‘Digital Transformation’? Sure, But First ‘Disrupt’ Cybersecurity

May 15, 2019  Jeff B. Copeland

Digital Transformation: "The blurring of the physical and virtual worlds...transforming business designs, industries, markets and organizations,” Gartner says. “Technology will be embedded in everything in the digital business of the future.”

That message is being heard loud and clear: In  Gartner’s 2019 CIO survey, 49% of CIOs report their enterprises have already changed their business models or are in the process of changing them, as part of a digital transformation.

And 33% of businesses told Gartner that they are now at the most-evolved stages of “digital maturity” – in Gartner’s terms either scaling up on a well-developed digital foundation or optimizing or even disrupting their digital businesses and venturing out to disrupt new markets.

In Gartner’s terms, that means companies are already enmeshed in complex “eco-systems” that deeply tie them to customers and vendors through technologies such as the cloud, IoT, mobile and applied AI. All that generates enormous opportunities for greater productivity, speed to market and customer loyalty.

And enormous opportunities for threat actors: a much larger target surface area, more attack vectors and more opportunities to exploit more holes in risk management.

The downside of digital transformation and digital business model disruption could be more physical disruption of business operations: ransomware, botnet hijacking, espionage and blackmail.

Cyber risk is business risk, and increasingly so. Or, as Gartner calls it “integrated risk management”, the blurring of the lines between cyber risk management and operational, market and strategic risk management.

Meanwhile, how is the “digital maturity” of cybersecurity practices keeping up with the rest of digital transformation?

At the  2018 FAIR Conference, Jack Jones, Chairman of the  FAIR Institute (and creator of the  FAIR model for quantitative cyber risk analysis), presented some findings from the Institute’s 2018 Risk Management Maturity Benchmark Survey. CISOs graded themselves on their capabilities to make well-informed decisions and reliably execute on a cost-effective security program, based on accurate risk measurement and cost-benefit analysis, for instance through the FAIR model.

The results were sobering. The CISOs rated themselves highly on only one capability, complying with risk management standards—in other words, implementing security controls off a checklist of best practices such as the  NIST CSF, the traditional default position of a cybersecurity program.

Checklists and frameworks assume that more controls equal less risk; a quantitative analysis model like FAIR (the engine that powers the  RiskLens platform) quantifies cyber risk in financial terms to empower decision makers to look broadly across the business.  Gartner has identified cyber risk quantification as one of the  five critical capabilities necessary for integrated risk management.

And truly  business aligned CISOs are increasingly adopting FAIR; data points: 8 of the Fortune 10, 75% of the Fortune 50 and 30% of the Fortune 1000 are represented in the membership of the FAIR Institute.

In reality, cybersecurity as it is generally practiced has a maturity gap – it too, is ripe for disruption and transformation. Jack Jones laid out the problem in a recent speech:

  • “The risk landscape is already complex and dynamic, and we have limited resources for dealing with it.
  • “Making well-informed decisions and executing reliably is critical to risk management success.  But as a profession, we do not enable well-informed decision-making or reliable execution.
  • “Digital transformation is only going to amplify complexity and increase the speed of change… and our resources aren’t going to increase at the same volume or pace.
  • “If we want to have any hope of dealing successfully with digital transformation-related risk we have to mature as a profession… quickly.”

Learn more: 

5 Insights from FAIR Creator Jack Jones on Transforming Your Risk Management Organization