Digital Transformation Without an Equivalent Security Transformation is Leaving Organizations More Vulnerable
2018 is lining up to be the year of Digital Transformation. Just about every organization looking to remain viable in the growing digital marketplace has some sort of digital transformation in progress or one in the planning stages for this year. These projects range from implementing basic applications to better interact with online consumers, to converging OT and IT networks, or even pushing their entire infrastructure to the cloud.
But digital transformation without an equivalent security transformation is leaving organizations more vulnerable than ever. The results are alarming. According to Gartner, nearly $90 billion was spent on information security in 2017 and is expected to top a trillion dollars over the next five years. But cybercrime over that same period is expected to continue to rise. In spite of our efforts, we are falling further and further behind.
Part of the problem is the expanding human attack surface. Over half of the world’s population is now online, with a growing percentage of consumers that don’t remember a time before the Internet. And that number is expected to hit 6 billion by 2022. It is this group that is driving digital transformation, whether they want real time access to data, transactions, and services as consumers, or are demanding highly flexible and dynamic tools and solutions as employees.
The other part of the problem is the expanding digital attack surface. The growing adoption of IoT devices and networks, the geometric growth of traffic driven by applications and big data, the creation of complex and highly elastic multi-cloud environments, and the number of highly mobile users demanding network access from anywhere on any device has pushed IT resources to their limit.
Of course, in addition to the expanded network becoming more complicated, IT is also under pressure due to a growing cybersecurity skills shortage. By 2021 there will be 3.5 million cybersecurity positions open, and only a fraction of skilled candidates capable of filling them. Which means our current method of filling security gaps with yet another device that requires additional resources to manage and maintain in order to simple keep up with the geometric expansion of our networks is not sustainable.
And finally, all of this is being compounded by the second phase of digital transformation, which is the convergence of traditionally separate systems. We aren’t just building cloud infrastructures. We are adding them to our traditional networks. Think about smart phones, smart cars, or smart cities. Applications and physical resources are being combined in ways that may streamline services, but that also have seriously complicated consequences when it comes to security. Critical infrastructure and key resources like energy are now being actively and automatically managed in response to events.
Smart businesses are also being actively developed. In order to increase efficiencies and profitability, traditionally isolated OT systems are starting to be converged with IT networks to do things like tying manufacturing floors to global market data to automatically support just-in-time inventory and flexible, on-demand production.
Digital transformation is also creating a whole new set of risks that, especially where critical infrastructure is involved, could have potentially devastating consequences.
Part of this problem is our own fault. We tend to approach changes to our infrastructure as individual projects rather than as part of a holistic transformation. We implement new systems and technologies, and tend to deploy isolated, one-off security solutions to address a new challenge in a new environment. Unfortunately, most sophisticated attackers take advantage of the seams that exist between these projects, exploiting vulnerabilities in one part of the network to gain access to another.
To solve this challenge, we need to see security transformation as a critical component of digital transformation. We start by assuming that everything will, one way or another, eventually be connected to everything else. Addressing the security challenges of digital transformation requires simplicity rather than compounding its complexity. You can start by building your digital business infrastructure around the following six security principles:
1. Develop a holistic security plan with unified policies and protocols that looks deep into the future and stick to it. Revisit this plan on a regular basis.
2. Build your security around open standards so everything can connect to everything else, even as plans and solutions evolve. Any solution being considered that can’t also actively contribute to the larger security picture needs to be reconsidered.
3. Establish single-pane-of-glass visibility for centralized management and orchestration. This should also include an active inventory of all devices on the network, as well as an assessment of their state of vulnerability tied to indicators or compromise, and an active plan to patch, protect, or replace at-risk devices. Centralized coordination also allows your security system to expand and adapt dynamically as network systems and resources shift and evolve.
4. Share and correlate threat intelligence, both local and global, so that every device is tuned to the latest threats. This needs to include things like SIEMs and sandboxing in order to detect complex or day zero threats.
5. Use your open standards-based security framework to enable active coordination between devices in order to respond to a threat, regardless of where it occurs across your distributed and elastic network.
6. Apply automation and artificial intelligence everywhere possible - because your cyber adversaries are. The time between breach and compromise is dropping by the day, and will soon be measured in microseconds. We no longer have the luxury – or resources – to hand correlate data and then manually respond to a threat.
Digital transformation is impacting every aspect of our professional and public lives. If we set aside our usual way of doing things and approach it from a consistent and holistic fashion, it will transform our society. That’s not hyperbole. It’s a simple fact. Likewise, if we continue on our current trajectory of piecemeal solutions and haphazard security, the results could be catastrophic, and organizations that don’t approach this carefully, right from the beginning, are not likely to survive.
This byline originally appeared in SecurityWeek.
For more information, download our paper and learn about the top threats that enterprise security leaders are being forced to address and the security approaches to evalutate to protect against them.