Managing enterprise risk amid digital transformation

Digital transformation has expanded the need for security, continuity and resilience. Today’s business must embrace an enterprise risk management strategy that includes legal, regulatory and political considerations.

In an interview with Networks Asia, DXC Technology’s Art Wong, Senior Vice President and General Manager, Security (Global), answers questions about managing enterprise risk amid digital transformation journeys:

As companies embark on their journeys of digital transformation, does security have to continue being a top priority? We’ve been maintaining the confidentiality, integrity and availability of data in all these contexts: on premises, in the cloud, and in hybrid environments, so do needs change with digital transformation?

Enterprises today face a significant level of security challenges across their organizations. IT is no longer a secondary priority; it is now at the very heart of the enterprise and is becoming more complex. In the current landscape, security considerations have grown from preserving data confidentiality and maintaining core applications and networks to become a much larger conversation around managing organizational risk and exposure, including cyber resilience and readiness in the face of attacks.

A recent DXC Technology survey found that investments in cybersecurity vary by region: 50 percent of respondents in Asia-Pacific say they will increase or start using cybersecurity tools, compared with 56 percent in North America and 61 percent in Europe, the Middle East and Africa (EMEA).

Digital transformation has expanded the need for security, continuity and resilience. Today’s business must embrace an enterprise risk management strategy that includes legal, regulatory and political considerations. All levels of the organization should be involved in the discussion. Decision makers should include the chief risk officer, CIO, CEO and line-of-business executives. Furthermore, with companies moving to different environments — from multi-cloud to hybrid cloud — newer considerations must be acknowledged. Companies need to have complete visibility across their traditional and cloud environments, extremely well-defined access controls and owners, and even separate security strategies for on-premises systems and cloud applications.

Take the case of hybrid cloud environments, for instance, where identity is absolutely critical. Inadequate security risk assessments, failure to authenticate and identify, and lack of risk profiling exercises are some of the threats associated with hybrid cloud today. Such environments need thorough security protocols, from the basics, such as least privilege, to more advanced protocols that can safeguard against vulnerabilities. Additionally, technology concepts such as BYOI (Bring Your Own Identity) are becoming mainstream: BYOI has the potential for risk and cost reduction, customer acquisition and income generation for the business.

In the end, the benefits of protection are well worth the commitment. Beyond keeping a business safe, strong resilience delivers strategic advantages and greater confidence in the pursuit of new business opportunities.

In a digital world, we’ve been told that the classic, contained enterprise network no longer exists, so security must be embedded into all applications as the first line of defense. Digital transformation provides the opportunity for security, regulations and compliance issues to be considered and included at the outset of a project. Currently popular is a DevSecOps approach, where security is considered as code and written into the application to make this possible. But is this the way forward for applications and enterprises?

Digital transformation has allowed for security to be taken into account right at the outset of a project. In this age of digital transformation, DevSecOps is an appropriate approach. What’s great about DevSecOps is that it embodies the concept of placing equal importance on security as it does on development and operations, thereby underscoring how security should be integrated into every part of a product or process, as opposed to being bolted on. DevSecOps helps bring together everyone involved in the security conversation every step of the way, making ownership a joint responsibility. It encourages developers and business decision makers to understand the importance of security and make use of security tools while simultaneously encouraging security/IT to constantly engage with these teams and help them apply the latest standards and best practices.

Looking at this from another vantage point, it is imperative to also put in place a more data-centric approach to security. This emphasizes security of the data itself rather than the security of networks, servers, or applications. With a data-centric security approach at the heart of security policy, the enterprise’s core is adequately safeguarded.