Consumers are demanding we offer outstanding user experiences and technology interfaces, and we need to strategize how we both safeguard and leverage ever-growing portfolios of data and systems to differentiate ourselves from our competitors. Yet, often our cybersecurity programs and business goals seem to be at odds. Digital transformation (DX) strives to provide outstanding customer experience, personalization, convenience, agility, and cost savings. None of these are traits most organizations would ascribe to their cybersecurity team! I offer below some high-level guidance to bring cybersecurity closer to DX goals.
Embed Security Into Your Culture and Processes
Security controls fall into three major categories: people, process, and technology. In many cases, organizations treat technical controls as the panacea that will safeguard assets from attack. Technology is scalable, configurable, and consistent in how it applies its rules. Yet technology does exactly what it was configured to do, not what was intended, which leaves opportunities for exploitation, often within weak processes and the human-elected shortcuts your culture tolerates.
For culture, look at what your organization rewards. Do good results justify breaking the rules? Can projects and changes push forward without consulting security? If you celebrate the “heroes/fire-fighters” that save the day when incidents occur, do you also reward the teams that develop reliable and secure applications? IT security processes such as patching, privileged access management, API security review and inventory, change management, and adherence to architecture standards are not glamorous, yet breakdowns in these core areas facilitate most incidents.
In addition to IT processes, business processes must support your goals. For example, with self-service being a DX standard for consumers, the business should define the "normal" expected volumes for transactions such as new account openings, profile updates, and other measurable key activities, so security can configure alerts that fire when those thresholds are exceeded. And business teams should be prepared to review those alerts, because security alone cannot tell the two likely causes apart: perhaps your DX offerings are more successful than anticipated, or perhaps this is a symptom of a well-engineered attack that leverages known business processes.
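As an added illustration of the threshold alerting described above (example code, not from the original article), the following Python script groups business transactions into hourly windows, compares each window's volume with a business-supplied baseline, and attaches the share of events coming from the single busiest source so the reviewing business team can tell diffuse growth from a concentrated burst. The baselines, tolerance multipliers, 50% concentration cut-off, and the event log are all constructed assumptions for the example.

```python
"""Threshold alerting on business-transaction volumes.

Added example, not part of the original article. The baselines, window size,
concentration cut-off and the event log below are constructed assumptions; in
practice the business owners supply the "normal" volume per transaction type.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Business-defined baselines (assumed values): expected events per window and
# the multiplier above which security raises an alert for business review.
BASELINES = {
    "account_open": {"expected_per_window": 2, "tolerance": 3},
    "profile_update": {"expected_per_window": 3, "tolerance": 3},
}

# Constructed sample log: (UTC timestamp, transaction type, source address).
# A quiet hour, then a burst of account openings from a single address.
SAMPLE_EVENTS = [
    ("2024-03-01T09:05:00Z", "account_open", "198.51.100.7"),
    ("2024-03-01T09:12:00Z", "profile_update", "203.0.113.4"),
    ("2024-03-01T09:40:00Z", "account_open", "203.0.113.9"),
    ("2024-03-01T09:55:00Z", "profile_update", "198.51.100.7"),
    ("2024-03-01T10:02:00Z", "account_open", "203.0.113.21"),
    ("2024-03-01T10:30:00Z", "profile_update", "203.0.113.4"),
    ("2024-03-01T10:48:00Z", "account_open", "198.51.100.33"),
] + [
    # Eight openings, one every five minutes, all from 192.0.2.50.
    (f"2024-03-01T10:{minute:02d}:00Z", "account_open", "192.0.2.50")
    for minute in range(0, 40, 5)
]


def parse_ts(stamp):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def bucket_events(events, window_seconds=3600):
    """Group events by (transaction type, window start) into per-source counters."""
    buckets = defaultdict(Counter)
    for stamp, kind, source in events:
        epoch = int(parse_ts(stamp).timestamp())
        window_start = epoch - (epoch % window_seconds)  # align to the window boundary
        buckets[(kind, window_start)][source] += 1
    return buckets


def detect_volume_anomalies(events, baselines, window_seconds=3600, concentration_limit=0.5):
    """Return one alert per window whose volume exceeds the business threshold.

    Each alert records observed versus threshold volume and how concentrated the
    traffic is on its busiest source, which is the detail a business reviewer
    needs to separate unexpected success from an attack on a known process.
    """
    alerts = []
    for (kind, window_start), sources in sorted(bucket_events(events, window_seconds).items()):
        baseline = baselines.get(kind)
        if baseline is None:
            continue  # No agreed baseline for this transaction: nothing to compare against.
        observed = sum(sources.values())
        threshold = baseline["expected_per_window"] * baseline["tolerance"]
        if observed <= threshold:
            continue
        top_source, top_count = sources.most_common(1)[0]
        share = top_count / observed
        alerts.append({
            "transaction": kind,
            "window_start": datetime.fromtimestamp(window_start, tz=timezone.utc).isoformat(),
            "observed": observed,
            "threshold": threshold,
            "top_source": top_source,
            "top_source_share": round(share, 2),
            "concentrated": share >= concentration_limit,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_volume_anomalies(SAMPLE_EVENTS, BASELINES):
        print(alert)
```

Run against the constructed log, the 09:00 window stays under every threshold and only the 10:00 account-opening window fires, with 80% of its ten events coming from one address. A window that exceeded its threshold with no dominant source would be handed to the business as likely growth; this one warrants a closer look before anyone celebrates.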
Enable Agility by Clarifying Risk Classification and Tolerance for the Entire Organization
If you asked three different groups – let’s say Sales, Customer Support, and Security – to assess the same scenario that contains some level of risk, you would likely receive three different risk classification levels. In all probability, your security team will classify it as “high risk.” Except for organizations that regularly deal with life safety, very few have well-defined matrices of what constitutes medium versus high risk. Almost all leverage vague qualifiers, such as material versus serious or severe harm. We need clear monetary amounts and thresholds – fatalities, volume of records exposed or corrupted, existing or new customers lost, etc. – to guide consistent risk classification and decisions.
Two of my favorite questions to ask when assessing the risk of a new initiative are:
- What are we doing today, versus what you’re proposing?
- What’s the risk if we don’t move forward with this?
Answers to both of these questions help set perspective for potential losses associated with missed opportunities as well as improved (not perfect!) security controls that may be gained over status quo. These questions, along with your other initial security risk evaluation questions, help form a consistent process for your business triage of where to allocate finite resources and time. If the risk level doesn’t rise to a defined threshold, then business can proceed without further security consultation. In other words, this is a “good risk” that falls within defined risk acceptance thresholds – let it run.
Include Detection and Response Capabilities in Your Security Strategy
One of the biggest strategy errors in security is to overspend on prevention mechanisms to the detriment of detection and response capabilities. Just as the risk determination above triages where to allocate your security team's finite time and resources, you need to spend your security budget where it provides the most value. There is no foolproof method to prevent undesired access to your systems; new exploits will always be created. In every breach case I've researched, there were multiple opportunities to identify and contain an event once the intruder was inside, yet multiple breakdowns in processes and culture enabled the intrusion (or error) to progress into a larger impact. Your detection and response plans should be ready for any significant event, regardless of the entry vector.
Further complicating detection and response readiness is the complexity of the shared responsibility models across the many as-a-service offerings (infrastructure, platform, and software) that comprise most "Cloud First" strategies. Even if you can detect anomalous activity in your on-premises services today, once you migrate them into a hosted infrastructure, platform, or software environment, will those alerts still function in the same way? If you receive an alert, who has the responsibility and the access to make any required changes to contain and minimize further impact, and within what timeframe? Make sure your vendors have the capability and the customer service mindset to partner with you through detection and response, and include relevant Service Level Agreements (SLAs) in your contracts. Finally, maintain an inventory of hosting agreements, RACI charts, SLAs, and contacts to streamline decisions and assign actions during events.
In our world of DX, the cybersecurity function becomes both a provider and consumer of customer experience, personalization, convenience, agility, and cost savings to support business goals. Is your team ready?