How digital transformation is changing the role of the CISO
Digital transformation has become a key initiative for many enterprises, facilitated by the emergence of easy-to-use cloud-native technologies such as containers and Kubernetes. This year, the COVID-19 outbreak has pushed enterprises even further to accelerate their digital journeys. As they do this, security is constantly raised as a key concern, but it should also be viewed as a key enabler.
Done right, security can remove obstacles to digital transformation and accelerate adoption. It can not only help the enterprise avoid increased risk, but also proactively reduce it. For that to happen, CISOs need to evolve in their role and become transformational leaders who can empower the business and drive innovation.
Here's why CISOs must embrace digital transformation, get to know the advantages of the new technologies, and understand the step change they introduce to security practices of yore.
The speed imperative
As organizations undergo digital transformation, they make software and applications a fundamental part of the business, and they redefine the customer experience to be digital-first. This trend has firmly taken root and been widely embraced.
As the COVID-19 pandemic progressed in 2020, schools and universities had to quickly get online platforms up and running so that the education process could continue as soon as possible. Retailers had to boost their digital offerings in response to an increase in online shopping. Food delivery companies had to launch no-contact grocery delivery services.
Digital transformation puts more of the business in the hands of IT, where applications interact with customers and automation makes the business more efficient. Since applications fuel diverse digital experiences, the ability to bring them to market as fast as possible becomes essential. To stay competitive, organizations need to innovate and develop new applications and features quickly. In today’s technology landscape, cloud-native, which is reshaping the enterprise, is the only way to make digital transformation possible.
Power digital transformation
Allowing for faster delivery cycles, cloud-native technologies are instrumental in digital transformation. Once you deploy a cloud-native stack on a decent scale, many things become possible. You can address customer needs faster, launch and scale digital offerings in days rather than months, tap into new markets, expand the customer base, and, as a result, make more money. The business impact is straightforward, and the adoption of cloud-native continues to rise.
With applications broken down into microservices, organizations also gain another significant benefit of cloud-native: cyber resiliency. Since microservices can be updated independently of the rest of an application and containers can easily scale up or down with the demand, you gain agility and, therefore, can adapt to unexpected market changes a lot faster. According to McKinsey, companies with agile practices have managed the impact of the COVID-19 crisis better than their peers.
Take flight booking as an example. An airline now needs to manage many uncertainties before, during, and after flights. Planes might be grounded or rerouted at the drop of a hat. Socially distanced seating arrangements might be different from country to country. Passengers might need to produce various documents to be able to book their flight, check in, or board. And all these things can change, constantly. Airlines that embrace digital technology will be able to adapt better and faster to such constant flux—and cloud-native technologies are their most agile, flexible, and scalable option to do that.
But the speed and agility to experiment and deliver products quickly are of little value if they increase an organization’s exposure to risk. Digital transformation inevitably involves a change in security mindset, elevating the role of the CISO in the organization. In a world of two-week sprints and a "failing fast" approach, it’s no longer suitable for security to become involved only at the end of a project. Security needs to match the agility of the digital business, empowering developers from the start, and become part of the fabric of digital transformation—accelerating innovation rather than slowing it down.
The evolving role of the CISO
Over the last decade, the role of the CISO and the security function within organizations has changed dramatically. As few as 10 years ago, security was completely separate and hidden from application teams, widely perceived as an obstacle for new initiatives. Getting security approvals or defining security requirements for a project could take several months, holding developers back from deploying the product on time. This is unthinkable for the pace of modern business.
But as companies are taking on digital transformation projects and evolving their IT infrastructure, the risks are changing, too. In a cloud-native world, developers push new code to production continuously. Organizations deploy applications via containers or functions in a matter of minutes, rather than days and weeks.
Traditionally, the CISO’s role has been to safeguard the organization against cyber threats and reduce potential risks. However, with an ongoing digital transformation, the focus of the CISO is shifting, and the role is rapidly becoming more strategic and influential. Today, the role of the CISO is measured not only in whether the business suffers losses because of a data breach, but also in how security preempts new initiatives and makes it possible to bring services and applications to market faster.
Enable high-speed digital innovation
Beyond just protecting the organization, the priorities of the modern CISO are to drive growth through multiple projects and make this growth as smooth as possible from a security standpoint—not just removing obstacles, but creating business opportunities.
A severe vulnerability in one of the applications can hinder digital transformation because it would introduce an unacceptable level of risk. In a cloud-native development pipeline, however, such vulnerabilities can be discovered, remediated, and mitigated much sooner.
Furthermore, when executed correctly, security can empower the business and create a sustainable competitive advantage. For example, a global cosmetics company uses a cloud-native security solution to safely develop a mobile AR app that allows customers to try its makeup products via a selfie, without compromising their privacy.
Embrace change and break silos
So how can you as a CISO enable and support digital innovation, rather than hold it back? One of the best practices is to address security issues earlier in the software lifecycle, where DevSecOps enables rapid development by making security a part of it. To achieve this, the office of the CISO will need to collaborate with and rely on its developer and DevOps colleagues. Another important principle is that security should always focus on the possible remediation or mitigation that will allow the application to move forward, reducing contextual risk instead of blindly driving to eliminate it completely.
By allowing the business to operate in a secure fashion, the role of the CISO is crucial to the success of the digital transformation. Security should be designed to accelerate the development process, helping businesses to enable digital experiences and drive innovation. PwC, in its "2021 Global Digital Trust Insights" report, notes that “like the high-powered brakes on a racecar, cybersecurity makes high-speed digital change a lot safer.”
In a rapidly changing world, one of the major challenges is how quickly you can address the constantly shifting requirements, business priorities and customer needs. For example, in the wake of the pandemic, airlines had to quickly adjust to a new reality by launching a completely touchless experience at airports to make customers feel comfortable about flying again. By designing proper security controls, CISOs can help organizations become fast, resilient, and adaptable to change, without creating friction for customers or increasing costs.
Stay ahead of the competition
We’ve seen how the role of modern CISOs in digital transformation is itself transformed, and with the uncertainties and constant change introduced by COVID-19, it’s becoming crucial to business success. With the shortage of security professionals and the industry move to cloud-native, there is a need to transform security by making it architecturally embedded and highly automated and by breaking old silos to make security part of the DevOps psyche. Without these changes, you will move too slowly—creating the risk of disruption by nimbler competitors.
Successful CISOs will be those who are willing to embrace the change, trust their colleagues, provide optimized security practices as part of DevOps automation, and make the decision on when risk requires a response. Organizations that get this right will be best equipped to move fearlessly forward in the new digital landscape.