It is very likely that the COVID-19 pandemic forced your organization to accelerate its digital transformation (DX) strategies.
Doing it successfully and securely has been a challenge.
There are a lot of lingering questions:
- What do organizations do to transform their infrastructure to where it needs to be from a technology standpoint?
- What impact do your people have on the digital transformation process?
- How do you secure your new initiatives?
These questions and more were discussed in the recent SecureWorld webcast, The Challenges of Digital Transformation, Part 1, which is now available on-demand.
Security digital transformation (DX) starts with strategy
Sol Cates, Principal Technologist and Chief Technology Officer at Thales Group, explained why strategy and groundwork are essential to DX. And he emphasized that security plays a crucial role in keeping everyone on the same page.
"I see organizations doing a digital transformation: a migration towards cloud, or this sort of new focus on either serverless or hybrid architectures, and multi-cloud architectures.
This is where it strategically makes sense to deploy, or be highly available, as you grow your strategy of cloud. These are all very new things that organizations are working through, and one thing I would say is a challenge has very little to do with technology and has a lot to do with people."
As the global leader of research and technology at Thales, Cates is focused on improving understanding of today's challenges and tomorrow's hurdles, and developing solutions that address those problems.
"Those teams trying to accomplish a transformation journey, need to manage up—finding good ways to work with marketing, sales, and finance, for example. It takes the entire organization to successfully do this.
You must lead and manage with your peers, because quite often the executive leadership above you needs a sort of blueprint for success from you, rather than being able to try to figure out and dictate down the transformation. That's when I see a lot of wasted time and effort."
Cates then discussed some best practices and a crucial point: organizations must coordinate things so they can meet the business requirements and regulatory requirements, and still maximize options for success in the cloud.
And many organizations, he says, quickly realize during this process that they want to hold their own keys:
"We're really seeing a shift in the last couple years with more adoption of this key management style and more adoption of customer supplied and customer managed keys, because again customers are wanting to hold their keys, or they were required to."
DX and security responsibility within cloud
Tim Dierks is the Engineering Director for Data Protection at Google Cloud Platform, leading engineering teams and programs around key management systems and platform support for regulated customers.
During the SecureWorld webcast, he explained the landscape around data security, data residency, and enterprise key management including bring your own key (BYOK) versus hold your own (HYOK).
Dierks also discussed a key consideration in transformation: what is your organization's responsibility when it comes to securing data in the cloud?
"The original thesis is let the big cloud providers handle hiring all the security engineers to solve all the sticky little problems, and they will handle the problem and customers can just focus on the business.
However, I think every business out there is in a spot where we all have more data, and more data at risk, then we can confidently secure. I think for every CISO out there, none of us are truly confident that everything is 100% locked down, and that remains an ongoing challenge."
And while there continues to be huge and important challenges in how we will actually secure things, he says moving to the cloud means the opportunity to climb the ladder.
Climbing the ladder to the cloud is helping to solve some of our issues:
- Infrastructure security challenges solved in the cloud: you no longer need to worry about physical security of your data centers or hardware lifecycles.
- Vendors large cloud provider use are highly vetted and trusted.
- Encryption challenges improve because data is automatically encrypted in transit and at rest.
- Patching problems mitigated; now your cloud provider worries about and handles these actions.
Dierks also cited three new challenges to be considered, including transparency in the cloud, organizational policies and oversight, and role-based controls and management. And he talked about multiple benefits of a move to the cloud, as well.
Security controls keeping pace with digital transformation
Tony Sager of the Center for Internet Security (CIS) also joined the webcast. As Senior Vice President and Chief Evangelist, he leads the development of the CIS controls which many organizations employ on a daily basis as a best practice in security.
He has a unique take on transformation:
"Transformation for us is about being a fast follower. We're going where the technology is going. There's always new versions, patches, hot fixes, and changes."
And he says CIS controls are built to respond to the times we are living through right now:
"In security, we're not getting hit by billions of unique contacts every minute; we're getting hit by millions of repeats of a relatively small number of types or classes or patterns.
And so that gives you the opportunity to start scaling up defense and building it into infrastructure like some of the things I get to describe because it's all talk to me, right, I can't defend against everything. I can't take millions of dead data points to take action.
I need a way to translate all this sort of badness into a relatively small number of positive constructive things that I can do about it."
And Sager shared a few easily understandable examples of what that looks like, including this one:
"For all the parts of my IT environment, what's the best way at the component to configure it for best effect and security? You can't solve all security problems by configuring your desktop well, for example, but you can make a major contribution."
And there are things you can do to make a major contribution to security digital transformation at your organization.
If you are taking on DX or continuing with cloud adoption, take advantage of the insights from these three experts, now available on-demand on the SecureWorld platform: The Challenges of Digital Transformation, Part 1.
