Over recent months, we have seen an increase in the number of sectors wishing to undergo a digital transformation. The benefits of doing so outweigh the costs, given the cost of cloud computing and the ability to scale without worrying about provisioning the underlying infrastructure. One key area that is often neglected is securing your digital platform, whether this is your existing infrastructure or your new platform. The journey of undertaking a medium to large scale transformation is also a challenge for the cyber security sector, given that many actions are taken without due consideration of the consequences.
Here at Complete Cyber, we have been involved in working with clients that have Enterprise IT systems that span geographically and consist of privately-owned Data Centres combined with hybrid Cloud estates.
Often, we are brought in to evaluate and assess these landscapes to determine the security posture and highlight the risks present within these environments. The issue with bringing in a cyber security consultancy at a later stage in any transformation is that the requirement for security has often not been built into those environments, nor into the organisation that must adopt it to secure the new landscape.
Being digital-ready and innovative is increasingly important given the current COVID-19 (coronavirus) situation. ‘Business as usual’ will need to adapt to a new age in which a return to normality will never be the same as before. This is supported by the increase in remote working and the need to access applications and systems remotely. This inevitably places a huge strain on availability and on the need to secure these systems to prevent data breaches and to prevent an organisation’s IT infrastructure from being exposed to potential attack vectors. Previously, companies would operate with limited access to their IT infrastructure and allow a minority of remote users access via a company-built laptop and a corporate VPN connection. The challenge now is that everyone is having to migrate to this approach, and therefore VPN servers, bandwidth considerations and the overall security of home users’ networks become a potential area for attackers to manipulate and gain access.
Another recent change brought about by the current lockdown is that consumers are increasingly turning to the internet and spending more on e-commerce sites. This brings issues regarding payment card information, which requires compliance with PCI-V3.2.1, and an increase in malicious actors who will be drawn to e-commerce sites and will look to exploit vulnerabilities in the application. With an increase in internet traffic to a particular site, malicious hackers will always be drawn to the crowd to look for ways to exploit a situation, and this requires organisations to be aware and to ensure their public-facing applications are as secure as possible.
With these changes in mind, the process for undertaking a digital transformation now faces a new set of security challenges that were not previously considered. The summary of these challenges is:
Remote working is often considered somewhat difficult when needing technical users to agree and work cohesively on a project
The difficulty in engaging with security SMEs at the start of a transformation project is likely to increase with remote working due to communication breakdown and approach to working in isolation
Access to Cloud infrastructure now has to happen from multiple access points rather than be geographically centrally accessed, making it harder to trace malicious traffic
Lack of early engagement relating to having defined security requirements means digital transformation projects often do not meet compliance needs nor are deployed to a satisfactory security baseline
Designing a cloud-first approach without first undertaking a risk assessment to assess any potential risks
Lack of security governance to adopt within a transformation programme
Unknown migration patterns whereby business applications have not been identified and checked for migrating. This often leads to last-minute adjustments in a transformation programme leading to corners being cut in regard to security assurance
Whilst these challenges are common observations from working with current and previous clients, this is often because of a lack of engagement with a security-based SME.
There are of course other problems when undergoing a digital transformation, and these have long been known as common issues many businesses face:
Security is never easy and often requires time & effort to implement and therefore is often left out or ignored – The path of least resistance
Justifications for additional spend don’t always support a business case. Security is about prevention and is not a guarantee that a breach or malware attack won’t happen
Appointing the right individuals with the required skills is difficult given the short timeframes transformation programmes last
Cloud security changes daily as does the threat surface making it difficult to tally a viable solution – again security is never easy!
All is not lost!
Performing or undergoing a transformation programme is not a lost cause when it comes to addressing the security gaps mentioned. Some measures within an organisation can often lead to significant impacts and this starts at the top!
Support at the Board Level
Security in any transformation programme is often successfully implemented when an organisation’s C-level board ‘buys into’ security as a need for the organisation. Here at Complete Cyber, whilst we remain a technical consultancy, we also support the strategic aspect of cybersecurity and have had success in providing oversight and advising CISOs, CTOs, CFOs and COOs on the need for implementing security in a transformation programme to ensure a ‘value add’ service is provided. This has led to budgets being allocated for specialist resources or to investment in small changes within the deployment process, e.g. introducing security tooling in the deployment processes.
Security is never easy?
Whilst security is admittedly a difficult area to tackle given the constraints it places on IT delivery teams, it is in place to ensure governance is implemented and to safeguard the resultant delivery from being targeted by malicious threat actors. The key to addressing this obstacle is to engage with the relevant security SMEs at an early stage of a digital transformation. By introducing security at the onset of a programme, there is a greater chance of success than of obstacles: being secure by design and adopting security governance become less of a barrier, and the programme can become more innovative.
Our team of security architects have been fortunate enough to be involved in assisting clients undergoing such transformations and to be able to influence our clients’ perception of introducing security at the earliest stage possible. This by far has the greatest impact, both in evolving cultural perceptions of security and in ensuring that securing your enterprise systems is done in accordance with a governance model to achieve a secure by design system. We believe in providing not only technically experienced security architects but individuals who champion security, to ensure we manage stakeholders appropriately and spread the message for securing your designs and deployments.
Utilising the right skills to fight security in a digital transformation
Whilst transformation programmes can last anywhere from a short time frame to several years, obtaining access to the right skillsets is often difficult, since the requirements call for specific security architect skills combined with knowledge of migration programmes that incorporate multiple functional disciplines. This is where a security-based consultancy can be utilised to take a high-level view of any transformation programme and coordinate the security steps required to secure the end product, for example assisting with the security of migrating IT assets into a new environment, typically cloud and on-premises based.
An additional benefit of utilising a cyber security consultancy is being able to plug the skills gap: consultants can be brought in for short or long term durations whilst providing cutting edge advice and guidance in securing your environments and deployment processes.
Cloud Security Changes Daily!
Whilst embedding security into the design and deployment process for any digital transformation is an absolute must, the key output is to ensure that the new world also supports operational security. In the cloud, there are multiple options for which security-based solutions need to be in place to continuously monitor your cloud infrastructure for potential malicious activity/attacks and to fulfil security compliance. Utilising a security architect with cloud expertise can be a major benefit in ensuring a secure baseline can be created to meet the needs of an organisation. This is especially important if an organisation has different maturity-based models regarding information security governance, since the balance between utilising commercial tools or combining commercial with open-source tooling is dependent on the maturity of ownership, skillsets and experience within an organisation.
Because Cloud changes daily due to continuous deployments that change both the infrastructure and application stack, having the right form of detection including compliance checking tools is critical for ensuring security in a digital-first world.
Justifying a budget for Security in the World of Digital Transformations?
Where businesses are transforming IT infrastructure from on-premises to a cloud-first or hybrid cloud infrastructure, costs can often escalate, but the intention is to maximise savings by utilising cheap computational costs and having scalability and reliability available at the click of a button. Whilst these benefits can be justified against agreed budgets, requesting additional funding for security is often seen as non-value-adding.
If you have concerns related to IT security or are currently planning/undergoing a digital transformation, then please get in contact for a discussion on how we can assist you in resolving any cyber security related issues.
We offer free cyber health checks to all new customers to provide an oversight into areas of your business that may require addressing with potential security controls.
Please visit our website where you can find out more information on the types of services we offer and to also discover our range of retainer-based models for securing our services on a short to long term basis.