We’ve all heard the buzz word “digital,” and I am often asked questions about how to analyze and oversee the risks of enterprise-wide digital transformation. While a possible nuisance to the person asking, my first answer tends to be a question. What do you believe it means for your enterprise to become digital? Only once your company answers that question can the challenges and risks associated with a well-managed transformation be weighed. Invariably, the answers to this question are unique and divergent. The answers also, by necessity, should include insights into these added threads: • How do we manage digital transformation risks without taking our focus off cybersecurity? • What is the role that cybersecurity plays during digital transformation? Cybersecurity and digital transformation are two areas that are rife with risk, and are shaping challenges around enterprise risk management (ERM) that are both divergent and orthogonal. In order to reengineer the enterprise for digital excellence, cybersecurity risks must be considered hand-in-hand with the risks inherent in disparate digital infrastructures. Our consumers and stakeholders expect mobility, with just-in-time, just-in-context service. They also expect the digital experience to include interaction expected anywhere in the world the consumer may happen to be located, while at the same time responding immediately to changes in consumer behaviors. No pressure, right? Digital transformation is critical to most enterprises, but how can the board successfully oversee these the management of these new risks? First, the board should consider the operational changes that come with digital transformation. Defining Enterprise-Wide Digital Transformation To achieve the new digital paradigm, enterprises embrace new technology models to deliver a digital experience for end consumers. These models often require vast adjustments to the organization, business, and technology operating models to be successful. Consider this example. To meet consumer demands for digital experiences, enterprises are embracing cloud services as a platform to accelerate delivery of a product or service. This means that there is no physical data center lurking in a corner of your corporate headquarters where your technology operations team goes to provision, configure, and adjust wiring and floor space. There are no blinky-lighted servers on site that developers and the business historically have monitored. What does this change bring? - Operating model change. - Technology model change. - New risks. Continuing with the example, infrastructure-as-a-service capabilities like the ones offered by Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform provide enterprises a “virtual data center,” an environment where developers can begin to create code for a new product immediately. This increases the speed to launching a new digital service. What happens next? Everything changes again. The company would now need a development operations (DevOps) team with combined software development and information technology operations skills to shorten the systems development life cycle (SDLC)—all while delivering features, fixes, and updates frequently in close alignment with business objectives. Where is the segregation of duties? Where is the old SDLC waterfall process of requirements (design, build, test, then deploy software) all run by separate teams with a set of controls that source documented evidence? Oh yeah, we don’t do that anymore as a digital organization. Once an organization begins the process of digital transformation, the technology operating and control models change, business objectives have to adjust to consumers’ digital demands, and the roles and talent requirments needed to function absolutely evolve. We’ve seen too often that enterprises that rely on digital channels can be interrupted and burdened by cybersecurity missteps. Without an imperative to transform cybersecurity prior to operating the enterprise in a new digital format, disasters are bound to happen. As reported by Bloomberg, one example of many things that can go wrong with the shift to digital operations was the breach at Uber Technologies. The company was utilizing a private Github repository—a cloud-based development resource—for its code. A careless developer left logon credentials of users open to bad actors, allowing them to access Uber users’ data on AWS. While this is a fairly simple illustration of the disconnect between digital transformation and cybersecurity practices, your cybersecurity program and controls need to evolve to a new method of operating digitally and provide an appropriate set of controls that enable strong risk management. Don’t allow your management team to make the mistake of accelerating digital transformation without first analyzing the readiness of your company’s cybersecurity program to manage these new digital operating models and domains. Sequencing Digital Change With Digital Cybersecurity Cybersecurity risks and challenges are omnipresent, and the risk and threat landscape continue to evolve at the pace of our digital environments. Making the move to embrace digital operations only expands your company’s attack surface. While your company once was operating out of a data center with its own server hardware, the move to the cloud means that the company’s data operations may now be functioning in “rented,” multi-platform environments such as native cloud, software as a service (such as Salesforce Cloud), or outsourced, provider-managed environments. One essential question that directors can ask the technology and security leaders of their companies is, “Have we built new cybersecurity capabilities to secure our increasing attack surface and the new digital environments and channels?” The answer in many cases is that your cybersecurity program has not transformed digitally and could be unprepared for a new digital paradigm. The previously effective cybersecurity program you had in place was not purpose-built to enable a digital transformation. It was instead built for a world of data-center centricity and simple service offerings managed from a web application storefront—all solutions that are protected by on-premise firewalls, endpoint security, denial of service security, content filtering solutions, and a host of other appliances managed in the company’s data center. Therefore, it’s important to consider a risk assessment to determine the readiness of the company’s cybersecurity program to secure its new digital domains and environments—on premise and off. The companies that build a digitally-transformed enterprise that places the cybersecurity program first, will see greater success in enterprise digital transformation. They are able to demonstrate to the market that they are operating with a well-managed risk posture, and are able to move faster to achieve safe, sound digital success. Overseeing How the Risk Is Managed: A Way Forward Every enterprise believes that they have a winning strategy to thrive within the new digital market, but the hard truth is that they will not all be winners. Those that win will have a digitally enabled cybersecurity threat and risk management platform operating in harmony with their digital business strategy. The risks of digital transformation and cybersecurity are clearly impacted by ensuring the right sequence of digital strategies while managing the risks during this transition. As board members, it’s our imperative to ask the questions of enterprise digital readiness for cybersecurity and having purpose-built cybersecurity for digital environments. Here are my suggtestions for questions to ask your management team to determine if the cyber- and enterprise-wide risks of digital transformation are being properly conceived of and managed: 1.) How are we defining digital transformation for our enterprise with regard to the business and technology operating models? 2.) What are the cultural impacts on the personnel and teams affected by digital transformation? How are we considering the organizational risks as we require new talent and roles to operate digitally and manage risk during the transition to digital operations? 3.) Have we performed a risk assessment to determine the impact of the changes to the business, technology, and cybersecurity operations required to become digital? How is our attack surface expanding with the movement to digital operations and how are we managing the risk? 4.) How are we sequencing required changes to digital operating models for cybersecurity, technology, and the business? 5.) How are we measuring the effectiveness of our cybersecurity program with the transformation to digital? Are we making the right investments in cybersecurity to manage digital cyber risk? Like the nuisance question at the beginning of this statement, getting the right answers will be the key to sound oversight of a successful digital transformation program at your company. Tony Spinelli is CEO and founder of S7 Advisors LLC, and is a board member of Blue Cross Blue Shield Association, director of Peapack Gladstone Financial Corp., and board member of Per Scholas. He previously served as chief information security officer at Capital One Financial Corp. and has served on the board of advisors for several organizations, including the National Security Agency, Cisco, Coalfire, and IBM.