[BreachExchange] CISOs Weigh In On Managing Digital Transformation Risk

[Destry Winant]

https://securityboulevard.com/2020/01/cisos-weigh-in-on-managing-digital-transformation-risk/

Around the world, companies in every industry are executing digital
transformation initiatives to accelerate the pace of innovation, gain
a leg up on the competition and improve business performance. As part
of this push, they’re embracing DevOps methodologies, cloud platforms
and on-demand applications and services to increase business agility
and improve economics. Meanwhile, advancements in artificial
intelligence, the internet of things (IoT) and robotic process
automation (RPA) are helping enterprises transform raw data into
meaningful insights and improve productivity.

But, in an era of ubiquitous data, Chief Information Security Officers
(CISOs) and security leaders face a host of new challenges their
predecessors never encountered. In many ways, it’s like the Wild West
as users access on-demand applications from any location using any
device. In this new unchartered territory, the risk to confidential
data is expanding along with the cyberattack surface.

Security leaders recognize the urgency of a fresh approach to
cybersecurity and risk management yet are struggling to drive change
within their companies. A PwC Digital Trust Insights survey1 reveals
only 53 percent of companies take a proactive approach to
cybersecurity by building risk management into digital transformation
projects fully from the start.

Making decisions regarding risk management is a core function of the
CISO, but they don’t always get the support they need to make those
decisions stick. CISOs face a formidable challenge: they’re jockeying
for executive mindshare and adequate funding for new programs, all
while working to evolve long-standing corporate cultural practices and
increase awareness.

Five Digital Transformation Secrets to Success from CISOs on the Front Lines

So how can security leaders overcome these issues and become
accelerators for digital transformation? Together with PwC, we sat
down with a number of CISOs who played an active role in
transformation projects to understand their keys to success. Five
common practices emerged from these conversations, which are outlined
in a new whitepaper, Managing Risk in the Digital Era.

Among the revelations is the importance of assessing risk for each
digital transformation project individually.

With threats coming from every angle, it’s difficult to prioritize
cybersecurity projects and investments. Yet given ever-tightening
budgets, CISOs are forced to make tradeoffs about which security
projects and services they prioritize. The CISOs we spoke with
stressed the need to assess risk on a project-by-project basis to
effectively evaluate security and compliance concerns and make the
best investment decisions.

According to one CISO of a major insurance provider, “There is no
one-size-fits-all solution. We assess the risks of every project and
every third-party provider individually, and make decisions
accordingly.”

By taking a close look at each project, determining the type of data
each application consumes, evaluating both internal and external
threats and assessing all the systems and vendors involved across the
entire application lifecycle, CISOs can reduce exposure and ensure
security investments deliver the greatest return.

Other common practices successful CISOs employ to raise security
awareness, tear down silos and improve digital transformation outcomes
include:

Factor in security considerations from day one. By building strong
relationships and working closely with technology leaders and
line-of-business peers to ensure security is built into every project
from the onset, CISOs can help the organization improve results.
Foster a security-first culture and mindset. CISOs who focus on
improving communications and knowledge – from offering training
courses to educating teams on the latest trends – are taking key steps
to make security a core competency.
Weave security into DevOps systems and practices. CISOs should
champion the integration of security into every phase of the DevOps
process (i.e., automating security testing, integrating vulnerability
analysis) to contain risk without slowing down the pace of
development.
Improve communications with senior executives and the board. Learning
how to communicate security risk in meaningful, relatable terms can
help CISOs improve executive awareness and secure funding for critical
cybersecurity initiatives.

By assessing each project individually, increasing cybersecurity
awareness, building security into the corporate culture and improving
executive-level communications, forward-looking CISOs are meeting
digital transformation challenges head on. Download the whitepaper or
tune in to our recent Data Breach Today podcast, “Digital
Transformation: The Privileged Access Imperative” to learn more.