Hey you, CISO. Do you know your organization’s business? I mean at the level of knowing the financial numbers, the balance sheet, drivers of revenue and expenses, efficiency ratio. Do you know your company’s market share vs. competitors? What are the trends and benchmarks? What is the growth strategy? Over what timeframe?
What are the business strategic goals for the next year? I bet many of us have not looked. Maybe you did look, didn’t see anything specific to cybersecurity, decided no one cares about protecting the organization’s electronic assets? You know who you are.
Many CISOs feel they are left out of the business strategy loop—and well, a lot of us are. Business leaders define a vision and goals for digital transformation. The Innovation leaders, CIO, CTO and enterprise architecture all start a plan to support the transformation. Then someone thinks about us, the CISO, maybe after days, weeks, maybe months. People seem frustrated that they have to catch us up, and let us do our job. Any frustration they feel is their fault though, right? I say, not so. Maybe time for a look in the mirror, especially if we are consistently being forgotten.
Strategy is determined by senior leadership—executives. Are we, as CISOs, regarded as executives? I am not giving automatic credit for the “C” in CISO. Do the executives in our organizations regard us as senior leadership peers, continually mindful of the best interests and strategic direction of the organization? When our boss needs someone to pinch-hit for them on a topic outside security, do they think of us? Do our peers worry about us competing for the boss’s job when they leave? On the other hand, are we the security police who speak a different language and show up for the quarterly audit committee meeting to scare everyone? Do we think that is our job? I’m suggesting that isn’t our job—at least not all of it. Of course, we’re paid to identify and manage risk according to organizational risk tolerance and business objectives. At the end of the day, if we want to be regarded as leader-executives, we help execute business strategy first. If we’re good CISOs, we manage risk appropriately, aligned with business objectives, within that strategy.
Jumping over to the topic of digital transformation as part of business strategy: what is it? I mean specifically for your organization. Not the basic “blah-blah transforming core business to meet customer needs by using technology and data...” Unless you work for one of the major technology disruptors, the Facebook, Amazon, Apple, Netflix, Google (FAANG) group who are doing the disrupting, your organization is probably reacting to, or following, those FAANG companies. The reaction is often a very specific and deliberate digital transformation effort.
Consider the situation in healthcare, where consolidation carnage has begun. Insurance companies are merging with retail and pharmacy organizations. Provider health systems are merging, then merging again into even larger systems. All health organizations are wondering how the FAANG companies, along with the thousand other “health apps” out there, will threaten to disintermediate them from their consumers and would-be patients. The days of waiting for a consumer to decide they are a patient and show up at the door are over. To be a viable health organization, you had better know how to reach consumers and become their provider of choice for any given health service—before they know they need it. That is the premise of digital transformation as part of business strategy in healthcare.
Higher education is another sector facing several pressure points. New competitors are entering the market for the same reasons as in healthcare—they believe they can provide the service better, faster and cheaper with better technology. Higher education costs face the same social and political scrutiny as healthcare. Public, non-profit universities are under pressure to reach at least break-even profitability—without burdening students with huge loan debt. At the same time, the consumer experience—for faculty, students and staff—is vital to grow and succeed. Digital transformation must address the administrative processes for managing the organization, improve the availability and delivery of course content, and provide the ability to collect data for analysis and planning of further transformation. Of course, this must all happen on a highly agile, scalable and appropriately secure platform—in the face of cultural headwinds.
The FAANG companies are challenging every sector, and in some ways have a head start on all of them, as most people already have a digital relationship with those companies via their smartphone. Many organizations are just now learning how to compete for consumers in a digital world. The specific digital transformation efforts vary from moon-shot level complexity (for healthcare) with natively built applications on IaaS and PaaS cloud infrastructure, to simply trying to increase enrollment on the existing vendor-provided patient portal.
Regardless of what sector we are in, digital transformation is becoming ubiquitous. Every sector is adapting to this new age. Further disruption from automation, content streaming, social media, self-driving cars, etc., has or will affect every organization in the world. We must prepare.
What does all this mean to the CISO? We need to understand several things.
• We can no longer be merely the leader of information security.
• We must understand the salient details of our organizations’ business processes and digital transformation strategy. For example: specific metrics of success (daily active users, abandoned shopping carts, unfinished processes), cost efficiencies, and business process automation goals.
• Our companies won’t grow and compete from our own data centers. Cloud infrastructure provides massive computing and storage capabilities, enabling growth and flexibility. Our people, processes and tools must scale accordingly.
• The multi-cloud environment is the new digital battlefield. Connectivity providers are the arms dealers. SaaS, IaaS, PaaS and custom-built applications are the weapons. We need to learn how to enable and appropriately secure these technologies for all stakeholders—and we can’t do it the same way we’ve done things in the past.
• A legacy security mindset and legacy tools will hinder multi-cloud adoption and digital transformation. Dynamic, automated provisioning and destruction of cloud infrastructure resources based on utilization and capacity needs simply outpaces many of our “on-premises” security platforms.
• Our organizations may adopt different strategies for acquiring technology services than in the past—we must adapt. For most organizations, there will be a mix of building, buying and partnerships for technology services and solutions. We must abandon past bias for or against particular vendors or solutions and do the right thing with our executive partners.
• Most importantly, we need to understand how to appropriately manage risk. Go read job descriptions for CIOs, CTOs and other positions involving digital transformation. The word “appropriate” often precedes the word “security.” The hiring leaders for these positions want security, and understand there is a cost. However, they don’t want a security leader pushing for zero-sum scenarios that stifle functionality and speed-to-market. They want security partners who equip themselves with new skills—technical and leadership—and join the other executive leaders in the organization in successful digital transformation.