach occur, so they need to be aware of steps being taken,” Meeus adds. “Just because the world we operate in is in large part virtual, the rules have not changed. It is still the responsibility of businesses to take ownership and responsibility for the data they collect and store,” he says.

What can go wrong

From reputational damage to hits to the bottom line, no business can afford to overlook any area of cybersecurity. “Hacks and data breaches spell disaster for the individuals who are targeted and the reputation of any company that is attacked. Keeping users’ personal data safe should be the business’s priority above all things when undertaking a transformation project,” says Jacob.

Without a watertight plan in place to identify and resolve cybersecurity issues quickly, sensitive data can fall into the wrong hands and even be used for criminal purposes. “It’s absolutely crucial businesses have a solid data recovery plan to be prepared for the worst-case scenario,” he says.

The coronavirus pandemic has accelerated the need to move on digital transformation for many organisations, but it remains vital to carry out safe implementation without cutting any corners. 

“Companies must follow a security-by-design approach and build tailored cybersecurity measures into the system. It’s also vital that businesses factor in security from day one, rather than treating cybersecurity as an afterthought. Any lapse in this could allow hackers to breach the perimeter,” says Harris at Thales UK.

Balancing transformation and cybersecurity

Balancing the need to move quickly on a transformation project with undertaking it in a cyber-secure way must start with identifying project risks and developing a clearly defined, managed process. “Ideally, simplify the approach as much as possible, using a standardised set of solutions to gain speed and agility,” says KnewStart’s Frankland.

She also advises the leaders charged with transformation responsibility to grasp the breadth of projects to understand the risk exposure across networks, applications, cloud infrastructures, datacentres and supply chains. 

“Penetration testing and risk assessments are also a must to uncover vulnerable assets and direct risk mitigation action. Automation within continuous security monitoring solutions can further advance capabilities, reduce the threat surface and enable cybersecurity teams to focus their efforts on remediating risks based on their priorities, maximising time and efficiency,” says Frankland.

And to reduce risk even further, businesses might consider actively including women in the transformation team. “Women are well known for adding a strategic and competitive advantage to business. And when it comes to cybersecurity, they add another benefit of seeing risk in a different way to men,” she says.

“Being highly attuned to changing patterns, a skill that’s needed for spotting anomalies, correctly identifying threat actors and protecting environments, women are especially useful in cybersecurity. But it’s not that women are better than any other gender, it’s just that when we come together as human beings, we do a better job. Diversity strengthens businesses.”