At its core, digital transformation drives a dramatic shift in traditional business processes from analog to digital. Today's security and risk professionals are tasked with finding a balance between harnessing advancements in technology and navigating an ever-changing risk landscape.
"What we're hearing from customers is that the complexity of architecture is putting more stress on identity and response," says Ben Desjardins, VP of Product Marketing, RSA, during a recent webinar on the top security and risk trends of 2019.
"The landscape has expanded so drastically and is moving so quickly [that] organizations need to be seriously thinking about adopting security analytics," says Dr. Branden Williams, Director, Cybersecurity, MUFG, in response to the changes security teams need to make to adjust to the adoption of new digital services. For many organizations, the answer to this challenge is automation. To help "lower dwell time," Dr. Williams says automation is becoming an integral part of identification and response strategies and is being built into many threat detection tools. Automation is also becoming a needed tool for addressing the growing skills gap. According to the Gartner report, Top Security and Risk Management Trends, January 2019, "The number of unfilled cybersecurity roles is expected to grow from 1 million in 2018 to 1.5 million by the end of 2020."
In addition to the resource strain, the shift to digital has a dramatic impact on the traditional IT perimeter. "Today, there is no more perimeter," says Dr. Williams. "It's been poked full of holes." As organizations adopt more mobile technology and embrace technology with more endpoints, the security team's job is made even harder. The result: organizations need to be honest about "what risks are associated with the innovations they're adding into their environment" before adopting them, advises Dr. Williams.
This echoes conversations heard from security and risk professionals at RSA Conference earlier this year in San Francisco. There is a need for open dialogue between security and business leaders. "[Organizations] embark on digital transformation without understanding the risks," explained Otavio Freire, President and CTO of SafeGuard Cyber, underlining the reason why collaboration is needed to avoid the creation of potential vulnerabilities.
As companies continue to undergo digital transformation, the growing amount of data (and the responsibility to manage it) is, no doubt, overwhelming today's security teams. Because organizations are "drowning in a sea of data," security teams need to focus on the right data set, which is why investing in tools that can help the SOC identify, assess and respond to risks quickly is crucial, says Dr. Williams.
Adding to the list of security team responsibilities: the cloud. Although cloud migration is not a new trend, IT teams are continuing to migrate services to cloud environments. In the Gartner report, Top Security and Risk Management Trends, January 2019, a survey of technical professionals based primarily in Northern America found that "40 percent of respondents indicated their organizations would be spending the majority of new or additional funding on the cloud." But are cloud adopters prepared to manage the associated risks that could impact the business? When it comes to migrating a workload to the cloud, Williams explains it's imperative for organizations to do more research upfront to understand what the process involves. In his view, organizations need to ensure "[they're] getting the benefits [they] were promised." The mindset needs to shift away from "right click and migrate to cloud" to organizations driving the migration through strategic planning.
What trends will next impact security and risk professionals?
As the skills gap grows and adversely challenges lean security teams, many are taking on an "agile mentality" as a way to "get around processes," said Williams. This trend was first realized in the focus on DevOps. Because IT moves faster than security teams, they're often "maneuvering" around standing policies that are in place to help "deliver predictable outcomes." This maneuvering is creating both cyber and digital risk – all of which is avoidable.
What's the solution? It starts by wiping the traditional negative view of risk teams. "For years, risk management teams were strictly seen as the 'compliance team,' but organizations need to get beyond that thinking," argues Desjardins. Instead, he offered that risk needs to be playing a larger role in helping IT and the business plan for the future. Going forward, as opportunities arise to digitally transform your organization, how will your security and risk teams manage the risks?
Source: Gartner, Top Security and Risk Management Trends, Peter Firstbrook, Brian Reed, et al., 31 January 2019.
Learn more by watching the replay on Demystifying Digital Risk.