If one were to go by a report published by McKinsey’s, there could be a reason to believe that this is so. Why? Because organizations often report that the need to enhance digitization effort often clashes with intrinsic behaviour of cybersecurity teams that call for care with the obvious view of protecting the enterprise from malicious attacks.
“At company after company, fundamental tensions arise between the business’s needs to digitize and the cybersecurity team’s responsibility to protect the organization, its employees and its customers within existing cyber operating models and practices,” says McKinsey’s in a report which underscores the need for these crack teams to transform their capabilities.
The only way cybersecurity teams can avoid becoming barriers to digitization and act as enablers is to transform their capabilities across three dimensions, viz., improve risk management by applying quantitative risk analytics, building cybersecurity directly into the organization’s value chains and support next generation of enterprise-technology platforms via innovations such as agile development, robotics and cloud-based operating models, the report says.
The report argues that every aspect of a digital enterprise has important security implications. For e.g., companies need to determine how to align teams managing fraud prevention, security and product development so that they design controls and create convenient and secure experiences for the users.
Similarly, with massive amounts of data sets being created, they need to identify risks that various types of user data can generate. They need to incorporate security controls into analytics solutions that may not use formal software development protocols, instead preferring robotic process automation to eliminate human involvement that heightens security threats.
The report highlights the challenges faced by development teams who were frustrated by the long timeframe required by the security team to validate and approve incremental items in their cloud service provider’s catalogue for production usage. Others were concerned that setting up a server just takes a few minutes but they have to wait for weeks for the vulnerability scan to complete.
This misalignment between development and cybersecurity teams leads to missed business opportunities, as new capabilities are delayed in reaching the market. In some cases, the pressure to close the gap has caused increased vulnerability, as development teams bend rules to work around security policies and standards, the report points out.
This problem is deep rooted and needs serious contemplation from the CXOs. They must questions the actions taken and have the far-sightedness to gauge the worth of the actions. As suggested by McKinsey, the answer of the above mentioned problems lie in the transformation of cybersecurity capabilities. This could be in three dimensions which include:
- Use of quantitative risk analytics for decision making
- Translating cybersecurity into the business value chain
- Enabling the new technology operating platforms that combine many innovations
If done in correct manner, these actions are certain to yield benefits for organisations in becoming better and secure. Organizations are also starting to build cybersecurity into their customer relationships, production processes and supplier interactions. Some of their tactics include:
- Use of design thinking to build secure and convenient online customer experiences
- Educate customers about how to interact in a safe and secure fashion
- Analyse security surveys to understand what enterprise customers expect and create knowledge bases so that sales team can respond to customer security inquiries
- Treat cybersecurity as a core feature of product design
- Take a seamless view across traditional information security and operational technology security to eliminate vulnerabilities.
Done in concert, these actions yield benefits. They enhance customer trust, accelerating their adoption of digital channels. They reduce the risk of customers or employees trying to circumvent security controls. They reduce friction and delays as suppliers and customers negotiate liability and responsibility for information risks. They build security intrinsically into customer-facing and operational processes, reducing the “deadweight loss” associated with security protections, the report concludes.
