Digital transformation is a major programme for many organisations. The motivation for it varies, but there are some common aspects, namely adopting new technologies to maintain an efficient and effective workforce and engaging with customers to improve the bottom line.
Likewise, in the public sector, digital transformation programmes create opportunities for efficiency savings and economies of scale, with new and imaginative ways to deliver services to citizens. But the stakes are high. Get the security wrong, and the programme could be the cause of a very public and very expensive, loss of confidence.
So good cyber security within digital transformation programmes is key, but it’s also the area that numerous studies have identified as a barrier to success. We’ll explore the reasons why – and suggest an approach to ensure the security challenges can be addressed more simply.
Digital Transformation – the security conundrum
What makes a transformation programme successful?
When it includes all areas of the business impacted by the transformation. Ownership of the programme – the CIO, CTO, CMO is relatively immaterial – the point is that it must be at the highest levels as the changes will affect the whole business.
With cyber security in mind, a transformation programme is also more likely to be successful when security is considered from the outset, not as an afterthought.
“Many local government organisations are starting to implement digital transformation programmes. It is imperative to ensure that such changes are designed with security built in, rather than bolted on.”
Andrew Rogoyski, formerly an adviser to the UK government on cybersecurity issues
And what puts the brakes on?
According to the IDC (International Data Corporation), one of the challenges of a digital transformation is security. The security team are often accused of blocking or delaying the programme.
Why is this?
When an organisation has a security team, that team will be structured and managed in accordance with the drivers of the organisation. The organisation may be compliant or certified to an information security standard, such as ISO27001, PCI DSS, or IASME.
Alternatively, instead of having a compliance regime, they may be following the best practice information security guidance from NCSC (National Cyber Security Centre) called the 10 Steps to Cyber Security or maybe doing their own thing. We have also seen the security team being double hatted with the IT team.
Regardless of titles and structure, where security teams can fall short is if they are operating without an effective information risk management structure, driven by the business.
From our experience the security teams are excellent at finding technical solutions to information security problems, cyber security is a techie issue after all, isn’t it? But often, they are let down by the wider business.
The business owns the information – not the security team
The security team have an essential role to play in recommending and perhaps implementing the technical controls, but the decision on what level of protection is applied to information should be made by the owners of the information. That’s the business, not the security team.
So it is little wonder that when a large change programme like digital transformation comes along the security team struggles to communicate its concerns. It hasn’t been given a set of requirements for how business information should be protected and therefore does the best it can, which sometimes means (through no fault of their own), making far-reaching decisions without sufficiently understanding the problem.
Change becomes a real challenge that ultimately leads to delays and friction between the business, who want to take advantage of changes in technology, and the security team who are doing their best to protect the business, but without the necessary support from the business.
Security within an information risk management regime
If, however, the organisation has a security team which operates within an effective information risk management regime, ideally not double-hatted as the IT team (but very much part of the business digital transformation) – it should be water off a duck’s back.
Managing the risks associated with change should be “business as usual” to this organisation. The security team will assess the risks of the change with valid business information, and report the outcome to the business to make the decision to accept that risk or not.
The key is having an effective information risk management regime and excellent communications between the business and the security team. The business must make the security team aware of its appetite to information security risks. At the same time, the security team must be able to communicate risks to the business in a manner the business will understand.
Here at Ascentor we strongly advocate that the security team should not be empowered to say “no” to the adoption of new information systems – especially to strategic technology initiatives like digital transformation. It’s not their business – or their information to make far-reaching decisions about.
The security team’s role is to advise and support the decision-makers, to explain information security risk in business terms to the owners of the information and let them make the business decisions – that’s a CXO’s job.
Information has intrinsic value
If the report of security causing friction within digital transformation programmes is true, then perhaps there are too many businesses that do not have an effective information risk management regime and have devolved responsibility for information security to the security team.
Now, more than ever, information has intrinsic business value and should be managed by the people who own and value it. Get information risk management right and the security challenges of digital transformation are made much easier.
So, how do you build the best security into your transformation programme?
Information Risk Management is now a well-established countermeasure to the growing cyber threat that all organisations and citizens face.
In practice, however, security isn’t always integral to our working practices and systems – often we pay lip service to it or add it as an afterthought. In major transformation projects, especially ones that involve sensitive information (such as customer and public data), this is just not acceptable. In the same vein as the above quote from Andrew Rogoyski, security must be built in all the way through.
IA Inside from Ascentor is one way of ensuring your transformation programme enjoys security that is holistic, integrated and effective throughout the project. Find out more here .
For further information
If you have found this article of interest, the Ascentor blog regularly carries articles about information risk management and cyber security issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter.
If you’d like to discuss how our consultants could advise on any aspect of IA and cyber security, please contact Dave James, MD at Ascentor.
