Digital transformation projects took on a whole new world of urgency in March 2020. Lockdowns drove businesses to establish work from home systems, often without much prior planning, meaning some things fell through the cracks. Worryingly, cybersecurity was one of them.
While cybersecurity was never, of course, excluded from the digital transformation process, accelerated implementation timelines meant blind spots were created. With organisations now increasingly using hybrid work models, such weaknesses must be addressed by the C-suite, ensuring that cybersecurity is baked in moving forward.
Learning from mistakes
There were numerous mistakes made by many companies in the rush to implement work from home. Greg Day, CSO (EMEA) at Palo Alto Networks, calls them “time-based decisions that can be rectified with further time and reflection”.
Although this might sound like semantics, it’s an important point: organisations have had to compress multiple digital transformation projects that might normally take years into a matter of months. The sudden work from home business demand dictated that “good enough” was sufficient for projects to get the green light.
Three common missteps sum up the insecurity scenario: fragmented cloud transformation, virtual private network (VPN) bottlenecks and the cyber-time paradox.
“The notion of moving to the cloud means the chance to rewrite the software to take advantage of doing things in new ways,” Day explains, “yet for many it was more a cut and paste, saving the rewrite for later when there is more time.”
This led to companies using whatever cybersecurity was provided with the cloud offering or buying off the shelf without due diligence. “With hindsight,” Day continues, “this creates non-scalable fragmented solutions, as many now realise they have many multiples of different solutions … most using multiple cloud providers with each having its own solution for identity”.
Then there’s the VPN situation: businesses already had capacity to serve maybe 25% of staff, but in the rush to transform simply bought more secure tunnels to connect back to base. “Your business network quickly becomes a bottleneck: the pinch point, now that huge volumes of traffic must get through,” Day says. Such a “choke point” for a security goal simply isn’t fit for purpose. For example, security requirements for video sessions are quite different to those for accessing confidential data.
That leads to the final part of this erroneous triumvirate: thinking that the “same old security same old” will scale to such a dramatic shift in workload. Day calls this the cyber-time paradox. More digitised business processes mean more to secure, producing more data to manage and so increasing the threat surface.
Simultaneously, what is considered acceptable process downtime has diminished to hours and often minutes. It’s a paradox that can’t be solved by throwing more people at it; it demands that companies assess what processes can be automated or outsourced, Day concludes.
How can you properly bake cybersecurity into your project? The basic maths of ensuring a secure digital transformation outcome remains simple enough: process + people + implementation = success. Stephen Crow, head of security and compliance at independent tech company UKFast, likens it to building a shed.
“You don’t put the roof on first,” he says, “you make sure you have the right tools and somebody building it who is competent at DIY, and follow a plan.” You can still take the roof off to make changes after the initial build is complete, but it’s not ideal and will inevitably cost you a lot more.
If you haven’t considered upgrade paths and end-of-life planning, you must do so sooner rather than later. “This is critical because later down the line you might end up in a situation where you’re relying on old systems with exploitable vulnerabilities that have no patch,” Crow explains. Similarly, if your initial rollout has mistakenly equated a Security Information and Event Management (SIEM) system plus a Firewall with “sufficient cybersecurity”, this needs revisiting.
“A SIEM and a Firewall can only protect you from a tiny percentage of potential attack vectors,” Crow says. “Never put your trust and effort into one single tool.” Equally, your digital transformation security success can be hamstrung by introducing too many overly strict or manual procedures. “This is a surefire way to generate shadow IT usage that circumvents security,” Crow says. “Cybersecurity is a day-zero responsibility for everyone working on a project.”
Mivy James, the digital transformation director at BAE Systems Applied Intelligence, advises that equipping and empowering users with the right understanding to make the right decisions must go hand in hand with a digitally transformed culture.
“Infosecurity can’t be seen as the thing that puts the brakes on digital change,” she says. “The danger here is that cybersecurity has traditionally been seen as the department of ‘no’ and something which can slow change down.”
Digital literacy is rightly considered vital for leadership; James sees cyber literacy as a large part of that. For example, in the uptake of cloud-based services, cybersecurity is either overlooked entirely or seen as such a cause for concern “that cloud migration becomes impossible”, she notes.
Normalising cross-functional multidisciplinary teams where business, technology and security leaders operate together in decision making is required to drive such cyber-literacy, according to James.
Business leaders need to listen to their security experts, because security isn’t a point in time exercise. “Integrating security too late in the game will create huge complexities for your business,” Crow says, “or worse, missing it out completely will leave gaps that are hard to fix in key technologies and processes.”