“Digital transformation” is the buzzword du jour in industry. But executives at RSA Security* warn that it is also magnifying digital risk in ways that are easy to miss.
Annual customer events are typically ‘rah rah’ affairs. They’re occasions for corporate executives to extoll the amazing achievements of their employees, the wonders of their offerings and the infinite wisdom of the assembled.
So the decision by RSA Security President Rohit Ghai to kick off that company’s RSA Charge user conference in Orlando this week by invoking the looming threat of global climate change and recalling the recent plague of deadly ‘megafires’ that ravaged California might seem to be a dangerous gambit.
But talking about California’s deadly ‘megafires’ was no rhetorical lark. Ghai and other RSA executives used the annual event to sound a warning of their own, namely that the eager embrace of ‘digital transformation’ initiatives by the private sector could bring about disasters of a different sort: data breaches, paralyzing malware outbreaks, even the disruption of critical or life-sustaining systems.
“Like climate change, digital transformation magnifies cyber risk,” Ghai warned. Specifically, he and other executives warned that organizations’ enthusiasm for digital transformation initiatives must be accompanied by consideration of the digital risk that those transformations create.
Many trends converge – with uncertain consequences
‘Digital transformation’ is a loose – but popular – term used to describe a number of technology trend lines that are converging across industries. Those trends include the growing use of cloud-based infrastructure and services, the emergence of new types of connected endpoints as part of the “Internet of Things,” the growing embrace of mobility, and organizations’ continued aggregation of data and their application of powerful data analysis and machine learning tools to extract intelligence from that data.
Speaking in Orlando on Tuesday, Ghai said that digital transformation threatens to magnify cyber risk in organizations in the same way that a warming atmosphere magnifies natural disasters on Earth. The result could be an intensifying of already familiar problems such as data theft, denial of service attacks and malware outbreaks that turns them from isolated disruptions into true industry- or economy-wide disasters.
Executives at the show pointed to a long list of incidents that underscore that risk: the recent breach affecting Capital One and other firms at the hands of a rogue Amazon Web Services employee, crippling denial of service attacks like Mirai that are linked to massive networks of compromised Internet of Things devices, and the long list of incidents traceable to third-party managed service and hosted application providers.
Ghai and other RSA executives said that challenges abound. Digital transformation initiatives often cross domains within organizations – combining elements of software development, service delivery, networking and operations, for example.
What data there is on the question suggests that cyber risk management is still treated as a separate domain within companies that is rarely top of mind and, even then, narrowly focused on regulatory compliance and separate from development, IT and operations.
A Top Concern, with Little Visibility
A recent survey conducted by the insurance firm Marsh and Microsoft found that 80% of organizations now rank cyber risk as a top-five concern, compared to 62% in 2017. According to that survey, only 11% expressed a high degree of confidence in their ability to assess cyber threats, prevent cyber-attacks, and respond effectively – a decrease of 8 percent since 2017.
Despite that, a majority of board members and senior executives from the 1,500 surveyed firms who were responsible for their organization’s cyber risk management said they had less than a day in the last year to spend focused on cyber risk issues.
Only 17% of C-suite executives and board members said they spent more than a few days in the past year focusing on the issue. More than half, 51%, spent several hours or less, Marsh found.
As digital transformation reshapes IT, barriers between risk, IT and operations need to come down, Ghai said. “Risk teams need to move with the velocity of digital businesses,” he said. “This is a team sport.”
What that means, practically, remains to be seen. One clear message from RSA’s executive team and some of the company’s enterprise customers was the growing need for risk and compliance platforms to help organizations identify emergent digital risks.
Using the firefighting notion of a ‘controlled burn’ as an analogy, Ghai told RSA customers who use the company’s technology that they need to re-orient their thinking about cyber risk to focus on enabling digital transformation while also limiting their organization’s risk.
As with the hotshot crews who battle massive blazes, the goal isn’t to “stop all fires, but to stop megafires,” Ghai said.
(*) Disclosure: This blog post was sponsored by RSA Security. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.