At Online Business Systems we have our feet in two different worlds – Digital Transformation and Cybersecurity. As you can guess, we get a lot of questions about how to plan for and incorporate a security strategy when designing and executing a digital transformation project (e.g. process automation, transforming to a paperless organization, incorporating AI, or a cloud migration.) I have read quite a few articles and blogs written on this topic recently and had a few thoughts of my own based on my experiences being on the front lines where we’ve seen security done well (and also, unfortunately, not so well.)
Here are a few specific things to consider as you plan your project and go forth boldly into the gleaming digital future:
1. Go with the dataflow.
As a process or organization moves into the digital realm, security should be a key consideration during the design and specifications phases. It’s usually best to start by identifying all your dataflows, including inputs, outputs, and data storage locations and to have a clear understanding of what it is you ought to be protecting.
A key first step in planning your security strategy is to identify your potential exposure pertaining to your digital footprint. Your assessment should include all connected systems, web instances, back-end support functions, data storage locations, network nodes and communication endpoints, administrative interfaces, and third parties. After you know what’s going where, determine what types of data are stored, processed, and transmitted. This is also the time to come up with a data classification, retention, and disposition strategy. Figure this out during the planning phase and not after you end up with terabytes of unclassified, unstructured data.
2. Plan, plan, and then plan some more.
There will undoubtedly be a different set of security/privacy requirements in the new environment; for example, moving from a paper-based process to a cloud environment will require a new set of systems, workflows, and technologies that you’ll need to secure.
Make sure that your resources and project plan reflect this. Bolting on security as an afterthought can lead to unforeseen expenses (or worse) and significantly increase your organization’s legal, regulatory, and reputational risk. Fully engage your security experts or external consultants at the onset to help you determine your requirements and evaluate risk, and consider putting security gates (logical places where the security/privacy teams can review the progress of the design and look for potential areas of concern) at the major milestones in the project. We’ve seen plenty of organizations ignore this step at their peril; the costs and time required to fix oversights after a product launch are always much greater than they would have been if security and privacy had been considered during the initial design.
3. BYORA (Bring Your Own Risk Assessment)
Look at the project through the lens of your current risk assessment and not in a vacuum. Perform a targeted risk assessment of the proposed environment to determine how the changes will impact your risk profile and interrelated systems, you will most likely save yourself some headaches (and probably some cash) by identifying areas where current controls, technology, and processes can be integrated into the new project. Don’t forget that using data in a digital format may impact compliance and regulatory considerations (i.e. cardholder data or PHI have very different security and privacy requirements when stored/processed/transmitted via electronic mechanisms than those old paper forms.)
4. Test the heck out of it.
The world is moving at the speed of technology, and keeping your systems and data secured can feel like changing the tires on a car while it’s going around the racetrack.
The primary goal for most digital transformation projects is to add efficiency, speed, flexibility, and increased access to data and systems through technology. The downside here is that this augmented connectivity and functionality may increase the effective surface area for the bad guys to exploit.
Network and application layer penetration testing and code reviews are some of your most effective tools to identify critical issues or misconfigurations. This testing is especially important when integrating new systems into your current environment, as attack vectors and points of entry may have changed. Make sure that those who are responsible for kicking the tires on your new systems to identify the scary technical vulnerabilities are organizationally independent from those building out those systems.
If you don’t have this expertise in-house, or if you just want ‘fresh eyes’ on it, you should consider bringing in a trusted third party who is well-versed in security testing and digital transformation.