The digital transformation wave is here, we’re in the middle of it, and cybersecurity needs to adapt matching the urgency, pace, and the delivery of new or improved digital products.
Businesses are transforming across industries, focused on improving the quality and engagement of customer-facing products. cybersecurity needs to be a pressing concern that is ultimately not seen as a novel-risk, but just another fundamental piece of the business equation alongside other risks.
Digital transformation, similar to any transformation, changes how organizations and teams form to ideate and deliver outcomes. Some businesses focus on “decentralizing” certain shared services or components of those services while centralizing what can be automated and leveraged at the scale and speed needed to succeed in the competitive business environment. Cybersecurity can fit into these narratives in any number of ways, but just as transformation of infrastructure, development, and engineering practices takes time, the same is true for cybersecurity and there is no single, perfect way to do this.
Decentralizing the cybersecurity function, or parts of it, as part of a transformation strategy, usually comes packed with two underlying motives: resource management and controlling cybersecurity outcomes.
The first motive is an easy pill to swallow, it essentially means that the business needs more of what the cybersecurity team delivers. People hear about cybersecurity risk, they get it, they don’t disagree, but the perception is that it is still very hard to stay secure and compliant. The question to address the first motive is, “How can we manage and prioritize our cybersecurity talent to keep up with the pace and urgency that digital product teams need?”
The second motive has spread many cybersecurity teams thin; critical controls and requirements not being implemented, monitoring and detection services going unchecked, and eventually team burnout. If the cybersecurity team in a company today thinks they don’t have enough resources to secure the enterprise, breaking these teams up and devolving decision making exacerbates the scale problem.
In certain environments, this second motive comes from a place where the path of least resistance is seen as better than the status quo even if it comes with increased cybersecurity risk to the business. Digital product teams often are accountable exclusively for delivering products and experiences quickly, while security is a constraint they have to manage. While some feel that by decentralizing cybersecurity in hopes of creating a less resistant path, we inadvertently spread accountability everywhere. Without a single accountable owner for cybersecurity at the enterprise level – when an incident happens, it leads to finger pointing.
This second motive is more common in cases when a business feels it needs smaller, vertically integrated teams that can deliver improved experiences for their customers, members, and stakeholders. The need for improved experiences makes sense – why transform if we’re not going to move faster, better, smarter? We wouldn’t build a house faster and skimp on the soundness and safety of the design; that wouldn’t make the house better, and we wouldn’t be smarter for going that route.
These transformations are a huge opportunity for integrating cybersecurity into a product-focused transformation in a better way than the past, and the following factors should be considered closely:
The need for cybersecurity governance
If there are going to be more initiatives and teams that need cybersecurity focus and attention, aligning on our governance practices will help the cybersecurity organization scale. Simply put, we need to answer 3 simple questions for every domain that requires governance and oversight:
- Are we doing the right things? Do we have reasonable requirements laid out in a clear way with accountability built in?
- Are we doing the right things right? Are we actually doing the things that we’ve outlined as requirements for business product teams and stakeholders?
- How do we know? How are we measuring and monitoring our adherence to the reasonable requirements? What tools, services, or processes have been implemented as part of outlining the requirement? If there’s no way to monitor for internal compliance, the requirement should be re-evaluated.
If the cybersecurity team is going to decentralize, then there needs to be appropriate governance and oversight in place to prevent drift of requirements and controls being met. Consider assigning risk managers to each of the orgs where cybersecurity professionals will be embedded for periods of time, to make sure that the right amount of governance is in place, that risk isn’t increasing without being discussed, and the cybersecurity expectations that the end-customer has are being met.
Integration speed will vary
How fast can we integrate cybersecurity into product development and delivery? That depends on a number of factors:
Scaling the org without dimming the lights
- We can’t sacrifice “keep the lights on” (KLO) cybersecurity activities that the organization now needs in order to be healthy. Assess the risk of outsourcing or no longer performing manual or low-value KLO activities so that you can organizationally scale to do the things only “we” can do.
- If a needed cybersecurity process isn’t mature, it more than likely can’t be repeated with consistent results. Lack of consistency can turn into varied outcomes. Varied outcomes can show up as operational misses or worse yet, data breaches.
- Work to mature processes to a documented, repeatable, and measured state so that risk isn’t increased when or if decentralization occurs.
Monitoring & detection controls
- Scaling the cybersecurity team requires that we’re still able to see what we used to see, on top of doing and seeing more.
- If our monitoring and detection controls aren’t being optimized, scaling the team will only strain our ability to see and respond to what we’ve always been expected to do.
Incident response & business resilience
- Incident response and resilience for cybersecurity are non-negotiable. We have to be able to identify problems and respond to them in a structured, managed way.
- Incident response has to be practiced, measured, and learned from.
- If the cybersecurity team is going to be more tightly integrated into business product and process development, it needs to have its own resilience monitored and reported on regularly, since it’s pivotal to delivering a product that customers want.
Incorporating these critical considerations into your organization’s digital strategy can help to make cybersecurity an integral part of your product transformation.