Global organizations are still failing to build cybersecurity training into digital transformation initiatives from the very start, imperiling projects and exposing the business to added risk, according to experts.
During a panel debate at Infosecurity Europe today, Gemserv head of data privacy, Camilla Winlo, argued that even after the accelerated digital transformation of the pandemic years, organizations are forgetting the basics, with some having failed to update their work-from-home policies from pre-2020.
“It’s been amazing to see how fast companies can move [digitally], but what’s slightly disappointing is that they’ve not thought about the balls that got dropped in the process, even though they’re seeing the service impacts,” she explained.
“So, I’m happy for you to work at speed but please make sure you’re going through the full list of what you need to get covered and don’t get overly focused on the technology solutions.”
Training employees to use new digital technologies in an effective, secure and compliant manner is a key part of security-by-design best practice. However, in some organizations, new technology initiatives are rolled out without all staff having been first trained, Winlo said.
“It’s remembering the technology and forgetting the people, and it’s always the people who cause the problems,” she added.
Santander International CISO, David Cartwright, argued that organizations could go even further, by consulting with end users during the development process for new technology, to head off risk further down the line.
“It’s strange we’re forgetting about the users, because we’ve gone from DevOps to DevSecOps, but we’ve not quite made it to DevSecUserOps, and I think we need to get there,” he added. “A lot of the time if these guys had been involved from day one on how you build it, the training requirements would be reduced.”
Experts on the panel debate agreed that a “fail fast” strategy for digital transformation could be a useful way to head off cyber risk.
“From a data protection point of view, if you’re failing fast and in an agile way you should be able to contain the impact of the failure, which is really important,” said Winlo. “They should be going in there expecting to fail and having a control set there to wind things back if it does.”
Although awareness of security- and data protection-by-design has improved since the GDPR came into force, there’s still a long way to go before DevSecOps is fully embedded in most organizations, Cartwright argued.
Separately, new research from F5 released today found that only 4% of organizations are currently ranked at the highest level of digital maturity, with 31% classed as “digital dawdlers.”