About Darklabs Security Transformation
We’ve broken the steps to successful digital transformation down into five critical areas of consideration:
Discovery: It’s Not Only an IT Issue!
The first step is to acknowledge change; IT and Security cannot take all responsibility. For example, you may have recently embarked on a Data Classification project where the stakeholders in the business became data owners. They communicated their concerns, aligned their needs, and rolled out a practical solution to the challenge.
The digitalisation task is the same on a much broader scale. Without these data owners once again collaborating with their security team, the result will be users without access to the correct applications, inappropriate security controls that reduce productivity, and unsanctioned applications being used, which increases risk. For instance, Frank in Finance can’t send payslips out because he doesn’t have access to Sage. Compliance requirements aren’t met, security challenges arise, and the organisation’s needs are not achieved.
The next stage should be formulating these business drivers into written policies. Remember when you brought in that Data Protection Officer (DPO) to help with GDPR? As most DPOs would tell you, a good place to start is a framework of rules and regulations: when a given event occurs, here is the actionable procedure to remediate it.
Taking this a step further, enforcing the rules and policies we have now written with software support, and automating specific processes, will ultimately limit human error and reduce potential threats. As Dave Barnett (Head of CASB at Forcepoint) said, “Think about cloud security and the policies that CASB can do as guard rails on the side of a bowling alley, what you want is that bowling ball to go down the middle and to hit those pins and everyone’s happy, what you don’t want is the ball to go spinning off the side.” Pre-defined policies (guard rails) for cloud applications that work will prevent your users from straying into areas that may expose the organisation to risk.
This is a journey, and we’re not simply implementing a solution or product. The organisation needs to continually change and drive an adaptive risk architecture, where security controls can be dialled up or down depending on the level of risk posed to the organisation. Risk is variable: regulations and business drivers change, mergers and acquisitions bring new challenges, suppliers and contractors arrive, and old ones leave.
Trust but Verify
At this point, the question you should now ask is: who manages the security manager? With a mixture of service providers, vendor solutions, and disparate networks in your environment, you need a single pane of glass to oversee all operations, manage these solutions, and give you visibility of where controls have changed and where potential gaps have opened. That way, you can continually test the strength of your security posture.