The significant challenges around ensuring cybersecurity adapts to the rapid digitalization of organizations were the topic of discussion during a panel at the Infosecurity Online event.
The panel speakers first highlighted how digitalization has fundamentally changed the ways companies operate over recent years, such as the greater use of data and offering digital products as well as the shift to remote working brought about by COVID-19. “The journey to digital transformation has been happening for quite some time now,” noted Amitabh Singh, chief information security officer and chief data officer at Swisscard AECS GmbH.
Ledum Maeba, head of information security, Avanti Communications, said that it is important to have a very cautious security approach when it comes to digitalization. “We are digitalizing everything we do, but we are very cautious in what we do; we take every process very seriously and we make sure all security concerns are addressed before we do anything.”
Before specific digital projects begin, Simon Cole, global security architecture and solutions director at Dentsu, outlined how security should become one of the key considerations: “You have to define what success looks like and that’s with many lenses, so what it means for the business, but also what it means from a security perspective.”
Very often this is not the case. Singh said: “So far when we’ve been working on security, it comes as a retrofit requirement, so we build certain things into digital transformation then security comes later on,” adding that “security needs to come by design as a de facto thing that has to be considered when we are thinking about digitalization.” He noted this should be the goal in the financial industry where he works.
Such an approach clearly requires strong collaboration between security teams and other areas of the organization. “My risk posture is going to be totally different than the executive who is about to launch a new product. What we have to do is have that honest conversation and decide what the acceptable risks are, what are the guardrails,” said Cole.
In this new environment of home working, third-party sharing and use of cloud applications, traditional perimeter security structures are insufficient, according to the panel. Instead, security must be tailored to the specific business needs of individual organizations and to the level of risk each finds acceptable. Singh commented: “Security professionals have a much larger challenge of first trying to understand the environment. Once you have understood the environment you need to define exactly what security means for that, and define what is good for us.” He added that the approach must be fluid, adapting as digitalization changes.
With increasing reliance on third-party suppliers, including greater levels of data sharing, undertaking extra due diligence regarding their security is important. This includes assessing the likelihood of a data risk materializing. Maeba stated: “You need to be really sure they are able to meet your security requirements.”
The panel then discussed how organizations’ increasing shift to the cloud to facilitate digital transformation is impacting security. Singh explained there are two main elements to this, the first of which is user access and the need for a zero-trust model. “Never trust, always verify and contextualize,” he said.
The second is the overall management of the environment, where security professionals are too often caught up in the latest “fads” and simply using new patches to solve issues. This leads to the integration of the technologies becoming more challenging. Again, understanding an organization’s goal in moving to the cloud is vital for the right approach to be taken. Based on this, security professionals should “articulate what the products available in the market are that can give you a seamless picture.”