[BreachExchange] Digital Transformation And The CISO

[Destry Winant]

https://www.forbes.com/sites/forbestechcouncil/2019/09/16/digital-transformation-and-the-ciso/#415ef5a529ec

As a chief information security officer (CISO), how do you build a
cybersecurity practice that supports the digital transformation
efforts of a company?

Before founding what is now my current company nearly four years ago,
I spent most of my career in a practitioner’s chair as chief
technology and security officer with a financial group and earlier as
VP of corporate audit at an investment banking company. While these
are stories for another day, my experiences there are what drove me to
establish this company and to make the push toward risk-based
vulnerability orchestration across applications and infrastructure.
This shift in perspective means finding more effective ways to
integrate security tools into the existing digital environment without
impacting the speed of business.

It is important to remember that every company today, regardless of
its model, is a software company. From surgical robotics to autonomous
vehicles to beer distributors, all businesses are focused on bringing
better products to the market at a faster rate, which translates into
the need for a more robust software development life cycle (SDLC). And
because the software these companies bring to market must support
their business objective of maintaining ongoing customer and partner
trust, the role of security is always in play. In this way, the
digital transformation of any organization relies heavily on its
cybersecurity practices, a process based on three basic pillars:

1. Modernizing The Software Development Stack. Because these bundles
of software are what comprise the back end — from the operating system
to programming frameworks — and provide a layer for compatibility,
they remain a critical piece of the digital transformation process.

2. Moving To Microservices. An effective application programming
interface (API) strategy involves improving the speed and quality of
software development, which typically runs in a single process. By
breaking them into smaller “micro” parts with independent functions,
it becomes easier to implement and manage security.

3. Using The Cloud. Finding an effective cloud strategy that merges
traditional environments with the latest technologies is key to
building resilient and security-rich solutions for business.

In the past, I have met with a number of CISOs to discuss
strengthening cybersecurity across the SDLC, a conversation that
inevitably brings up the subject of digital transformation and how it
can be facilitated through proper support. Regardless of industry,
these executive leaders tend to share three significant concerns:

1. Achieving Visibility Across The Enterprise. Even though application
security (AppSec) teams share a tight connection with security
operations (SecOps) and vice versa, there is still a disconnect
between the two. CISOs are continually trying to tackle this issue and
gain a more holistic view of what’s happening in their environment.
And with so many silos functioning at once, this can feel almost
impossible.

2. Driving Security In A World Of Continuous Delivery. To keep
companies competitive in today’s digital market, IT teams are driven
to deliver applications and capabilities at a breakneck pace.
Realistically achieving this goal, while also ensuring effective
security, is hampered by fragmented tools and processes.

3. Aligning Security With Business Priorities. As companies move
through the process of digital transformation, certain critical
systems and services will remain at the forefront of the challenge.
Finding ways to align with these priorities while also maintaining
effective security practices is no easy feat.

When it comes to battling these concerns, there is no silver bullet
for success. If there were, you wouldn’t be reading this article. That
said, there are several places CISOs can look when trying to support
the digital transformation initiatives of a company, all of which
share a common thread.

• Understanding is the starting point for CISOs. It is impossible to
align risk with business if you don’t recognize what systems,
applications and services are most critical to the organization.

• Strategizing comes from a clear understanding of a company’s current
pipeline and processes, as well as the desired future state. As part
of this, an assessment should be completed to determine:

Capture KPIs: CISOs need to be familiar with their infrastructure and
how these assets tie back to the business. Which ones are critical to
a business line and must be closely watched to identify risk? Is there
an acceptable level of risk involved? Immediately aligning with the
business on these questions will allow for more focus time and future
attention.

Existing Scanning Tools: It is important to take inventory of both
open source and commercial tools, including those used for static and
dynamic code scans, composition analysis, pen testing and assessments
of container and vulnerability management. This process will help
CISOs better understand where visibility is clear, somewhat opaque or
missing altogether — and how it can serve as a roadmap for teams.

• Testing and learning never end. Using open-source scanning tools
offers a clearer view into what security gaps exist between priority
assets and existing tools when looking for vulnerabilities and risk
across the SDLC pipeline, while also checking the efficacy of current
scan tools. Can open-source close some of these gaps?

While it’s true digital transformation relies heavily on the
modernization of certain cybersecurity practices, we should also never
forget the need for human intervention. From managing workflows to
drawing insight across the organization, people are the driving force
behind the systems and infrastructure that underpin business today.
And as leaders in information security, CISOs must continually work to
ensure that force heads in all the right directions.