Rushing digital transformation will create cyber security ‘bear traps’ – here’s how to avoid them

A bear trap on a circuit board
(Image credit: Getty Images)

Organizations undergo digital transformation for a variety of reasons, including maximizing insights derived from data, streamlining operations, and adjusting workflows for hybrid work.

There’s no doubting the benefits. But there are potential traps along the road that businesses must also avoid, not least in the form of cyber security risks

Typical risks may arise from failing to provide adequate resources to match a project’s ambition, lacking proficiency to handle a multi-cloud setup, and failing to align with security frameworks. These ‘bear traps’ can be more prevalent if digital transformation is rushed, and organizations speeding up their efforts must be double vigilant because, with haste, comes a lack of focus. 

Prioritizing security, not project outcomes

Security must be the primary concern for any organization undergoing digital transformation, says Rick Hemsley, UK&I government and public sector cyber security lead at EY. That’s the bottom line. Organizations need to “integrate security considerations into every aspect of the development of new systems, processes, and products,” and those that fail to do so “will only be able to take a reactive, whack-a-mole approach to cyber security, instead of adopting a proactive mindset”.

There’s more to avoiding traps than putting security at the heart of digital transformation, though. Organizations need to learn to think differently about security too, says Frank Kim, SANS Institute fellow, cloud curriculum lead, and CISO-in-residence at YL Ventures. “A key metric in the past would have been the mean time to failure, or for something bad to happen. 

“But in the modern world, we look at the mean time to recover,” he tells ITPro. “We don’t think about the mean time to failure because we are expected to fail on a regular basis, so recovery is more important.” 

This approach resonates with a new attitude towards risk, where risk can’t be eliminated entirely, but needs to be understood and managed effectively

Speeding up processes heightens risk level

Organizations that decide to speed up digital transformation efforts put themselves at greater risk of leaving cyber security gaps waiting to be exploited, says David Sarginson, head of software development at digital transformation consultancy Opencast. “More change means more risk,” Sarginson explains. “The more change you introduce at any time increases complexity, and therefore the chances of unanticipated consequences.”

RELATED RESOURCE

Whitepaper image with title on blue background and bottom right images of the sky and skyscrapers looking from the ground up

(Image credit: AWS)

Achieving transformative business results with machine learning

Discover why hundreds of thousands of organisations use AWS ML to resolve challenges and create new opportunities within their organisations.

DOWNLOAD FOR FREE

Further complications arise from organizations having a multi-cloud setup, Kim adds, and staff needs to be familiar with the nuances of different cloud setups, he says. “Your security team must be knowledgeable in a multi-cloud environment in each of these areas including the pitfalls, the configurations, and the mistakes that could be made. Ideally, architect from the start what those best practices are into your infrastructure.” 

When process speeds are accelerated, there’s less time to get to grips with the nuances, and more opportunity for gaps in security to manifest because security likely won’t be baked in at the outset. “[By] designing best practices directly into the infrastructure code and set-up, you’re providing a paved road for internal stakeholders that need to move to the cloud and adopt these processes,” Kim continues. “When you go off the paved road you know when to pay attention a little more.”

Instigating the right culture

Effectively dealing with cyber security risks associated with digital transformation, whether it’s been sped up or it’s happening at a slower pace, requires a risk-based approach from the outset, says Hemsley. The CIO and security teams should have the right level of knowledge and resources to “create a security framework which is defined by proactivity”, he says.

Achieving this might need an element of cultural change, and Kim confirms this isn’t always easy. “An organization can’t change culture overnight,” he says. “Depending on the size and the nature of the organization it takes anywhere from three to ten years to change.” 

Once organizations then undergo a process of risk awareness, sufficient resources must be allocated, and all employees should be trained on cyber security best practice, adds Sarginson. In addition, his advice includes using frameworks, where possible, like the NIST Cybersecurity Framework or ISO 27001. This may help to make implementing protections more efficient by removing the need to work out a security posture from first principles.

Ultimately, avoiding cyber security bear traps involves taking the proper technical steps and the right cultural ones – or as Kim puts it: “It’s not just about implementing new technology, like lift and shift. It’s about building out your people and building out your processes.” 

The yellow and white logo of ITPro on a dark grey background
Join the ITPro Network

Do you want to make your voice heard as an IT decision maker? The ITPro Network is a select group of senior IT professionals who contribute to ITPro’s unique content through interviews, opinion, podcast appearances and more.

Members also get access to monthly group chats and other exclusive content and events. Interested? Fill out this form to apply.

(Please note we cannot accept applications from vendors at this time).

Sandra Vogel
Freelance journalist

Sandra Vogel is a freelance journalist with decades of experience in long-form and explainer content, research papers, case studies, white papers, blogs, books, and hardware reviews. She has contributed to ZDNet, national newspapers and many of the best known technology web sites.

At ITPro, Sandra has contributed articles on artificial intelligence (AI), measures that can be taken to cope with inflation, the telecoms industry, risk management, and C-suite strategies. In the past, Sandra also contributed handset reviews for ITPro and has written for the brand for more than 13 years in total.