Two in every three breaches involve some form of employee failure. This is a reality that CISOs and senior management have come to accept: without employee engagement and involvement, a cybersecurity program cannot succeed. With digital transformation and large-scale automation, the stakes are now higher than ever. Is there a way for businesses to secure digital transformation efforts across the organization by letting employees lead the way? Read on to find out.
What is broken?
Because digital transformation efforts involve multiple stakeholders, teams, and objectives, the security aspects are often neglected, or willingly ignored, in favor of outcomes that appeal more to the board and other key stakeholders. Beyond that, here are some aspects of digital transformation cybersecurity that are currently in various states of disrepair:
- Cybersecurity requirements are often decided or chosen by the team responsible for digital transformation, with CISOs and security teams relegated to an advisory role
- Processes, workflows, and tools that have the greatest impact on digital transformation outcomes are often prioritized over security needs
- We have also come across instances where security budgets were channeled into digital transformation projects
- Few KPIs are assigned to digital transformation security
- No additional training is provided to employees, or even to SecOps teams, to handle the sudden expansion of the threat surface, the rise in risk exposure, and the new process-level cybersecurity requirements
- In operational technology (OT) environments, outdated inventory lists are relied on to map device topology across OT networks
- Digital transformation models are often put in place to meet the overall roadmap and institutional requirements
- SecOps teams are not expanded to take into account the new threats and risks
These are just some of the challenges we came across in our interactions with industry leaders; there are many more.
What kind of impacts do such issues lead to? Here are a few outcomes:
- Early-stage reconnaissance, where the attacker gains a foothold early and stays dormant, waiting for a trigger to strike. This trigger could be anything from a transfer of critical data or intellectual property to a financial transaction
- Even if the above doesn't happen, a late-stage strike could cripple systems in verticals like manufacturing, utilities, and shipping unless system and process redundancies are baked in and used at critical stages to prevent a full-blown attack
- Without adequate security, systems become vulnerable to all kinds of risks and threats, including rogue insider activity
- Without empowered SecOps teams, security efforts will be fragmented at various levels, and containing threats will present a formidable challenge
- A large-scale cyberattack may eat into cash reserves, leaving less budget available for future digital transformation efforts
So what can be done to empower employees and turn them into cybersecurity champions and defenders of digital transformation gains?
- Tabletop or cyber vulnerability exercises should be run with scenarios kept as close to reality as possible. This means that, if required, teams that are unable to protect their data should be penalized in some form (mildly, to ensure the lessons are not forgotten in a hurry), for instance by not allowing them to access their data for, say, an hour or so
- Security programs should have a reward element as well. Employees who do well in detecting an actual attack, or an attack conducted as part of an internal exercise, should be rewarded to encourage a culture of cybersecurity
- SecOps teams need to be at the decision-making table, leading all security aspects of digital transformation efforts in collaboration with nominated employees from across teams who can be trained in security measures to work with the SecOps team
- During pre-employment interviews, questions about security should be asked, and good responses should carry a certain weight in the final selection
- Security budgets should be considered sacrosanct and never diverted to any other cause. This measure alone will drive home the point that security is an enterprise-level priority
- The first responder team can comprise individuals from multiple teams working in coordination with the SecOps teams
- The digital transformation roadmap should have an element of employee security upskilling and should call out security goals in an unambiguous manner
Digital transformation security on your mind? Talk to our cybersecurity experts about Sectrio's easy-to-deploy 5-step approach to securing your digital transformation gains.
Have you tried our threat intelligence feeds yet? Find out what your digital transformation project is missing: sign up for a free 15-day trial of our threat intelligence feeds.
Participate in the CISO Peer Survey 2022 and make your opinion count: fill in our survey here: CISO Peer Survey 2022