While digital transformation is understood to be critical, its rapid adoption, as seen with cloud providers, IoT and shadow IT, is creating significant cyber risk for most organizations. Today, these vulnerabilities are only exacerbated by misalignment between IT security professionals and the C-suite.
The research by CyberGRX and Ponemon Institute surveyed 900 IT security professionals and C-level executives covering financial, healthcare, industrial, public sector and retail industries.
Digital transformation is increasing cyber risk
Digital transformation is increasing cyber risk, and IT security has very little involvement in directing efforts to ensure a secure digital transformation process. Such misalignment of resources is illustrated by 82% of respondents believing their organizations experienced at least one data breach as a result of digital transformation.
Fifty-five percent of respondents say with certainty that at least one of the breaches affecting their organization was caused by a third party.
Digital transformation has increased reliance on third parties
Digital transformation has significantly increased reliance on third parties, specifically cloud providers, IoT and shadow IT, yet many organizations do not have a third-party cyber risk management program.
Sixty-three percent of respondents say their organizations have difficulty in ensuring a secure cloud environment and 54% of IT security professionals say avoiding security exploits is a challenge.
Additionally, 56% of C-level executives say their organizations find it a challenge to ensure third parties have policies and practices that ensure the security of their information.
IT security and C-suite misalignments
Conflicting priorities between IT security and the C-suite create vulnerabilities and risk. These two groups do not agree on the importance of safeguarding risk areas, including high value assets.
IT security respondents are more likely to say the rush to produce and release apps, plus the increased use of shadow IT, are the primary reasons their organizations are more vulnerable following digital transformation.
In contrast, C-level respondents say increased migration to the cloud and increased outsourcing to third parties make a security incident more likely. The majority of C-level respondents do not want the security measures used by IT security to prevent the free flow of information and an open business model.
Budgets are, and will continue to be, inadequate to secure the digital transformation process. The majority of organizations do not have adequate budget for protecting data assets and don’t believe they will in the future. In fact, only 35% of respondents say they have such a budget.
Because of the risks created by digital transformation, respondents believe the percentage of the IT security budget allocated to digital transformation today should be almost doubled, from an average of 21% to 37%. In two years, the average percentage will be only 37% and respondents say ideally it should be 45%.
“If there’s one major takeaway from our research, it’s that digital transformation is not going anywhere. In fact, organizations should expect—and plan for—digital transformation to become more of an imperative over time,” says Dave Stapleton, CISO, CyberGRX.
“For this reason, organizations must consider the security implications of digital transformation and shift their strategy to build in resources that mitigate risk of cyberattacks.
“Based on these findings, we recommend involving organizations’ IT security teams in the digital transformation process, identifying the essential components for a successful process, educating colleagues on cyber risk and prevention, and creating a strategy that protects what matters most.”
Security personnel and senior management need to unite
The research identifies trends and best practices from organizations that had mature digital transformation programs in place. These findings suggest that across organizations, flexibility and collaboration, particularly between IT teams and C-level executives, will be key to ensuring digital transformation that is both efficient and secure.
Going forward, it is imperative that C-level executives comprehend the level of risk they take on when they become vulnerable to reputational damage brought on by security incidents involving third-party relationships.
At the same time, both security personnel and senior management need to unite on a strategy that lowers the organization’s cyber risk profile while keeping key business goals and operations in sync. Finally, significant investments in skilled personnel and the technologies that secure and protect data and assets must be made to reduce third-party risk.