Following my recent AISA session about security transformation in October, I am digging further into the value that can come from both security and digital transformation, applying security service edge capabilities and zero trust principles as part of the broader digital transformation strategy..
In the first part of this three-part blog series, I am going to take a look at how an understanding of digital strategy and digital risk are foundational to a modern security transformation journey.
Digital strategy and digital transformation
It can be argued that a company sets a digital strategy for several reasons, including but not limited to automating processes to reduce costs for the organization, speeding up process and delivery of services to customers, gaining insights from data, and creating value from that data. But the main goal of this strategy is achieving company growth.
As a result of digital transformation, data is now quickly becoming (or already is) the true value creation asset for organizations today. Furthermore, customers are spoilt for choice and are more informed than ever before, expecting their service providers to have a deep understanding of their business, to deliver a personalized service with personalized pricing, and to do so in a secure and trusted way. To stay competitive, businesses need to find ways to deliver on this customer expectation. If they don’t, they will fail.
By leveraging data, made all the more possible through digital transformation, businesses can realize greater insights and make smarter business decisions to achieve this growth.
Furthemore, the business world now operates in a hyperconnected, cloud-first, big data world, and digital transformation has highlighted the value shift from traditional physical distribution channels and legacy technology environments to value being realized at the scale of (customer) data and the ability to deliver a personalized service (with personalized pricing) in a trusted and private manner. Like I noted before, this is exactly what consumers are now expecting from their suppliers.
In response to this personalized expectation from customers, organizations have been accelerating their cloud and digital transformation programs, in turn enabling them to gain greater insights about their customer and collaborate with business partners to deliver a better product or service for their customers. But with this growth and transformation also comes the potential for risk.
Assessing the risk of transformation
Like any strategy, a digital strategy also introduces risk that must be managed. Referencing the ISTARI model for digital risk, there are three main pillars to consider: digital operational risk, cyber risk and digital value creation risk.
Digital Operational Risk is the risk of failure or disruption of digital services through human error or technology failure. We can think of this as traditional operational risk types with a specific digital services lens. For example, failure of technology change control or failure of technology infrastructure services resulting in disruption to customer services through a digital medium.
Cyber Risk is the risk of disruption, destruction or theft of digital services and data from malicious actors. This risk is well known today. Take for example, ransomware attacks, data breaches, and DDoS attacks.
Digital Value Creation Risk is the risk that the digital strategy does not create the level of value that it was expected to create, thus stifling the growth objectives of the company. Should this risk occur, the business case that justified the investment decision will not hold true and the organization will suffer unplanned financial impact.
Business and technology functions must work together to develop and deliver a digital transformation program which also includes strategies to address all three types of digital risk that are present. And as a subset, and core component of any digital transformation program, is security transformation, which plays a key role in addressing digital risk. Put simply, you can’t have digital transformation without security transformation.
As I covered in my recent article about security transformation protecting sensitive digital and information assets in the new hyper-connected, cloud first world requires a new approach. These sensitive assets are no longer contained in an environment we control – no longer on a CPU we own. With these dissolving perimeters, security and risk teams need to think about how to architect that control environment and how to move those controls closer to the data, wherever it may flow or reside.
This security transformation must cover all security domains and this transformation requires an architecture that will support the broader digital transformation that is required to deliver the company’s digital strategy.
This security transformation is best exemplified by modern cybersecurity capabilities like security service edge (SSE) and zero trust principles, as part of a secure access service edge (SASE) architecture, which help support this security transformation while also addressing the myriad digital risks I’ve outlined here.
In my next blog, I will dig further into how these capabilities not only help address digital risk, but also enable digital transformation.
