Balancing Digital Transformation and Security

Charlene O’Hanlon and Andy Sealock from West Monroe discuss how IT teams can create a successful digital transformation paired with updated security protocols, and offer some examples of tactics successful companies implement during redevelopment and where others fall flat. The video is below, followed by a complete transcript of the conversation.

Announcer: This is Digital Anarchist.

Charlene O’Hanlon: Hey, everybody. Welcome back to TechStrong TV. I’m Charlene O’Hanlon, and I’m here now with Andy Sealock, who is the senior director of advisory and transformation at West Monroe. Andy, thank you so much for joining me today. I really do appreciate it.

Andy Sealock: Thank you for having me, Charlene.

O’Hanlon: Great. So tell me a little bit about your organization, West Monroe.

Sealock: Yeah, we’re a management consulting firm. We’ve been around for about 17 years or so. Kinda got the start back around 2003. Really had sort of a technology background, but over that time have really branched out and become a lot more sort of business advisor around that. So strong technology background turning into more general business consulting advisory.

O’Hanlon: Well, I can imagine over the last 18 months or so, you’ve had some pretty interesting conversations with organizations, especially around digital transformation and ways that they can improve their business processes.

Sealock: Yeah, there’s been a lot of that, and it’s been fairly impressive. Like most consulting firms, we were traveling around a lot. We were pretty worried at the beginning of the pandemic. And it’s really been interesting. We’ve been able to leverage collaboration and digital toolsets to really keep our momentum going. We were able to serve pretty much all of our clients and grow from there. And we’re looking forward to keeping that going as the pandemic ends. And I took my first business trip for a year and a half about last week.

O’Hanlon: All right.

Sealock: And you think, y’know, it’s gonna continue to be a hybrid working environment going forward; things are gonna change; but we have managed to be able to make progress through all of it.

O’Hanlon: That’s great. That’s great. So when you’ve been talking to your clients about ways that they can improve their businesses during the pandemic, I’m sure there was as many conversations about accelerating their business capabilities not only to – I don’t wanna say “take advantage of” the pandemic, but basically survive during the pandemic, but also kind of use the time to maybe improve the way that they do business so that they can really provide much more value for their customers.

  So as you have had those conversations, and you guys have worked with your customers, what has kind of been the main theme, if you will, regarding digital transformation? Are we beyond survival mode and now kind of into more of that thriving mode for organizations?

Sealock: Yeah, yeah, I think we are definitely beyond survival mode at this point. Obviously not across the board; there are obviously inequities, and some sectors are doing better than others. But in terms of a broad swath of the Fortune 1000, folks really are starting to set them up for growth from here on out. Now, some of the survival mode did accelerate, I believe, some innovative thinking, and if anything, there has been more demand and we’re seeing more traction from our clients around digital transformation. 

  And interestingly enough, security has been at the forefront in many cases of “How do you do that?” Talking about a lot, one of the conversations we usually have up front is, “Well, what do you mean by digital transformation?” So I think it means a lot of different things to a lot of different people. And I think for the purposes of our conversation here, I think the view that is probably gonna be most applicable is kind of using it as a useful lens to refocus what has historically been long sought after but not always achieved outcome of the IT function – that’s the ability to actively enable the business, on its terms, to be successful at a market. And the view that we tend to take on it, that this aspect of digital transformation, we’ve really taken a more – and many of our clients are taking a more – product-centered view of IT. Treating IT outcomes more like an external market offering of our digital product that’s going to succeed or fail based on consumer demand, whether that consumer is a customer or an employee. So I guess that was sort of the first ones that is – But some boundaries around, “What do you mean by digital transformation?” and that’s the one that we’re seeing most often right now, is the digital productization. 

O’Hanlon: Right, right. Well, y’know, we’ve had conversations also with organizations that are looking at digital transformation more from the lens of, “How can I better enable my internal business processes to align with what the customers are looking for today?” And considering the fact that so many customers had to pivot their entire lives, and shelter in place, and do everything online, it was a huge and massive and very, very expedited digital transformation process for so many organizations. And it’s ongoing. 

  I mean, I guess we should definitely say that digital transformation never really ends.

Sealock: Right.

O’Hanlon: But I’ve also kind of, in my conversations with folks, realized that because so many organizations did pivot quickly and adopt these new technologies to accommodate their customers, there were not as many conversations around security as perhaps there should have been. To the point where a couple conversations that I’ve had, people are saying, y’know, “The second phase of digital transformation is going to be a number of organizations actually going back and correcting the mistakes that they made in the first phase of digital transformation.” 

  So I’m sure you guys didn’t see as much of that, because you’re helping your customers with their digital transformation in a much more thoughtful and process-oriented way. But for organizations that were just like, “Give me the technology, and give it to me quickly, so that I can do what I need to do,” we’re now seeing that. So do you expect that Digital Transformation 2.0 is going to focus much more on security and kinda correcting those problems?

Sealock: Yeah. Well, I think it’s already there. I think it’s already upon us. What we’re seeing, it’s less about necessarily going back and correcting existing mistakes. It’s more gonna be about evolving to have useful, secure digital products going forward. And it’s a very different way to engage with security. It really requires you to have them as part of the team, as much as your testers or your developers or anybody in a true, say, DevSecOps implementation. Your cybersecurity specialists are gonna be right there at the very beginning, working with the product manager, working with the developers’ teams, the testers. 

  It’s really more changing that old security mindset of this sort of external quality gate that you do at the end, and it’s more about being that you continually encode and build security in the product development process from the very beginning. And it sounds what you _____ _____, but we see it, it’s happening right now, and I think it’s becoming the normal way of doing things. It just, it works so much better.

O’Hanlon: Yeah, well, DevSecOps is definitely being embraced by more organizations, especially those that are very adept at DevOps to begin with. There is a level of complexity associated with it, though, that is an obstacle for some organizations to overcome because of that culture shift that – Perhaps with DevOps it was easier for organizations to kinda shift our mindset to a DevOps mindset. But now including security as part of that conversation I think is a little larger barrier for many organizations and dev teams to kinda get over.

  So do you have maybe any advice or best practices that you would offer up for organizations as they kind of adjust their mindset?

Sealock: Yeah, there’s a few things. There are some sort of more technical and operational methodologies and processes, and I’ll get to those in a minute. But since you started with the culture shift, let me start sort of with that. And some [interruption in audio] quite frankly, it was really incumbent upon security. I like to put the onus on them to make it easy to insert themselves in the process and get ’em to be as much a part of the team as the product owners, as the developers and the testers. 

  And I think they’re starting to realize that if you’re gonna be successful digital products, which means you’ve gotta get ’em to market fast – you sort of launch fast, feel fast, take in the consumer feedback, incorporate it, refine the product, make it better over time. ’Cause this is all about driving adoption.

O’Hanlon: Right.

Sealock: That’s how digital products succeed or they fail. You drive adoption. And you can’t have ’em so locked down from a security perspective. They don’t have the functionality, or they’re just so difficult and kludgy to use. You’d have to keep reauthenticating and reauthenticating, and that kills product adoption. So what many, I think, of the more progressive security functions are doing are they’re making sure in addition to having the technical acumen, they’re also building in business acumen. 

  So you don’t want the product managers or product owners to not want to put the call into security, ’cause then they’ll crust the project up front. They can’t be the team of “no.” They have to be the team of finding out, “Well, we’re gonna launch the product. We’re gonna have this functionality. We’re gonna be successful in the market. Here’s some alternatives of how we could build it more secure versus less secure. And we’ll adopt that for the risk/reward profile of the product.” So it’s a different mindset. 

  It’s, I think, a little bit of a different skillset – again, that business acumen. But more and more, I think, the security functions are learning you’ve gotta be easy to do business with, with the rest of the product development team. So that’s kind of a governance and a cultural shift that – again, that we see the progressive security functions doing the things to make it easier for the teams to call ’em in early. 

O’Hanlon: That’s a great point. That cultural shift is super important. But actually recognizing and kinda putting the guardrails in place, also, to make sure that everybody has what they need, when they need it I think is super important as well. Are you seeing more of your clients then kind of adopting that DevSecOps mantra and attitude within their organizations as they do kinda push their digital transformation efforts farther?

Sealock: Yeah, it is starting. And again, I think people are realizing that it’s necessary. ’Cause in addition to having functional, valuable, easy-to-use digital products, they’ve gotta be secure digital products. Same thing. This is all about product adoption. What’s the fastest way to kill a product’s adoption? One of the fastest ways? Well, if consumers can’t trust the app with their sensitive and confidential information. So it’s gotta be all these other things. It’s gotta be fast, it’s gotta be flexible, it’s gotta be useable, it’s gotta adapt, and it’s gotta be secure.

  ’Cause once you’ve lost the trust, you’re never gonna get that back. And again, it sounds a little bit about having your cake and eating it, too, and not necessarily buying into the traditional trade-off of, it’s gotta be useful and flexible or secure. You can do some of both, but being a bit smarter about it. And the folks I think from a DevSecOps perspective will recognize some of these best or better practices. And to some degree I’ll put a bit of an onus on the security group.

  One of the things that they can help do is focus on secure application coding practices and effective training for your developers. If your developers are fully trained up on your secure coding methodology, and keenly aware of it from the beginning, well, you’ve already moved the ball relatively far, right up front – building security into the development process up front. And that doesn’t take extra time. That’s not slowing you down. It’s a bit of investment up front, getting the developers trained on secure application coding practices. 

  But once you do that, that’s a very good example of building security in from the beginning. Same sort of thing on the other side of that is, especially if you’ve got your automated CI/CD pipeline, building in automated code and artifact scan. So as soon as the developers, as they’re putting in their little bits of code, the new code for the next version of the product, making sure that that’s being scanned for those very same secure coding practices that you were training on before, and you get that uplift there. 

  Again, this is not adding time to it. And scanning as well the actual artifacts of the development. You can automate the scanning looking for malware, looking for security vulnerabilities – old patches that are _____ _____ that need to be updated. These are all things that build security into your code from the beginning, and if you set up your tooling correctly and keep it configured, you’re not slowing things down. And that’s the beauty of it. This is building security into the process from the beginning without slowing the process down. 

O’Hanlon: Yeah, well, that makes a lot of sense, and we talk about DevOps as being the people, processes, and technology, so – And it seems like with DevSecOps, we are there from a process and technology perspective. We’ve got the things that need to be implemented to make DevSecOps work. It’s just that third, that culture/people, kind of that leg of the stool, if you will, that really seems to be what’s holding some organizations back. 

  So I think as we move throughout the year and we see organizations that have successfully undergone a digital transformation that has included culture as much of a consideration as the processes and the tooling, the technologies, then I think maybe we’ll see larger uptake from other organizations that can learn from those that have done it so well. But Andy, thank you so much for having the conversation with me today.

  It’s always great to hear about when digital transformation is done well, and companies are successful in being able to just work the marketplace, and make it work for them. So thank you again for your time and your expertise. Really do appreciate it.

Sealock: Thank you for having me. It was a great time.

O’Hanlon: Okay, great. All right, everybody, please stick around, ’cause we’ve got lots more TechStrong TV coming up, so stay tuned.

 

[End of Audio] 

 


Charlene O’Hanlon

Charlene O’Hanlon is Chief Operating Officer at Techstrong Group and Editor at Large at Techstrong Media. She is an award-winning journalist serving the technology sector for 20 years as content director, executive editor and managing editor for numerous technology-focused sites including DevOps.com, CRN, The VAR Guy, ACM Queue and Channel Partners. She is also a frequent speaker at industry events and conferences.
