Author: Ivo Georgiev
Historically, businesses have used computers on site, managed their own infrastructure, and employed IT resources to take care of and support business needs. In the last decade, however, new technologies have become mainstream. Cloud-based computing, mobile computing, increased (and cheaper) access to data storage, artificial intelligence and machine learning, software-defined networking, and the Internet of Things (IoT): all these technologies have the potential to make businesses more efficient and profitable.
Digital transformation — the risks
Digital technologies carry security and privacy components. When security is not properly managed, critical business processes may be exposed to very significant risks. Businesses could be vulnerable to hacking attacks, and their data — or the data of their customers and partner organizations — could be extracted, exposed or used in criminal activities. Privacy legislation and data security regulations exist emphasizing the need for businesses to protect the data that they have custody of, and to protect the privacy of the people and the businesses they are working with.
The role of the security architect
Engaging a security architect is a critical step in the planning stage of the digital transformation process. The senior security professional will work with key business stakeholders to help define the security processes and controls needed to protect core business operations and the digital assets they depend on. It is unfortunate that many organizations apply a reactive approach to information security, calling the firefighters only after the house is already on fire rather than proactively working to reduce the security risk they are facing before a security incident occurs.
The dependency of businesses on integrated digital technologies and services keeps increasing. Reactive organizations are often not well prepared to quickly detect a security breach, contain the spreading of the attack through their IT environment, eradicate the threats and recover the affected business processes to normal operation.
Without proactive security planning and risk management, many businesses suffer severe financial and reputational damages as a result of privacy and security breaches. Small and medium size companies are at increased risk of not surviving a cyber attack.
What does a security architect do?
The security architect helps the business identify the assets that need to be protected, assesses the associated information security risk and identifies the security governance processes and controls that are needed. In the next phase, the security architect determines the people, processes and technologies that are necessary to carry out the security function in the organization and protect its core business activities.
There are several critical tasks that the security architect is responsible for. The process begins by identifying the business assets that must be protected: these include critical business processes, personal information, business data, essential IT services, infrastructure and communications facilities. Assets are prioritized based on their criticality to the business.
In the next phase, threat modelling is conducted to identify the most likely avenues of attack and the potential business damage that might result, if the attacks are successful.
Finally, a baseline security assessment is conducted. This involves determining the current state and effectiveness of existing security controls throughout the organization and its IT environment including business applications, computer networks, data centers and cloud-based services.
The result of this assessment is a report of findings and recommendations providing executives with a clear description of the current security maturity level of the organization and the suggested remediation activities to be implemented to close identified privacy and security deficiencies.
Maintaining a good security posture through the digital transformation process
Adopting an information security management framework such as ISO 27001 enables companies to be proactive and meet data security regulations while reducing the associated compliance costs.
A privacy impact assessment will review a business process, and assess how personal information is protected from the moment it is obtained, while being processed, in storage, in transit and until it is disposed of. This activity supports the efforts of a company to provide privacy assurance to its employees, customers and business partners, and comply with privacy legislation like GDPR.
People remain the weakest link in the security chain and often become victims of phishing, whaling and other social engineering attacks that could have devastating consequences for the business. Delivering an up-to-date security awareness program will help train employees how to recognize these threats, report them and avoid serious security incidents.
Maintaining good situational awareness and a well-exercised incident response plan will further reduce the security risk during and past the completion of a successful digital transformation. This means continuously monitoring the business and IT environment, so that successful attacks can be quickly detected, contained and remediated.
Digital transformation and risk management
Risk management is a critical element of the digital transformation process. It has very significant business, security and technical consequences. Businesses implement risk management programs to control and reduce the risks associated with their operations to a business acceptable level.
Risk management practices enable executives to optimize the digital transformation budget by allocating funds to technology implementation and integration activities addressing interdependencies associated with the most risk first.
Engaging the right people, including the security architect, early in the planning stages of the digital transformation process, lets an organization reduce the security risk and increase the probability of a successful outcome by correctly assessing which business processes needs to be transformed, what operations will be affected, how the transformation will proceed, and what the post-transformation landscape will look like.
The implementation of appropriate security governance paves the way for a successful digital business transformation. It helps the company ensure adequate controls are in place to secure business operation and critical business data at a significantly lower cost than if security needs to be retrofitted after the completion of the transformation process.