Agile security key to digital transformation
In a rapidly digitising world, security is more critical than ever. However, if you want it to be nimble, you need to architect things in the right way, ensuring the right levels of protection, for the right things.
The speed of digital transformation today means that modern security needs to be adaptable and agile enough to change - on a daily basis - if required - in order to keep pace with how cyber crime is evolving.
However, if your security strategy is to succeed, explains Chris Volschenk, CEO at Nexio, it is something that will need to be baked into your digitisation plans from the outset.
“If you are only bolting on security, either during or after your digitisation attempts, you are honestly missing the boat. Essentially, if you implement your security after the fact, it is not only going to cost you a lot more, but it will also never be as inclusive as you require it to be. Security has to be part of the process from the outset, in order to ensure that all layers and potential attack vectors are secured,” he says.
Volschenk adds there are two strong frameworks that organisations should adopt in order to ensure their security meets best practice standards. The first is the NIST cyber security framework, while the second is the ISO 27000 framework around cyber security.
“Since the aim is to deliver security that is nimble and agile enough to cope with whatever the new digital landscape throws at it, it is vital to have a proactive – rather than a reactive – security strategy in place. The concept of proactive security, however, is easier in theory than it is in practice.
“This is because being proactive means anticipating what might happen and what the cyber criminals’ next steps may be, and then ensuring you have a strategy, processes and procedures in place to manage an attack. Remember that the vast majority of businesses either have already been, or soon will be, compromised in some way, so it is vital to have the necessary measures in place to deal with such an eventuality.”
He likens the process to creating a garden, suggesting that if the garden isn’t planned properly, with shade in certain areas and your flowers in the right place, it will be a failure. Therefore, just as one would consider hiring a landscaper to get your garden design right, so a company that is digitising its environments should be talking to security experts to help it understand exactly what it wants to achieve and how to go about achieving it.
“Continuing the garden analogy, you would only want shade in those areas where it would be beneficial to people or plants. The same goes for your security – you cannot provide the highest level of security for everything, so decide what your organisation’s crown jewels are, and what data is governed by new legislation, and ensure these areas receive the highest levels of protection.
“From a legislative perspective, identity management sits alongside data protection as the most critical area to focus on, since you can easily fall foul of the new laws if you fail to adequately protect your customers’ identities and information.”
Volschenk adds that another crucial part of organisational security is the ‘people’ aspect, since you are more at risk from internal threats than external ones. This requires not only ongoing training and education for employees around the subject of security, but also the implementation of new methods – such as multi-factor authentication (MFA) – which can link a trusted device to a trusted identity to provide multiple layers of security at once.
“Remember that whatever your industry, every business today has an IT component, so every business faces some form of digital security threat. For this reason, it is vital to carefully document your plans, processes and responses so that if an incident happens, you have everything in place to be able to manage it effectively.”
In the end, he says, it is about architecting things in the right way, to ensure the right levels of protection for the right things. If you can achieve this, agility will be a given. Remember, though, that before you can architect anything effectively, you need to know what exactly you are trying to protect. This is why it is vital to work with security specialists, because they will be well positioned to help you put an integrated and agile security plan in place that links directly to your business strategy.
“Ultimately, security is an all-encompassing layer that surrounds not only your information and management areas, but also the people, processes and technology. In a digitising world, the best way to keep your security strategy agile and nimble is to link it back to your business requirements, because this will determine the type, level and extent of security implemented in any given part of the organisation,” concludes Volschenk.