Digital technologies are fundamentally transforming how industries operate and provide value to customers. To keep pace with the disruptive forces of digital transformation, businesses must rapidly innovate to compete. However, these innovations introduce new cyber risks, as businesses adopt new technologies or leverage existing ones in novel ways, creating new pathways for cyber attacks. With the growing importance of digital innovation in business operations, products, and services, the potential risks and consequences of a successful cyber attack continue to increase, making the stakes higher than ever before.

To be successful, companies must ensure that their products, services, and business operations are proactively resilient to cyber attacks by changing the role of cybersecurity in digital innovation.

Proactive Resilience

When constructing a mountain road, builders do not simply decide on the road’s placement and wait for cars to fall off the cliff before implementing safety measures like guardrails. Instead, they analyze the nature of the road and its associated risks, and proactively put the necessary protective measures in place.

Similarly, in successful digital transformations such as e-commerce, banks and retailers do not deploy a means of exchanging sensitive information or conducting transactions and then wait for a breach before adding protective measures. Instead, they recognize the potential risks in advance and proactively implement cybersecurity controls as the foundation that safeguards against them.

When designing any new product or service, it is crucial to identify the conditions that are necessary for its success, safety, and scalability. In the context of a typical business transaction, such conditions might involve verifying the identities of both the buyer and seller, safeguarding confidential information, and providing proof of payment. It’s possible to establish these objectives in advance and anticipate any factors that might prevent them from being met.

By clearly articulating these objectives for a new business activity, one can identify and deploy the cybersecurity technologies required to achieve these objectives and efficiently manage the risks to them.

But traditional approaches to cybersecurity are largely at arm's length from innovation. Instead of incorporating security intrinsically into new products, services, and business activities, the conventional approach is to reactively apply cybersecurity controls in compliance with corporate security policies and standards. Under pressure to “move fast and break things,” it is understandable why development teams at times omit security altogether from initial product releases.

The problem with this approach is that deploying cyber controls without understanding, in detail, how a particular business activity works will invariably leave it unprotected while simultaneously interfering with its efficient operation. Essentially, you can’t protect something if you don’t know how it works.

While cybersecurity standards and the governance processes that ensure their application are helpful for maintaining good cybersecurity hygiene and safeguarding unchanging legacy business practices, they leave new products and services inadequately protected and interfere with the demands of digital transformation.

Organizations undergoing digital transformation face a dilemma: either fail to implement their digital transformation strategies, which are essential for corporate survival, or compromise their security by exposing themselves to unknown risks that they cannot manage, potentially leading to disastrous consequences.

To ensure that products, services, and business operations are proactively resilient to cyber attacks, a fundamental shift is needed in the role of cybersecurity and its relationship with the organization. Cybersecurity must expand beyond its traditional responsibility of safeguarding company computers to become an integral part of mainstream business innovation, sharing responsibility for both the protection and the creation of business value.

Integrate Cybersecurity Into Design

The first step is to incorporate cybersecurity into the initial design of products, services, and other technology-driven projects. To support the demands of traditional software development with regular release cycles, most large organizations have built formal governance processes that mandate cybersecurity reviews at checkpoints throughout the development lifecycle and in vulnerability testing after development is complete.

The problem is that security vulnerabilities discovered in these later stages of the product development cycle often send projects back to the drawing board with the effect of both slowing down the development process and risking costly redesigns to incorporate security features that could have been anticipated as part of the initial design. By integrating cybersecurity at the design phase, organizations can avoid these inefficiencies and ensure the necessary speed and agility needed to meet the demands of digital transformation.

Complementary Responsibilities

Initiating the design process with cybersecurity is a crucial step, but it also requires a significant shift in mindset regarding the collaboration between cybersecurity and design teams. In practice, product teams focus on building great products and features and have an understandable tendency to view cybersecurity as a hurdle to be overcome or, in some cases, avoided altogether. Meanwhile, cybersecurity teams focus on managing general risks to enterprise computers and assess the risks associated with the final product in that context.

To successfully incorporate cybersecurity into the design of new products and services, both cybersecurity and design teams must assume complementary responsibilities. Cybersecurity staff must provide security design and architecture advice and support, which may require new capabilities and skills. This demands a culture of collaboration, a service orientation, and the ability to provide cybersecurity design assistance, which is different from simply evaluating conformity with security standards and practices.

Product teams, on the other hand, must articulate the requirements of their products and services in sufficient detail to facilitate collaboration with cybersecurity staff. The most challenging part of evaluating the cybersecurity posture of complex systems is determining how they work and what they do. Once that is understood, determining the appropriate set of controls becomes straightforward.

By identifying the essential elements necessary for their project’s success and the consequences of potential failures, product teams and cybersecurity colleagues can work together to efficiently apply cybersecurity technology to securely achieve business objectives.

Through integrating cybersecurity as an essential element of innovation and fostering a shared responsibility for creating business value, companies can go beyond the standard risk assessments of their computer systems and proactively ensure the resilience of their products, services, and overall business operations against potential cyber attacks in the ever-changing landscape of digital transformation.