Digital Transformation Increases Cyber Risk
by Frank Ohlhorst
Many enterprises are discovering that the path to digital transformation has many stumbling blocks, some of which are only discovered deep into the journey. While it may be difficult to predict where the trouble spots are along the journey, digital transformation champions can avoid some obstacles by taking a look at some recent research.
For example, a recent report from CyberGRX and the Ponemon Institute identifies some of the challenges of digital transformation in the context of cybersecurity. The report surveyed more than 800 IT security and C-suite executives and identified two critical themes among enterprises:
- Businesses’ drive to achieve digital transformation has significantly increased their reliance on third parties, despite the majority having no third-party cyber management program.
- A hazardous misalignment exists between IT security teams and the C-suite, especially regarding the importance of securing assets and other areas of risk.
Both themes prove troubling for those looking to maximize their digital transformation efforts.
Take, for example, the increased reliance on third parties to enable the digital transformation process. When third parties are involved without proper oversight, it becomes all too easy for critical security elements to fall through the cracks. Some 58% of respondents said that despite the increased risk, their organizations have not deployed a third-party cyber risk management program—more than half of those that responded have no way to fully measure their level of cyber hygiene. What’s more, 63% of respondents say their organizations have difficulty ensuring there is a secure cloud environment.
Those two statistics speak volumes when it comes to threat management and mitigation. Businesses that can’t identify and measure potential vulnerabilities may quickly become the victims of cyberattacks. Even more troubling is a lack of teamwork when it comes to cybersecurity hygiene—only 24% of respondents claim that the CISO is the most involved person in the digital transformation process. That means some three-quarters of businesses are accelerating digital transformation without the watchful eye of the organization’s cybersecurity professionals. What’s more, some 82% of respondents believe their organization has experienced a breach due to their digital transformation efforts.
“Digital transformation is driving utilization of third parties, which can introduce significant risk to your organization. In fact, over 60% of breaches today are linked to a third party,” said Dave Stapleton, CISO of CyberGRX. “With this stat in mind, it’s no wonder that a multitude of potential third-party cyber risk management (TPCRM) solutions have been developed. Sorting through these tools and arriving at the right fit can be a challenge for cybersecurity teams.”
The question becomes one of how businesses can mitigate the potential cybersecurity problems introduced by reliance on third parties for their digital transformation objectives. As Stapleton noted, it may come down to implementing TPCRM solutions.
TPCRM, as the name implies, is about equipping an enterprise with the tools to extend its risk management practices to the third parties it depends on; in other words, taking a holistic approach to cybersecurity that applies controls, policies and protections across internal, external and third-party systems alike.
Yet, as with any technology, there are a few best practices that enterprises can pursue to make sure a TPCRM solution addresses their primary pain points:
- Leverage automated tools: Large organizations can have hundreds or even thousands of third parties, ranging from cloud vendors that serve an entire company to contractors that work for just one department. Proper due diligence can be a labor-intensive process and automation can greatly reduce the man-hours required.
- Collect structured data: Third parties can be notoriously difficult to deal with when it comes to defining security hygiene. A security intelligence tool can gather the structured data needed to assess each third party’s risk automatically, rather than relying on ad hoc questionnaires.
- Rate risk: Assigning risk ratings can be a tremendous time-saver when it comes to dealing with cybersecurity issues. Since not all vendors pose the same level of risk, a rating helps cybersecurity professionals prioritize which problems to solve first.
- Monitor in real time: Enterprises need to continuously monitor their own security posture and the security posture of third-party tools; otherwise, assets may be exposed to breaches or zero-day attacks between point-in-time assessments.
Slaying cybersecurity demons can only be achieved by using a holistic approach that brings automation into the picture. The CyberGRX/Ponemon report offers additional insights into the problems that enterprises may face in the near future on their digital transformation journey.