Information Security Transformation Aligned to Digital Transformation Goals

Is your information security team providing the core digital transformation attributes such as convenience, personalization, outstanding customer experience, agility, and cost savings?

[Image: binary code and padlock icon. Credit: Chim / Shutterstock.com © 2019]

"Digital transformation" (Dx) as a buzzword may be approaching the end of its life, but the fundamental concept—continuously improving the use of technology and data to provide value to customers—is real and critical to the survival of businesses. If information security teams don't evolve to deliver the same Dx value and benefits to our organizations, then we risk losing our "customers" to intentional circumvention or preference for shadow IT systems. Make sure your information security organization provides the core Dx attributes:[1]

  • Convenience
  • Personalization
  • Outstanding customer experience
  • Agility
  • Cost savings

Does your information security organization leverage the tools, data, and communication channels used by your customers to ensure that information security is considered during the early stages of a project rather than being a last-minute hurdle that needs to be cleared just prior to production? For example, consider hooking into your Institutional Review Board's administrative system so the board's coordinators can pull you into the security review cycle seamlessly when they are first reviewing research protocols. Coordinate with your procurement group's vendor-management system so you can share reports and the status of vendor reviews in one central location. Provide easy-to-read guides that indicate "which data where" for pre-approved platforms your end users can leverage according to data sensitivity and desired functionality. Make it easy to initiate a discussion with your information security office via a monitored departmental email account or Slack channel, or post a calendar where people can schedule appointments with you.

Providing a personalized and tailored risk assessment yields an exceptional customer experience that can help your information security department maintain a positive brand with internal stakeholders. The following are two of my favorite questions to ask when assessing the possible security risks of a new initiative:

  1. What are you doing today versus what you're proposing?
  2. What's the risk if we don't move forward with this?

The answers to these questions provide perspective into potential losses associated with missed business opportunities and set a baseline for improved security controls. Helping your business partners to think about anticipated "normal" business patterns and potential anomalies will also improve their business controls and threshold monitoring, both of which add business value. These are discussions you should conduct face-to-face, on the phone, or via video chat, but not back and forth through email. Tailor your security recommendations to the project goals and offer a brief summary of your report to address potential areas of confusion or concern.

Gain agility by standardizing or automating repeatable processes and positioning them where your partners can use them. Find ways to fast-track and reward the use of preferred paths and tools. For example, if you're migrating from on-premises to cloud-based services, provide your DevOps teams with security APIs for automated code review and configuration checks within those environments. Enable self-service wherever possible, and facilitate straight-through processing of standard requests and account provisioning, such as for common research platforms or managed payment card industry (PCI) storefront accounts. Leverage scripting to parse and analyze user-reported phishing messages received in your central mailbox, and alert your team when certain thresholds or characteristics that require quick attention are met.
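As an added illustration of the last point (example code written for this page, not the author's or EDUCAUSE's), the script below parses user-reported phishing messages and raises two kinds of alert: an "urgent" alert when a report contains a credential or payroll lure, and a "campaign" alert when the same sender domain or URL host is reported a threshold number of times inside a sliding time window. It assumes the reports have already been exported from the central mailbox as raw message text and that the reporting tool stamps an X-Reported-By header; the header name, the thresholds, and the four sample messages are all constructed for the example.

```python
"""Triage of user-reported phishing messages from a central abuse mailbox.

Added example, not code from the article. It assumes reports have already
been exported from the mailbox as raw RFC 5322 text and that the reporting
add-in stamps an X-Reported-By header (an assumed header name). The sample
messages at the bottom are constructed for the demonstration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

# Tuning values are assumptions for this example; derive them from your own report volumes.
CAMPAIGN_THRESHOLD = 3                 # same sender domain or URL host reported this many times ...
CAMPAIGN_WINDOW = timedelta(hours=2)   # ... within this sliding window
URGENT_LURES = ("password", "payroll", "direct deposit", "verify your account")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Report:
    reporter: str
    sender_domain: str
    subject: str
    received: datetime
    url_hosts: frozenset[str]
    text: str  # lower-cased subject + body, used for lure matching


def parse_report(raw: str) -> Report:
    """Extract the indicators the triage rules need from one reported message."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    _, reporter = parseaddr(msg.get("X-Reported-By", ""))
    body = msg.get_payload(decode=True).decode("utf-8", errors="replace")
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    subject = msg.get("Subject", "")
    return Report(
        reporter=reporter,
        sender_domain=sender.rpartition("@")[2].lower(),
        subject=subject,
        received=parsedate_to_datetime(msg["Date"]),
        url_hosts=frozenset(hosts),
        text=(subject + "\n" + body).lower(),
    )


def triage(reports: list[Report]) -> list[tuple[str, str, str]]:
    """Return (kind, indicator, detail) alerts in report order: 'urgent' for lure
    keywords, 'campaign' once an indicator reaches CAMPAIGN_THRESHOLD inside CAMPAIGN_WINDOW."""
    alerts: list[tuple[str, str, str]] = []
    seen: dict[str, list[datetime]] = {}
    already_raised: set[str] = set()
    for r in sorted(reports, key=lambda rep: rep.received):
        lures = [k for k in URGENT_LURES if k in r.text]
        if lures:
            alerts.append(("urgent", r.sender_domain, f"{r.reporter} reported lure: {', '.join(lures)}"))
        indicators = {f"sender:{r.sender_domain}"} | {f"url:{h}" for h in r.url_hosts}
        for ind in indicators:
            times = seen.setdefault(ind, [])
            times.append(r.received)
            # keep only the reports inside the window that ends at this report
            times[:] = [t for t in times if r.received - t <= CAMPAIGN_WINDOW]
            if len(times) >= CAMPAIGN_THRESHOLD and ind not in already_raised:
                already_raised.add(ind)
                alerts.append(("campaign", ind, f"{len(times)} reports within {CAMPAIGN_WINDOW}"))
    return alerts


# Constructed sample reports (reserved example domains, fictitious reporters).
SAMPLE_REPORTS = [
    "From: IT Help <helpdesk@example.net>\nDate: Mon, 03 Jun 2019 09:00:00 +0000\n"
    "X-Reported-By: alice@university.example\nSubject: Mailbox quota\n\n"
    "Your mailbox is full. Expand it at https://login.example.org/quota\n",
    "From: Notices <notice@example.net>\nDate: Mon, 03 Jun 2019 09:20:00 +0000\n"
    "X-Reported-By: bob@university.example\nSubject: Mailbox quota\n\n"
    "Quota exceeded, act now: https://login.example.org/quota\n",
    "From: Security Alerts <alerts@example.com>\nDate: Mon, 03 Jun 2019 10:15:00 +0000\n"
    "X-Reported-By: carol@university.example\nSubject: Action required\n\n"
    "Please verify your account at http://login.example.org/verify today.\n",
    "From: HR <payroll@example.com>\nDate: Mon, 03 Jun 2019 14:00:00 +0000\n"
    "X-Reported-By: dave@university.example\nSubject: Direct deposit update\n\n"
    "Confirm your direct deposit details at https://hr.example.com/update\n",
]


def run_sample() -> list[tuple[str, str, str]]:
    """Parse the constructed reports and return the alerts the rules produce."""
    return triage([parse_report(raw) for raw in SAMPLE_REPORTS])


if __name__ == "__main__":
    for kind, indicator, detail in run_sample():
        print(f"[{kind.upper()}] {indicator}: {detail}")
```

On the constructed data this yields three alerts: an urgent alert for the "verify your account" lure, a campaign alert because login.example.org is reported three times within two hours, and a second urgent alert for the "direct deposit" lure. The sliding window is what keeps the script from paging the team on ordinary background noise; the two sender domains never cross the threshold, so only the shared landing host is escalated.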

Finally, save yourself the costs of team burnout and project delays by right-sizing your information security team's involvement within projects. If the risk level doesn't rise to a defined threshold—based on categorized data sensitivity or functionality—then make sure projects move forward with predetermined security controls rather than delaying them for an unwarranted security review.

For more information about information security governance, compliance, data protection, and privacy programs, please visit the EDUCAUSE Review Security Matters blog as well as the Cybersecurity Program page. Access additional Dx resources through the Digital Transformation page.

Note

  1. For more guidance on bringing cybersecurity into closer alignment with Dx goals, read Sandy Silk, "How Cybersecurity Can Better Support Digital Transformation Business Goals," ISACA Now (blog), ISACA, n.d.

Sandy Silk is Director of Information Security Education and Consulting at Harvard University.

© 2019 Sandy Silk. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.