Digital security transformation: shifting to a cyber-aware culture

When I define digital transformation for clients and other business partners, I focus on three aspects: reinventing business in the digital world by putting the customer or citizen first; resetting an enterprise’s mindset and culture; and leveraging innovation, technology and talent.

Given that October is National Cyber Security Awareness Month, now is a great time to drive home the fact that security must be part of all aspects of digital transformation, and cannot get lost in the discussion. In fact, digital transformation should be viewed as an opportunity to drive and create a more robust, cyber-aware culture.

What are the noticeable characteristics of shifting to a more cyber-aware culture? Some examples include:

• Shift from CIO/CISO concern → to enterprise-wide concern. Today, most organizations have both a Chief Information Officer (CIO) and a Chief Information Security Officer (CISO). Their responsibilities are to ensure data protections are in place from a technology perspective. However, because technology is so embedded into all business processes, there are times when systems development occurs outside of the CIO’s purview. A digital enterprise knows that cybersecurity is not just an issue for the CIO/CISO to worry about. When programs are improved or launched, security must be recognized, planned for and implemented for all of the people, processes and tools that are involved.
• Shift from executive awareness → to executive leadership. A digital enterprise has governance and practices in place that address all phases of program support. In the last couple of years, we have begun to see cyber-related briefings at the board and executive levels. This is a great start to have executive awareness of cyber activities (e.g., number of threats blocked and where they are coming from). However, in a digital enterprise, there needs to be more. Breach governance should be in place and should include legal, communications and executive leaders from business line or division programs. Executives also should be asking security-related questions in strategic meetings, and thus model behavior for thinking about security. For further reading, see our blog on 11 cyber questions CEOs need to ask.
• Shift from monitoring externally → to monitoring both internally and externally. Protecting sensitive assets and ensuring business continuity are essential to all digital enterprises—particularly as increased connectivity and data sharing bring new vulnerabilities. Most organizations are monitoring their networks for external threats, but, as they advance their digital transformation maturity, internal monitoring and protection also must be included. This means continuous monitoring of the security posture with alerts whenever someone brings up or takes down an application that exposes a new vulnerability. It also includes a robust insider threat program to ensure employees or third parties with network access have not posed threats to systems or data, either inadvertently or purposely. Also see our blog on why insider threat is about more than cybersecurity.

While there are other indicators of the shift toward a more cyber-aware culture, these are a few that demonstrate an enterprise is focused on security during its digital transformation. You’ll find more cybersecurity insights on our global blog