Why digital transformation and security should go hand-in-hand [Q&A]
Digital transformation is becoming an essential part of many business initiatives, and of course security is a high priority too. You would think that two such essential areas would exist in close harmony, but it isn't always the case.
In the age of digital transformation, security can get left behind. So, what can businesses do to ensure that new digital initiatives are secured from the start? We spoke to John Worrall, CEO at application and infrastructure security specialist ZeroNorth, to find out more.
BN: Why is it so important to design security into transformation initiatives from the start?
JW: Forward-thinking organizations are executing on aggressive digital transformation initiatives and developing software at rapid rates, so security must be designed into development processes from the beginning, as opposed to being an afterthought.
For starters, when you design security programs that fit directly into business transformation initiatives, the speed of business isn't impacted as security is a part of the process -- not an after-the-fact entity. For example, if the security team is brought into the software development process late in the cycle and identifies a security issue, the development team will then need to go back, reopen the code that was written and refresh their memory on the logic they were building to see where the specific module is. All of this unnecessary activity wastes time and resources. With security built into these processes, the necessary fixes can be made in real time while the specific code is fresh in the development team’s mind, allowing development and security to move together at the speed of the business.
The bottom line is, security should be a key component of any company’s digital transformation strategy. In today's competitive business landscape, speed is critical, and businesses won’t be slowed down by security if it's designed into everything they do in a thoughtful and effective way.
BN: Does the trend towards digital transformation widen the potential attack surface?
JW: Absolutely. A study from Ponemon Institute and ServiceNow notes that 60 percent of organizations who suffered data breaches over the last couple of years cited the culprit as a vulnerability that wasn’t remediated. With even the most unlikely organizations now developing software, it is critical that every single line of code is secured prior to production to protect the organization's assets and limit risk.
Every time a new line of code makes its way to production, the attack surface widens, as that’s one more line of code that savvy hackers can exploit and probe to find an easy entry point into the organization. There are literally millions of lines of code developed each year to drive value to customers and business, and the volume of code being pushed out is growing exponentially, thanks to digital transformation. This reality should reinforce the need to bake security into the process proactively.
BN: What questions should businesses ask when taking on a new technology?
JW: Before implementing any new technology, businesses should thoroughly evaluate it from a security standpoint to gain an understanding of what the provider’s security program looks like. As a starting point, business leaders should seek out answers to questions like: Are there any vulnerabilities in their code? Does the business have solid cyber hygiene programs in place? What are their response capabilities like, in the event of a breach? Do their processes and regulatory needs match those of my business?
Essentially, the business should look at and vet any new technology through a security lens to gain a full picture of any risk that would come with an implementation. If a security-savvy team member gives it an A+ from a security standpoint, great. But any other grade should be an immediate red flag, meaning it is time to reevaluate if the new tech is worth investing in.
BN: What is the impact of new privacy legislation on digital transformation projects?
JW: There's no denying privacy legislation is impacting digital transformation projects and businesses collectively. In terms of digital transformation projects, businesses should think about what data they need to capture to deliver value to their customers and market, then ensure they have good data management policies to support it.
It's understood that data is an incredibly powerful tool for businesses, but if a company is super worried about privacy, they simply shouldn’t take and store data that they don’t need. For the data that is necessary to bring the value expected of the business, they should fully understand what privacy regulations require and build the right procedures into the business to support those. That said, those offering services typically need to have personal data, so mature data management frameworks are a must.
The rise in government regulations is a significant driver for more secure software as well. With countless high-profile breaches directly related to vulnerabilities in software, it’s clear that software is one of the major avenues through which hackers are looking to gain footholds within organizations. When this happens and an enterprise has its data stolen, privacy is compromised and regulatory bodies can come down hard.
BN: How can organizations bridge the gap between security and development teams?
JW: Both departments have to be put in a position to succeed and fully understand the needs of the other. Currently, there is a lot of friction between the two teams -- largely because developers are at an organization to create and move fast -- and security teams are typically brought in at inopportune times to help fix any vulnerabilities that surface. This significantly interrupts the developer team’s workflow, causing friction.
The key to eliminating this friction is designing security into development processes from the beginning. Rather than having the teams siloed, organizations need to rethink how they deploy people, processes and technologies to create a cohesive environment that allows seamless collaboration.