For some, saying that we are in the midst of a global digital business transformation can sound like a cliché. Businesses have been using computers since the 1950s, so what’s new?
The big difference is that for their first 50 years, computers supported business processes, automating back-office functions such as accounting, billing, data processing, administrative work, and the like. Since the emergence of the Internet in the mid-1990s, however, computing and network infrastructure have evolved to where they are now the preeminent sources of front-line business value delivered directly to customers, business partners, employees, and other stakeholders. In large part, this is due to the complete redesign of the network that has happened over just the past few years.
Consider the business models of three flagship digital businesses. The goods and services that customers receive from Amazon are merely fulfillment. It’s Amazon’s IT infrastructure that defines its customer experience. Uber and Lyft have converged several mobile-computing-enabled processes—navigation, geo-spatial analysis, algorithm-based pricing, instant messaging, and billing—into a massive disruption of an artificially protected industry (taxi cabs) and are working towards a longer-term vision of revolutionizing personal mobility. And who could have imagined that simply searching for and finding things quickly on the Internet could bloom into Google’s global operation that has completely upended advertising, news and entertainment media, navigation, communications, transportation, and politics?
Old and New Computer Security Models
In the back-office business-process-support era of commercial computing, security was a secondary concern. Security incidents were rare, caused minor—if any—real damage, and were kept out of public sight. But as computing and an online business presence moved to the sharp end of the enterprise-value proposition, cybersecurity became a mission-critical and very public undertaking. And as the richness and variety of computing-delivered economic value expanded, networks had to grow, and so did the cybersecurity attack surface. Defenders have not only taken on much more responsibility for an enterprise’s existential welfare, but they also face an ever-expanding landscape of points of security failure to defend.
As a result, cybersecurity has become integral to business-value delivery. It can no longer be siloed as a side issue. When investing in any new computing-enabled business initiative, decision makers must ask themselves, “Will it be profitable to securely deliver project X to the marketplace?” This means that plans for any new investment are incomplete without an analysis of cybersecurity risks, potential vulnerabilities, and defensive measures.
Even though security now factors into the investment-decision equation, leaders should not perceive security as a “tax,” but rather as a venture-enabler. Security’s new status as a business investment also means that decision makers need to consider the economic returns on these investments (ROI). Calculating cybersecurity ROI has two aspects: the cost-effectiveness of security spending in protecting a venture’s internal assets, processes, and people, and the extent to which security contributes to the positive external value proposition presented to customers, partners, and stakeholders.
What About Small-and-Medium Businesses and Public-Sector Organizations?
At this point, those working for small-and-medium businesses (SMB) and public-sector organizations may question the relevance of this article to their circumstances. All this digital transformation talk may sound like it only applies to elite multinational businesses or aggressive startups. The truth is, however, that customers, partners, and other stakeholders have come to expect a “Fortune 500” quality of experience from all organizations—public and private—with whom they do business.
Furthermore, organizations increasingly look beyond their own walls to consider the quality of the cybersecurity programs employed by their suppliers, service providers, and business partners. Today, widely publicized security breaches, such as attackers exploiting the weak security posture of a local heating and air conditioning contractor to attack the retail payment systems of a large home improvement goods retailer, weigh heavily on the minds of organizations dealing with third-party suppliers. Cybersecurity has suddenly become the priority of every organization in an increasingly hyperconnected economy.
Implications for Cybersecurity
Even as digital technology is transforming business, government, and society, it also transforms how we think of and practice cybersecurity. I see five key implications for cybersecurity in the digital transformation era:
1. From Security “Tax” to Business Enabler. As mentioned earlier, cybersecurity is rapidly evolving from a kind of tax that diverts resources away from opportunities for growth, profitability, and stakeholder experience satisfaction to an enabler and “bodyguard” for business innovation. The purpose of cybersecurity has evolved to the creation and maintenance of safe spaces for business processes and positive stakeholder experiences. Indeed, it’s almost impossible to write any kind of business plan for a new digital initiative that doesn’t take cybersecurity into consideration. Rather than framing it as an inhibitor, security leaders—and business leaders—need to couch cybersecurity as a positive enabler of their business value propositions—one that attracts and retains customers.
2. Protecting the Crown Jewels. In an earlier article on The CISO Collective, I argued that “to protect everything is to protect nothing.” Therefore, every cybersecurity strategy worthy of the name needs to distinguish between essential assets, processes, and people and those elements considered less important. Setting priorities is a precondition for making budgeting decisions. But I should warn readers that priorities can shift very quickly in the digital transformation era. How many taxi companies ever imagined that their antiquated dispatch and radio communications systems would become their chief business vulnerability when ride-sharing services attacked their market position?
3. What Could Possibly Go Wrong with High-Value Business Processes? In other words, where would a security compromise hurt the most? For example, a ransomware outbreak on a healthcare organization’s administrative computing network might be embarrassing and disruptive, but an attack on embedded systems-based patient monitoring, medical imaging, anesthesia, and life support systems could actually kill people.
4. Where Are We Vulnerable? What are the strengths and weaknesses of our organization’s security program? While some weaknesses might be easy to identify, such as inconsistent system update and patching processes and subpar threat intelligence capabilities, other vulnerabilities may be hiding in plain sight. It’s also true that attacker “innovation” has created many new and unexpected vulnerabilities that no one could have ever dreamed of. Addressing vulnerability now includes preparing for the unknown.
5. Where Are Our Customers and Business Partners Vulnerable? It’s bad enough that adversaries want to attack your organization to steal data, hold you for ransom, and/or disrupt operations. But they also seek to exploit your weaknesses as a springboard to attack others—and vice versa. While it is impossible to inventory every possible harm to every possible business partner, you can identify your “Crown Jewel” business partners (those that represent the greatest security and data risks), determine what kinds of interactions occur between you and them, and look for weaknesses in your defenses that could act as gateways for attacks on other parties. Unfortunately, in the digital transformation era, you really are “your brother’s keeper,” whether you want to be or not.
Security Fabric for the Digital Transformation Era
Global digital transformation on all business, public service, and social fronts calls for security solutions that can adapt to conditions where rapid change is synonymous with constant surprise. Over the years, Fortinet has evolved its products, services, solutions, and partner relationships into a comprehensive cybersecurity system—the Fortinet Security Fabric—that offers multiple virtues:
· Adaptive. Able to be configured and re-configured to meet changing cybersecurity challenges and customer business requirements.
· Connected. Products and solutions that talk to each other using a common language and OS, and that can openly interact with third-party products and solutions.
· Unified Visibility and Control. A single control console to view and manage all essential cybersecurity phenomena and functions.
· Borderless. Deployable at scale, from single-premise small businesses to dispersed global multinationals and across the entire digital attack surface, including complex, multi-cloud environments.
· Developmental Headroom. The ability to keep pace with escalating performance demands and new cybersecurity technologies, regardless of whether they originate from defenders or attackers.
While no company sells a “big red pill” to make all cybersecurity problems go away, the Fortinet Security Fabric offers cybersecurity defenders their best opportunity to transform security in step with the massive digital changes transforming the economic, governmental, and social landscape.