Digital transformation is a term bandied about a lot, but it means different things to different people.  It’s not a monolithic process.

Because digital transformation has become critical for organizations to survive, organizations must clearly know what it means specifically to them and align accordingly.  Will the organization move completely to the cloud?  Will it give up its data centers?  Will it be a hybrid environment?  Organizations must continuously assess transformation goals, what is achievable and what is not. 

Typically, when we are talking about digital transformation, CISOs are rarely at the table, coming into the process at the tail end.  And when we are afterthoughts, it affects our own strategic planning because the intended solution might not allow us to protect information. 

Without any extra budget to account for these things, we are playing catch-up with a digital transformation journey that we should have been a part of.  We find ourselves accountable for the decisions of others. 

Alternatively, we are sounding the alarm about risk, without necessarily having the capabilities or the solutions in place to help the organization protect its information.  It forces us into a position where we must fight the organization to either slow down the project – something it often does not have the luxury to do – or secure the resources and funding to do the right thing.  CISOs have enough budget challenges to begin with, but when you do not even know what is in the pipeline, then it becomes an even bigger problem. 

Smaller organizations typically will go with tools that fit their budget.  Because they cannot afford the big vendors, we cannot always get satisfactory information about the security controls a less expensive vendor has in place. 

Communication and relationship-building will go a long way to head off these problems.  We need to build ties with IT.  We need to build very tight relationships with the CTO and the CIO to understand the journey and where it is heading.  In some cases, we also need to collaborate with the CFO. 

And we need to extend ourselves to business units because many times they are the ones driving decisions and procurement.

But when we find ourselves with a considerable amount of residual risk on our hands, we have to figure out how to turn this around and try to mitigate some of these things.

At the highest level, start thinking about what type of protections are needed as a baseline to cover as much as we can.  If you do not have baseline security in place, and you are moving into digital transformation, then your gaps are only going to get exponentially bigger. 

Visibility is essential.  If you can see what is happening, and you are able to detect things very quickly, then you can take countermeasures and start building a case to make investments. 

With digital transformation exploding at an exponential rate, if we do not have that visibility in place, it is going to be extremely hard to prioritize our efforts to mitigate risk.  Because if you look at reality, you are not going to be able to put everything in at once because of budgetary constraints. 
Organizations are asking everyone to do a lot more with less.  Inevitably, we must be creative.  To go to the business and present a convincing case for investment, we need data to rank risk.  If you can’t quantify it and you can’t qualify it, you’re not going to be able to protect your organization.