Cyber security during digital transformation – how to reduce your operations’ vulnerability

Article

Business agility levels are critical to the degree of success companies enjoy in a rapidly changing world. But an increased degree of corporate agility also leads to a more complex IT landscape, with increased dependencies between different operators and service providers. And as the outside world becomes increasingly unstable, and the incidence of cyber-attacks on companies has increased in both number and intensity, cyber security has risen to the top of most companies’ agendas. But what effect does digital transformation actually have on companies’ vulnerability? And do agile operations mean greater security risks?

Digital transformation refers, in practice, to the change process that occurs within organisations that employ new technology to identify better ways of serving their clients, or to achieve new levels of operational efficiency through workflow reorganisations.

For many companies, the transformation that has taken place in recent years – and which was further strengthened by Covid – has involved migrating to the cloud in order to facilitate distance working, build competitiveness, and cut costs. Companies’ ability to adapt, to become agile, has never been as important as now – and the expression “survival of the fittest” has probably never been more apt. But how has this rapid rate of change affected companies’ vulnerability?

Stefan Lager, SVP Information and Cyber Security at Iver, believes that the transformation was unavoidable, but that the rate of change has been so rapid that many organisations are currently living with a technology debt. The change management work and growth has been organic in nature, and organisations have failed to get to grips with security work at the same pace.

Photo of Stefan Lager

Stefan Lager, SVP Information and Cyber security at Iver  

Agile operations don’t, in and of themselves, mean increased vulnerability, but an agile environment without a security architecture does – and very much so.

“What we’re seeing in many organisations nowadays is that they have experienced a rapid rate of change and that security has not always been a top priority during the change projects – it’s been something they’ve attempted to add on after the fact.”

 

Transform without increasing vulnerability

It’s no longer possible to work statically, with security divided up into servers, applications, and networks: rather, these elements are now combined into integrated environments. Everything is, furthermore, dynamic: clients and partners are given access, or maybe two companies are migrated, and new employees have to be given access to the environment. This new IT landscape imposes new requirements on security work. 

“Historically, if you made a mistake in an internal environment, you still had perimeter protection that could reduce the risk, but nowadays, with many people working in public cloud environments, a single mistake or single vulnerability can have substantially more serious consequences. Which is why companies need to build security into their solutions from the start in order to keep pace with the transformation without increasing their vulnerability.”

When agile principles are the key to a company’s competitiveness, security work must be structured intelligently to ensure that security does not slow the pace of operational development and growth.

“Security work will, to some extent, always impact agility – things go faster if you never carry out checks. It is, however, possible to build very effective security architectures that exploit the benefits of automation and modern tools to achieve the balance you need between risk and agility.”

The starting point when it comes to understanding where you, as a company, are vulnerable, involves understanding every component element and how they hang together. After which you need an operational risk analysis in order to understand what the risks are – and to draw up a plan for managing them.  

“You need, as an organisation, to ask yourself the following questions: what happens if we move all our sensitive data to Azure or AWS? What could happen? How can we protect ourselves? And when we’ve considered all those issues, how can we build the ability to detect the sort of things against which we want to protect ourselves? How do we verify on an ongoing basis that we have the protection level and detection ability that we believe we have – and that we need?”  

The abilities that a company needs to handle this include technology, processes, expertise, and resources:

  • Do we have the right expertise to evaluate technology choices?
  • Do we have the expertise and resources to conduct 24 hr security monitoring?
  • Do we have the processes for handling incidents on site, and are they tested?

 

Transforming securely – four things to consider

There are, in simple terms, four main components to consider, in order to transform securely: infrastructure, applications, access, and data.

Organisations must ensure:

  • that they have an infrastructure with built-in security, which is correctly configured, and which is continuously updated;
  • that security checks are built in both during the development of applications and after they are put into production;
  • that access to applications and data is granularly structured (Principle of least privilege) and protected by strong authentication;
  • that data is protected throughout its lifecycle (at rest, in transit, and at work).

 

Stefan Lager says that the most important thing when it comes to security in conjunction with digital transformation is to make security an integral part of every project and not to treat it as plaster than you stick on when everything else is done. An in-depth familiarity with one’s own environment and understanding of the threat scenario are key before one can proceed and design good protection. That having been said, it’s impossible to protect oneself against everything. So the next step is to draw up a detection ability plan in order to be able to detect incidents as quickly as possible, and to build incident response ability, to ensure that threats can be stopped in their tracks before they cause too much damage to the operations.  

“Agile methodologies are not just about technological shifts: they’re also very much about people and processes. What this means is that organisations must look at security work in an holistic way and build security in as an integral part of everything they do. It’s important to have a close relationship between different functions, e.g. those that detect threats and those that can quickly reconfigure equipment to limit the damage caused by this threat. It’s only when they adopt this approach that companies can reduce their vulnerability in the new IT landscape and, at the same time, ensure continued agility and future competitiveness.”

Would you like help with your cybersecurity work? We have extensive experience of designing and implementing security solutions that are tailored to your organisation’s specific requirements when it comes to proactivity, accessibility, and security.

Find out more about Iver’s cybersecurity offering.