The paradox and paranoia of security in the digital transformation era

The digital world can at times seem one of contradictions. Apps are essential and enable us to enjoy the benefits of mobility, and the network is the vital mechanism for enabling apps and delivering them to digital-hungry end-users. So enterprises must be open to the outside, to embrace cloud, allow more devices and apps onto corporate networks and give users freedom – but they must do so in an era with more sophisticated cybersecurity threats than ever. How do you find the right balance?

It’s not “just” about technology

There is more than technology to today’s cyberthreats: attackers sometimes have political intentions, and institutionalized crime by state bodies is a reality. It’s a paradox that trust has been undermined by those very institutions that citizens rely on to provide it. Some malware and ransomware tools developed by these state bodies can be purchased relatively cheaply on the dark web and used on-demand by hackers. The cyberthreat world has evolved past all recognition.

Meanwhile, flexibility, scalability, speed and business enablement remain fundamental drivers of digital transformation (DX), so enterprises must now regard cybersecurity from a strategic business angle and factor in risk management to address it effectively.

Digital transformation: rewards far outweigh the risks

According to Fortinet’s 2018 Security Implications of Digital Transformation Report, 92 percent of Chief Information Security Officers (CISOs) say digital transformation is having a “somewhat large” or “extremely large” impact on their organizations, but 85 percent also say security issues are the biggest barrier to successful DX. A stark recent example occurred in Singapore, where hackers stole a third of Singapore's healthcare data, including the Prime Minister's, and were attacking the database for eight days before being discovered.

Bring Your Own Device (BYOD), the Internet of Things (IoT) and the cloud are some of the key elements driving DX. But BYOD and IoT in the enterprise present a far larger risk surface than what has been faced previously. Embracing the cloud also means opening up to increased risk. Meanwhile, in more mechanized sectors like mining and electronics, moving towards the Industry 4.0 model and deploying robots on production lines or using autonomous vehicles in mines come with a greater exposure to risk.

The paradox here is that DX has made workers more productive and organizations more agile, but it has made the lives of the IT department and CISO more difficult, burdening them with more devices to police and manage.

The compliance factor

Regulatory requirements also now impact security best practices: data protection initiatives like GDPR in the EU or national regulations recently implemented in Singapore, China and Australia add pressure to companies already battling to reinvent business models for the digital era to remain competitive and drive innovation and growth. The paradox here is that while regulation is intended to help improve security and make operations simpler, regulation also generally makes life more complicated for organizations.

Innovation outpacing response

One of the challenges of the DX era is that innovation moves at a much faster pace than security can respond to new threats. Gartner forecasts that 60 percent of businesses will be the victim of a major service failure by 2020, due simply to being unable to manage digital risk. A change in philosophy and mindset is needed: enterprises must have established, mature cyberdefense strategies in place that are far-reaching in scope and all-encompassing in personnel. At the same time, all staff must be trained and know their role in protecting against attacks, to the point of being paranoid about security and not leaving it to others or the IT department.

Industry seems to be recognizing this, with companies spending 7.6 percent more on IT security in 2017 versus 2016, while focus is shifting too, with 60 percent of budgets in 2020 set to be used for rapid threat detection and response versus just 20 percent in 2015.

There has also been a shift from Managed Security Service Providers (MSSPs) to Managed Detection & Response (MDR) Providers: managing traditional IT assets like firewalls, proxies and intrusion detection probes has become a commodity, but managing events, data and threat intelligence feeds from those assets, backed up by analytics that embrace AI, machine learning and automation to respond and retaliate to threats, has become a new trend. Cybersecurity has become a strategic tool rather than just an insurance policy companies “have” to have.

Finding talent remains tough

Finding top-class security staff has always been a challenge, and today 45 percent of organizations say they have problems recruiting cybersecurity experts. Concurrently, managed security services are on the rise, predicted to be worth $27 billion by 2020, at a CAGR of 11.8 percent.

So as a consequence of DX, companies are now concentrating on simplicity and are increasingly consolidating security vendors. 10 percent of companies will drop RFPs from security programs by 2022 and implement more agile selection processes: security providers will have to show agility in addressing customer needs and deliver pay-per-use offerings – a long way from their heyday of long, multi-year contracts. The paradox here is that while it was always considered crucial to keep security in-house, today more companies than ever are outsourcing it.

A complicated time of opportunities

If all this seems daunting, don’t worry. At Orange our dedicated security arm, Orange Cyberdefense, has the necessary expertise across the security risk lifecycle and we recognize that our customers need to defend not just end-users but also their identities, remote access and data, whether stored on legacy systems, private clouds or public clouds. Orange Cyberdefense operates around agility and collaboration with the IT industry at large, since we know this is a fight that cannot – and should not – be fought alone. So we have built on our managed security service to strengthen the native security of public clouds like Azure and we provide market-leading threat intelligence capabilities to help customers monitor and investigate emerging threats, fraud and data leaks.

No one security industry company has the keys to the whole kingdom now. Only through solid collaboration and information sharing between security companies – and customers – can we keep businesses safe. Furthermore, security in the DX world is now, and will always be, a dynamic activity that evolves perpetually. A final paradox: success in cybersecurity no longer means being the one company that avoided being attacked; today, everyone succeeding in preventing attacks means we are all safe. The old rules have changed. We must change with them.

Nicolas Drogou

Head of Security Practice
Orange Business Asia Pacific

Nicolas Drogou is the head of Security practice in Asia Pacific for Orange Business. With more than 17 years of wide-ranging international experience across communications technology, he is now responsible for enhancing the company’s security footprint in the region by leveraging global and local capabilities across managed security and integration services.