Digital transformation: security nightmare or hidden opportunity?

Mov­ing from lega­cy sys­tems to the cloud, deploy­ing new tech­nolo­gies and mak­ing greater use of data can present seri­ous reg­u­la­to­ry and secu­ri­ty chal­lenges. How­ev­er, it inevitably push­es the need for a water­tight cyber­se­cu­ri­ty strat­e­gy up the cor­po­rate agen­da too, which is good news for gov­er­nance lead­ers keen for cyber­se­cu­ri­ty to be tak­en more seri­ous­ly. Is dig­i­tal trans­for­ma­tion a secu­ri­ty night­mare or a hid­den oppor­tu­ni­ty?

Senior stake­hold­ers who might pre­vi­ous­ly have been on ‘team night­mare’ may have switched sides dur­ing the pan­dem­ic, or at least see dig­i­tal trans­for­ma­tion as less of a threat now. “The world has shift­ed from risk-based aver­sion to dig­i­tal trans­for­ma­tion to think­ing about it in terms of com­pet­i­tive advan­tage or a unique dif­fer­en­tia­tor for their busi­ness,” says Liam Healy, SVP & man­ag­ing direc­tor of Dili­gent, a lead­ing gov­er­nance, risk and com­pli­ance soft­ware-as-a-ser­vice com­pa­ny.

In addi­tion, 83% of board direc­tors recent­ly iden­ti­fied cyber­se­cu­ri­ty as a top pri­or­i­ty, accord­ing to research by the Tri­cor Group and Finan­cial Times Board Direc­tor Pro­gramme. How­ev­er, less than half of respon­dents report­ed that their boards had actu­al­ly tak­en action to improve cyber­se­cu­ri­ty dur­ing the pan­dem­ic. This sug­gests that gov­er­nance, risk and com­pli­ance lead­ers still have work to do to push cyber­se­cu­ri­ty improve­ments over the line. Where should they start?

“They need to under­stand the oblig­a­tions of the busi­ness – the risks they have to man­age to be com­pli­ant – but also shift their focus towards the over­all strat­e­gy of the busi­ness, and how to part­ner more close­ly with col­leagues in the IT and infor­ma­tion secu­ri­ty team,” Healy says. 

They also need to have a good grasp of how infor­ma­tion enters and moves through the busi­ness, where it is stored and who has access to it. “A great exam­ple of this is board papers or any sort of sen­si­tive infor­ma­tion that, from a gov­er­nance stand­point, is curat­ed by mul­ti­ple indi­vid­u­als,” says Healy. “It’s often not the final ver­sion that’s the most sen­si­tive; it’s ver­sion ten. And if that ver­sion is leaked or sent to the wrong email account, that’s a big risk.” 

The secu­ri­ty demands of dis­trib­uted work­forces also need to be account­ed for. “Is your home net­work secure? If you’re on the road, is that net­work secure? Dis­ap­pear­ing phys­i­cal bound­aries pose a big chal­lenge for many organ­i­sa­tions,” says Hen­ry Jiang, CISO at Dili­gent.

To solve this chal­lenge, gov­er­nance, risk and com­pli­ance lead­ers must revis­it secu­ri­ty strate­gies and ensure that as well as pro­tect­ing infra­struc­ture, they are also data cen­tric. “The doc­u­ment some­one is pulling up on their lap­top, how do you pro­tect that? How do you redesign the secu­ri­ty pro­gramme so that pro­tec­tion extends right down to the end­points where data resides?”

A redesign of this scale is no mean feat, espe­cial­ly when car­ried out in con­junc­tion with all the oth­er ele­ments of dig­i­tal trans­for­ma­tion. “Dig­i­tal trans­for­ma­tion is a mas­sive under­tak­ing,” says Healy. “It’s often a mul­ti-year process that has to be under­tak­en in bite-sized chunks.” Any secu­ri­ty trans­for­ma­tion there­fore needs to be organ­ised in a sequen­tial fash­ion that pri­ori­tis­es essen­tial issues so that the busi­ness can hit key objec­tives and mile­stones with­out dis­rup­tion. It should also aim to be a “force mul­ti­pli­er” of good process­es, says Healy.

One thing gov­er­nance lead­ers can be sure of is that the senior lead­er­ship is now like­ly to be more recep­tive to their advice. Fre­quent sto­ries about reg­u­la­to­ry fines or com­pli­ance gaps were win­ning gov­er­nance, risk and com­pli­ance pro­fes­sion­als a seat at the top table even before the pan­dem­ic struck. And with ESG issues now a cen­tral plank of many busi­ness strate­gies, there’s nev­er been a bet­ter time for these indi­vid­u­als to make them­selves heard.

“Gov­er­nance, risk and com­pli­ance pro­fes­sion­als have a unique oppor­tu­ni­ty to cap­i­talise on what the world cares about,” says Healy. “They have the ear of the CEOs and CFOs of many insti­tu­tions, and direc­tors are ask­ing: ‘What’s our plan here?’ ” In fact, many board mem­bers are now extreme­ly well edu­cat­ed on cyber­se­cu­ri­ty issues. “There are more cham­pi­ons on the board these days than there have ever been,” says Healy. 

Of course, no secu­ri­ty or gov­er­nance pro­gramme can com­plete­ly elim­i­nate risk. “Secu­ri­ty prac­ti­tion­ers like myself need to talk about these risks in a lan­guage the board can under­stand,” says Jiang. How­ev­er, he advis­es against using scare tac­tics when attempt­ing to push for more robust mea­sures. “That said, you should always speak can­did­ly about the risks asso­ci­at­ed with data.” 

He rec­om­mends using key risk indi­ca­tors, data and stan­dards to make your case. But once you have the sup­port of the board, it’s essen­tial to report back with tan­gi­ble results. “You can’t say ‘give me X amount of dol­lars,’ and then the secu­ri­ty pro­gramme stays at the same lev­el,” he says. “Progress has to be made.”

There may also be some push and pull between gov­er­nance lead­ers and those in oth­er depart­ments who are keen to roll out inno­v­a­tive new prod­ucts and ser­vices as quick­ly as pos­si­ble. “Peo­ple aren’t ask­ing for less these days,” says Healy. “They want things to be faster and bet­ter than they are now…the chal­lenge with all this is that you also need things to be secure. You have to have con­trol over sen­si­tive infor­ma­tion even though every­body wants it to be at their fin­ger­tips.” Squar­ing this cir­cle is an ongo­ing chal­lenge, “espe­cial­ly as cyber threats con­tin­ue to pro­lif­er­ate,” says Healy. 

Suc­cess may depend upon how adept gov­er­nance lead­ers are at recruit­ing cham­pi­ons through­out the organ­i­sa­tion, name­ly indi­vid­u­als with the pow­er and influ­ence to push cyber­se­cu­ri­ty up the cor­po­rate agen­da and ensure it is an inte­gral part of any dig­i­tal trans­for­ma­tion rather than a ‘nice to have.’ Healy adds:  “They’ve got to not just iden­ti­fy who these indi­vid­u­als might be, but secure their buy-in ear­ly on in the process.” He adds that an approach along the lines of ‘this is what we need to do, it’s tied to these busi­ness objec­tives, and here’s why I need your help with it’ is more like­ly to suc­ceed at secur­ing exec­u­tive-lev­el sup­port.

The role that any part­ners and ven­dors will play in an organisation’s dig­i­tal trans­for­ma­tion and cyber­se­cu­ri­ty strat­e­gy needs to be care­ful­ly con­sid­ered when upgrad­ing secu­ri­ty prac­tices. “It’s impor­tant to have an objec­tive view and lay out what the key pri­or­i­ties are for select­ing your part­ner­ships and your ven­dors,” says Healy. 

Grant­ed, none of this can be achieved overnight. But one thing is unde­ni­able: there’s nev­er been a bet­ter time for gov­er­nance lead­ers to con­vince senior stake­hold­ers that dig­i­tal trans­for­ma­tion isn’t a secu­ri­ty night­mare. It’s a secu­ri­ty oppor­tu­ni­ty.

To learn more about how Diligent’s mod­ern gov­er­nance plat­form brings togeth­er the dis­parate tools, data and inte­gra­tions and process­es into one place so that lead­ers can gov­ern at today’s pace of busi­ness, vis­it diligent.com