Business & Technology

Digital Transformation and Security Transformation Need to Walk Hand-in-Hand

By Patrick Grillo | June 05, 2018

You don’t have to be a wild-eyed futurist to recognize that digital technologies are fundamentally transforming economic and business processes in every corner of the global economy. To define digital transformation in economic terms, it means the integration of digital technology into all areas of a business, resulting in fundamental changes to how businesses operate and how they deliver value to customers

While businesses have employed computing technology since the early 1950s, the role of technology has changed from supporting business processes (accounting, data processing, communications, product design, etc.) to becoming an essential element of a business’ customer value proposition. High-profile technology companies such as Google, Amazon, Facebook, and Netflix have transformed the advertising, consumer retail, media, and entertainment marketplaces respectively by packaging their computing platforms for revenue-generating customer consumption. But even long-established businesses in industry segments such as financial services, industrial products, automotive, oil and gas, transportation, food, and medical services now understand that unless they can enrich their revenue-generation processes with digital technology value, they risk not just falling behind more digitally savvy competitors, but also becoming irrelevant to the marketplace as a whole.

Obstacles to Digital Transformation

While the digital-transformation wave appears to be sweeping away everything that stands before it, cybersecurity worries have emerged as a significant obstacle to the transformation process. For example, SoftServe, a consulting and research firm, reports that 55% of companies indicate that cybersecurity is their biggest concern when making digital business transformation investments. When in conversations with business decision makers, Forester Research Vice President and Principal Analyst Marc Cecere notes, “Security nearly always tops the list of digital transformation obstacles.” And in 2017, the Harvard Business Review cited security as one of the top ten obstacles to digital business transformation.

At this phase of the global digital transformation, four areas stand out as particularly acute cybersecurity pain points:

1. Cloud/Virtualized Computing. Virtualized and cloud computing are inherently dynamic phenomena, with firms adding, dropping, and moving various cloud services, data, and architectures at will. It never seems clear who’s responsible for securing cloud-based services, and many public cloud computing operations take place in countries with less than robust legal and ethical standards regarding data protection, consequences for malicious hacking, or enforceable vendor responsibilities. Despite the fluidity of cloud computing, many processes and resources remain siloed from each other, especially with the growth of multi-cloud, with variable levels of protection against cybersecurity risks exposing organizations to the risks of the “weakest link.”

2. Internet of Things. The legions of Internet of Things (IoT) devices being deployed in today’s networks are expected to almost double between 2018 and 2020, rising from 11.2 billion 20 billion. IoT risks fall into two areas. First, they tend to possess rock-bottom levels of memory and processing power, making them difficult to secure and protect. Second, companies often deploy them with the sinking feeling that the IoT devices monitoring or collectively controlling their mission-critical industrial infrastructure are vulnerable to attack.

3. Burgeoning Threat Landscape. The problem is that new threats don’t just come and go. Legacy threats often remain in circulation for many years, constantly being recycled by malefactors who tweak them to avoid detection by defenses that may have previously stopped them. Furthermore, active markets for malware have sprung up on the Darknet, making malware accessible to adversaries unable to develop their own, such as ransomware-as-a-service. Finally, organizations that concentrate their security programs on what happens within their perimeter often remain unaware of what’s going on in the global threat environment until it shows up on or inside their doorstep.

4. Rising Regulatory Pressure. The European Union’s General Data Protection Regulation (GDPR) is having a significant impact on businesses based in the EU as well as others around the globe. GDPR really isn’t about technology, but about the rights and responsibilities of firms and customers engaging each other via digitally enabled business processes. The coming of GDPR also looks like the first of many new regulatory initiatives aimed at curbing real or imagined risks and abuses perpetrated via digitally transformed business practices.

If Digital Transformation, Then Security Transformation

Since security risks have emerged as the biggest obstacle to digital transformation, it follows that cybersecurity must also undergo a similar transformation. To this end, security transformation demands the integration of security into all areas of digital technology. This results in fundamental changes to how security is architected, deployed, and operated. This vision of security transformation consists of four main elements:

1. Right Protection, Right Place, Right Time, Across the Network. This attribute is all about agility and timeliness for cybersecurity programs. Proactively, this means that a security system should be able to automatically prioritize the identification and protection of an organization’s crown jewels even in a dynamic and elastic digital infrastructure. This requires driving consistent visibility and control deep into every area and ecosystem of the digital network, from access control to the microsegmentation of even temporary virtual devices.

2. Threat Intelligence Ecosystem. Think of this as over-the-horizon radar about new and recycled threats potentially heading in your direction, combined with practical information on how to detect and defeat them. Note that the situational awareness called for here extends far beyond the assets and processes under your immediate supervision. Since the vast majority of organizations are not large enough to fund comprehensive threat intelligence operations on their own, almost every cybersecurity team taps into one or more proprietary or community-based threat intelligence resources. Yet, this can bring its own challenges. Monitoring multiple threat intelligence sources requires strong abilities to distinguish between relevant and trivial developments in the threat environment. But even then, today’s “trivial, don’t-care ripple in the threat environment” can escalate into tomorrow’s devastating assault on your business, so while low-level threats can be deprioritized, they cannot afford to be forgotten.

3. Open, but Controlled Solutions. Even if an Amazon-style “everything store” existed for cybersecurity technologies, products, and services, it would be immediately clear that no single vendor has all the answers for any organization’s cybersecurity do-list. Under ideal circumstances, multi-vendor security solutions must a) easily exchange mission-critical information with each other, b) be programmed and directed through a common language, c) be visible and controllable through a “single pane of glass” user/administrator console, and d) not add the kinds of complexity to an infrastructure that inadvertently expands its attack surface. Needless to say, running afoul of point number four in this “success recipe” can prove particularly painful.

4. Ability to Bring it All Together.  The question boils down to several variations on “How.” These include: a) how to enable an organization’s digital transformation through efficient and effective security transformation, b) how to deliver security transformation against a budget, and c) how to keep the solution effective as both transformational information technologies and a cybersecurity threat environment continue their blistering pace of change. It also must address all the previous key security transformation criteria discussed above: a) the right protection in the right place throughout the network, b) an integrated threat intelligence ecosystem, and c) controlled openness for greater protection and flexibility.

These questions and others are all addressed by the Fortinet Security Fabric, which brings together multiple security technologies to deliver comprehensive and collaborative security capabilities across the whole network. The Security Fabric is also supported by a single source of threat intelligence, leverages technologies from Fabric-Ready partners through an open integration ecosystem, and can be extended deep into new network environments with a single click using advanced Fabric Connector technology..

Speaking at Infosecurity Europe

I would be remiss if I failed to mention that I am delivering a presentation, “Digital Transformation: Cure-all, Placebo, or Poison Pill?” at the Infosecurity Europe conference this week in London as part of the conference’s Information Security Exchange program. The session is scheduled for June 5 at 14:15 hours. A copy of the presentation will be posted on the Infosecurity Europe website following the conference.

Read more about our presence at Infosecurity Europe.



For more reading, our paper on "Covering the Gaps in IoT Security” provides details on the security risks of IoT and what organizations can do to address them.