Updated: Dec 23, 2019
Offering outstanding user experiences and technology interfaces is vital to attracting today’s customers—they demand it. So enterprises leverage ever-growing portfolios of data and systems to differentiate those experiences from their competitors’ offerings, while also strategizing how best to safeguard that information with cybersecurity programs. In this way, cybersecurity and business goals seem to be at odds.
Enterprises undertake digital transformation (DX) to provide outstanding customer experience, personalization, convenience, agility, and cost savings. However, it is doubtful most organizations would ascribe these traits to their cybersecurity functions. Based on my experiences, here’s some high-level guidance to bring cybersecurity closer to DX goals.
Prioritize Security in Enterprise Culture and Processes
There are three major categories of security controls: people, process, and technology. In many cases, enterprises consider technical controls to be the ultimate solution to safeguard assets from attacks. After all, technology is scalable, configurable, and consistent in its application of rules. However, technology functions exactly as designed, not as intended – this leaves opportunities for exploitation, often through weak processes and/or human-elected shortcuts supported by your enterprise culture.
When it comes to culture, take a look at the activities your organization rewards. Do good results justify the breaking of rules? Can projects and changes move ahead without re-engaging the security teams? Does the enterprise celebrate the “heroes/fire-fighters” who save the day when incidents occur; conversely, does the enterprise also reward the teams that develop reliable and secure applications that operate incident-free? IT security processes such as patching, privileged access management, API security review and inventory, change management, and adherence to architecture standards are not glamorous, yet breakdowns in these core areas contribute to most incidents.
In addition to IT processes, business processes must support enterprise goals. For example, since self-service is a DX standard for consumers, the organization should define “normal” predicted volumes for transactions such as new account openings, profile updates and other measurable key activities. Then security teams can program alerts when those activity thresholds are exceeded. Furthermore, business teams should be prepared to act on those alerts and determine whether new DX offerings are more successful than anticipated, or perhaps the increased activity is a symptom of a well-engineered attack leveraging known business processes.
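As an added illustration (not from the article), the threshold alerting described above in Python: a constructed self-service activity log is bucketed per hour and compared against hypothetical business-defined “normal” volumes, and each alert carries enough context for the process owner to triage it.

```python
from collections import defaultdict
from datetime import datetime

# Predicted "normal" hourly volumes per key self-service activity. Hypothetical
# numbers: in practice the business owner derives these from historical data.
NORMAL_HOURLY_VOLUME = {"account_open": 20, "profile_update": 50}
ALERT_MULTIPLIER = 2.0  # alert once observed volume exceeds 2x the predicted volume


def _constructed_events():
    """Constructed sample activity log of (ISO timestamp, activity) tuples."""
    events = []
    # 09:00 hour: quiet, within predicted volumes
    events += [(f"2019-12-23T09:{i:02d}:00", "account_open") for i in range(5)]
    events += [(f"2019-12-23T09:{i:02d}:00", "profile_update") for i in range(30)]
    # 10:00 hour: account openings surge to 45 (successful campaign, or scripted abuse?)
    events += [(f"2019-12-23T10:{i % 60:02d}:00", "account_open") for i in range(45)]
    events += [(f"2019-12-23T10:{i:02d}:00", "profile_update") for i in range(40)]
    return events


SAMPLE_EVENTS = _constructed_events()


def count_per_hour(events):
    """Bucket events into {hour_window: {activity: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for stamp, activity in events:
        window = datetime.fromisoformat(stamp).strftime("%Y-%m-%dT%H")
        counts[window][activity] += 1
    return counts


def find_threshold_breaches(events, normal=NORMAL_HOURLY_VOLUME, multiplier=ALERT_MULTIPLIER):
    """Return one alert per (window, activity) whose volume exceeds the threshold."""
    counts = count_per_hour(events)
    alerts = []
    for window in sorted(counts):
        for activity, observed in sorted(counts[window].items()):
            expected = normal.get(activity)
            if expected is None:
                continue  # not a monitored key activity; no baseline defined
            if observed > expected * multiplier:
                alerts.append({"window": window, "activity": activity,
                               "observed": observed, "expected": expected,
                               "ratio": round(observed / expected, 2)})
    return alerts


if __name__ == "__main__":
    for alert in find_threshold_breaches(SAMPLE_EVENTS):
        print(f"ALERT {alert['window']}: {alert['activity']} observed {alert['observed']} "
              f"vs predicted {alert['expected']} ({alert['ratio']}x) - route to process owner")
```

The alert itself does not decide between “offering more successful than anticipated” and “abuse of a known business process”; that call belongs to the business team named in the RACI for that activity.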
Clarify The Enterprise’s Risk Classification and Tolerance to Enhance Agility
If three different groups within the enterprise – let’s say Sales, Customer Support, and Security – were asked to assess a scenario and its level of risk, the answers would likely result in three different risk classification levels. In all likelihood, the security team will classify it as “high risk.” Except for organizations that regularly deal with life-or-death safety, very few have well-defined matrices of what constitutes medium versus high risk. Usually enterprises employ vague qualifiers, such as material versus serious or severe harm. Every organization would benefit from clear monetary amounts and thresholds – fatalities, volume of records exposed or corrupted, existing or new customers lost, etc. – to guide more consistent risk classification and decision-making.
I like to ask two questions when assessing a new initiative’s risks:
– What are we doing today, versus what is being proposed?
– What’s the risk if we don’t move forward with this?
Answers to both of these questions help gauge the potential losses associated with missed opportunities, as well as the improved (not perfect!) security controls that may be gained over the status quo. These questions, along with your other initial security risk evaluation questions, help establish a reliable triage process for allocating the enterprise’s finite resources and time. If the risk level doesn’t rise to a defined threshold, then the business can proceed without further security consultation. In other words, if this is a “good risk” that falls within defined risk acceptance thresholds – let it run.
Incorporate Detection and Response Activities in Security Strategy
One of the biggest errors in security strategy is overspending on prevention mechanisms to the detriment of detection and response capabilities. Similar to using risk determinations to allocate finite time and resources, enterprises should spend their security budget where it provides the most value. Certainly, there is no foolproof method to prevent undesired access into systems – new exploits will always be created. However, in every breach case I’ve researched, there were multiple opportunities to identify and contain an event once inside. Multiple breakdowns in processes and culture enabled the intrusion (or error) to progress into a larger impact. Your detection and response plans should be ready for any significant event, regardless of the entry vector.
Further complicating detection and response readiness is the complexity of shared security models within the multiple X-aaS implementations that comprise most “Cloud First” strategies. Even if the enterprise can detect anomalous activity now within on-premises services, once migrated into a hosted infrastructure, platform, or software environment, will those alerts function in the same way? If an alert is triggered, who has the responsibility and access to make any required changes to contain and minimize further impact – and within what timeframe? Ensure that vendors have the capability and customer service mindset to partner through detection and response, and include relevant Service Level Agreements (SLAs) within contracts. Finally, maintain an inventory of hosting agreements, RACI charts, SLAs, and contacts to streamline decisions and assign actions during events.
In the world of DX, the cybersecurity function becomes both a provider and consumer of customer experience, personalization, convenience, agility, and cost savings to support business goals. Is your team ready?
This article first appeared in Infosecurity Magazine