Digital Transformation has become a business imperative, yet rather than pulling together to enable essential change, the friction between network and security teams is increasing. The business needs to move away from data centres and traditional Wide Area Networks (WAN) to exploit the cost, flexibility and agility provided by the cloud and Software Defined WANs (SD-WAN). Chief Information Security Officers (CISOs), especially those working in regulated industries, insist the risks associated with public infrastructure are too high. Stalemate.
Until now. Organisations are pressing ahead with Digital Transformation plans and excluding the CISO from the conversation. But at what cost? Who is assessing the implications for regulatory compliance? At what point will the Chief Risk Officer prohibit the use of the SD-WAN for sensitive data, leaving the business running legacy and new infrastructure side by side, fundamentally undermining the entire Digital Transformation project? A new attitude is urgently required, one based on collaboration, understanding and a recognition that a Zero Trust security posture can safeguard even the most sensitive data, while unlocking all the benefits associated with SD-WAN.
As Simon Hill, Head of Legal & Compliance, Certes Networks insists, it is time for CISOs to take a lead role in the Digital Transformation process – or risk being side-lined for good.
Accept Change
CISOs need to face up to the fact that Digital Transformation is happening – with or without them. Organisations need to embrace the agility, flexibility and cost benefits offered by the cloud, by Software as a Service and, critically, the shift from expensive WAN technology to SD-WAN. For CISOs, while the migration to SD-WAN extends the attack surface, adding unacceptable data vulnerability, saying no is not an option any more. CISOs risk being left out of the Digital Transformation loop – and that is not only adding significant corporate risk but also compromising the expected benefits of this essential technology investment.
Network and IT teams are pressing ahead, insisting the risk is acceptable. How do they know? For any organisation, this is a dangerous compromise: critical risk decisions are being taken by individuals who have no understanding of the full implications. For those organisations operating in regulated industries, these decisions could result in an exposure to $10s millions, even $100s millions of penalties.
Failure to embed security within the initial Digital Transformation strategy is also compromising progress. What happens when the CISO or Chief Risk Officer discovers the business is in the process of migrating from the old WAN to a new SD-WAN environment? Suddenly the brakes are on, and the call is for sensitive data to be encrypted before it hits the network. Adding Internet Protocol Security (IPsec) tunnels will degrade performance – so the business is then stuck using the legacy WAN for data connectivity while still paying for the SD-WAN and failing to gain any of the agility or cost benefits. More frustration. More friction between teams that should be working together to support business goals.
Drive Change
Security is a fundamental component of Digital Transformation – indeed of corporate operating strategy. Rather than avoiding change, CISOs have a responsibility not only to secure the organisation but proactively advocate change, with security as the key enabler of Digital Transformation.
Digital Transformation does not by default create an inherently insecure environment – but it will require organisations to, somewhat belatedly, embrace a Zero Trust model. It has been clear for many years that there is no correlation between ownership and trust. Just because a company owns infrastructure and assets does not automatically infer total trust over data security. Similarly, infrastructure outside the business is not inherently untrustworthy. The key is to build trust into a secure overlay to protect data that will allow a business to operate across any infrastructure whether it is owned or public.
A High Assurance SD-WAN overlay, for example, uses crypto-segmentation to protect and ensure the integrity of sensitive data. With this Zero Trust approach, High Assurance SD-WAN means whether the network is public or private, trusted or untrusted, is irrelevant: the data security team simply needs to define the policy and, with ownership of the cryptography keys, can be confident that data is protected at all times wherever it goes.
Working Together
Adopting a Zero Trust security posture changes the outlook for CISOs – and provides a foundation for vital collaboration with the networking and IT teams. With confidence that the data is secure regardless of network location, everyone involved in Digital Transformation can achieve their goals: IT and network teams can embrace the flexibility and agility of the cloud, SaaS and SD-WAN, while the security team still has control of the security posture.
This can only be achieved if the business embraces a different mindset. It is essential to think about security by design from the outset – and to break down the barriers between network, IT and security. The introduction of the Secure Access Service Edge (SASE) framework provides clear guidelines for the convergence of these teams to drive additional business value but the onus – and opportunity – lies with the CISO to ensure the entire organisation truly understands the Digital Transformation objectives.
This also demands an essential shift away from a regulatory compliance focused security posture – something that is inherently flawed due to the impossibility of creating regulations that keep up with the ever changing security threats – towards a truly business driven approach. Working together to plan the Digital Transformation process may take a little more time up front but it will result in a secure foundation that will remove any constraints to innovation and agility.
Conclusion
It is time for CISOs to change. There is no value in endlessly blocking essential new technology projects; and no upside in being excluded from vital plans as a result. By taking a proactive stance and driving Digital Transformation strategies, CISOs can redefine the role, become a key strategic player within the business and act as an enabler, rather than a constraint, to operational success.
It is time to find a way to say yes to secure Digital Transformation – without compromise.
Simon Hill, Head of Legal & Compliance at Certes Networks
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.