Cybersecurity a Central Ingredient in Evolving Digital Business Models

Cybersecurity a Central Ingredient in Evolving Digital Business Models
Author: Chris Dimitriadis, Chief Global Strategy Officer, ISACA
Date Published: 3 September 2019

About the only thing shifting as fast as the cyber threat landscape is the typical enterprise’s org chart. As enterprises aim to keep pace with the rapidly evolving digital economy, many are restructuring internal departments, hiring criteria and the processes by which they develop and distribute products, all with the overarching objective of becoming more proficient at rapidly responding to new opportunities in the marketplace. In making these well-intentioned adjustments, the ability for enterprises to establish robust, broadly integrated cybersecurity as a core capability of their recalibrated operation will be one of the best predictors of whether these changes will prove successful.

The Expanding Footprint of Data in the Enterprise
The degree of difficulty in achieving solid, enterprise-wide cybersecurity posture is difficult not only because cyber threats continue to grow in volume and sophistication, but because of the expanding footprint of data in the enterprise. Call data the new gold, the new air, the new oil – whichever metaphor you prefer – and the reality remains that the need to leverage data is becoming increasingly essential across lines of business. That is one of the main reasons why security teams must not look at themselves as the sole implementer and enforcer of sound security practices, but rather spread security awareness and adoption of clear policies with their colleagues as an ongoing, sustained point of emphasis. More than 8 in 10 respondents to ISACA’s research say that establishing a stronger culture of cybersecurity would increase their organization’s profitability, and this will only become more on-target as organizations increasingly embrace digital business models. The rising profile of data analytics factors in heavily, as referenced in a recent McKinsey article, which noted that “as companies adopt massive data analytics, they must determine how to identify risks created by data sets that integrate many types of incredibly sensitive customer information. They must also incorporate security controls into analytics solutions that may not use a formal software-development methodology.”

The cloud is another area in which proactively bolstering security capabilities will be critical in the new enterprise environment. While cloud computing is certainly not new, turning to cloud providers has become increasingly attractive for many enterprises whose traditional server-based approach no longer is sufficient for storing and protecting their data. Modern cloud platforms supply enterprises with an array of options that provide data storage and protection that can lead to dramatically improved scalability and flexibility. While new, sophisticated security capabilities are being integrated into today’s cloud platforms, these capabilities are not always integrated into organizations’ security programs, whether due to discomfort with trying new approaches or just the challenge of carving out time to explore them amid the usual, day-to-day challenges. This is a missed opportunity for enterprises to enhance their security programs and derive additional value from their investments in the cloud.

Turning DevOps into DevSecOps
Another dynamic elevating the importance of broader integration of security principles is DevOps. In an era in which business velocity can reach a dizzying pace, enterprises have turned to DevOps to move faster and more efficiently in their builds, deliveries and deployments. The problem is, security oftentimes is an afterthought in this process, which puts developers in the difficult position of trying to figure out security best practices on their own. Working security into the DevOps program – referred to as DevSecOps – allows the security team to become involved during the design phase and ensure that critical security flaws are identified and addressed before they require costly fixes that become increasingly costly later in the process. Similarly, Agile development methodology needs to take cybersecurity considerations into account, such as ensuring that all data is properly categorized and that a comprehensive, risk-based approach to safeguarding the data is in place.

Historically, we have seen enterprises are typically more attentive to positioning themselves to sell products and increase revenue than to protecting themselves and their customers from security threats. But as we near a new decade – the 2020s – the pace at which enterprises will realign to thrive in a technology-driven digital economy will only accelerate. We remain in the early stages of this era of digital transformation. Consider the way technologies such as artificial intelligence/machine learning, robotics, and the ongoing proliferation of connected devices will create new business opportunities that result in new methods of product development and ushering products to market. Anything less than deeply ingrained cybersecurity throughout the enterprise will not work going forward. By integrating sound cybersecurity practices in all areas of the organization, implementing new security capabilities that are baked into modern cloud services and turning DevOps into DevSecOps, enterprises will have the flexibility to re-imagine their business models while retaining a stable foundation on which to innovate.

Editor's note: This blog post originally appeared in CSO.