Moving from legacy systems to the cloud, deploying new technologies and making greater use of data can present serious regulatory and security challenges. However, it inevitably pushes the need for a watertight cybersecurity strategy up the corporate agenda too, which is good news for governance leaders keen for cybersecurity to be taken more seriously. Is digital transformation a security nightmare or a hidden opportunity?
Senior stakeholders who might previously have been on ‘team nightmare’ may have switched sides during the pandemic, or at least see digital transformation as less of a threat now. “The world has shifted from risk-based aversion to digital transformation to thinking about it in terms of competitive advantage or a unique differentiator for their business,” says Liam Healy, SVP & managing director of Diligent, a leading governance, risk and compliance software-as-a-service company.
In addition, 83% of board directors recently identified cybersecurity as a top priority, according to research by the Tricor Group and Financial Times Board Director Programme. However, less than half of respondents reported that their boards had actually taken action to improve cybersecurity during the pandemic. This suggests that governance, risk and compliance leaders still have work to do to push cybersecurity improvements over the line. Where should they start?
“They need to understand the obligations of the business – the risks they have to manage to be compliant – but also shift their focus towards the overall strategy of the business, and how to partner more closely with colleagues in the IT and information security team,” Healy says.
They also need to have a good grasp of how information enters and moves through the business, where it is stored and who has access to it. “A great example of this is board papers or any sort of sensitive information that, from a governance standpoint, is curated by multiple individuals,” says Healy. “It’s often not the final version that’s the most sensitive; it’s version ten. And if that version is leaked or sent to the wrong email account, that’s a big risk.”
The security demands of distributed workforces also need to be accounted for. “Is your home network secure? If you’re on the road, is that network secure? Disappearing physical boundaries pose a big challenge for many organisations,” says Henry Jiang, CISO at Diligent.
To solve this challenge, governance, risk and compliance leaders must revisit security strategies and ensure that as well as protecting infrastructure, they are also data centric. “The document someone is pulling up on their laptop, how do you protect that? How do you redesign the security programme so that protection extends right down to the endpoints where data resides?”
A redesign of this scale is no mean feat, especially when carried out in conjunction with all the other elements of digital transformation. “Digital transformation is a massive undertaking,” says Healy. “It’s often a multi-year process that has to be undertaken in bite-sized chunks.” Any security transformation therefore needs to be organised in a sequential fashion that prioritises essential issues so that the business can hit key objectives and milestones without disruption. It should also aim to be a “force multiplier” of good processes, says Healy.
One thing governance leaders can be sure of is that the senior leadership is now likely to be more receptive to their advice. Frequent stories about regulatory fines or compliance gaps were winning governance, risk and compliance professionals a seat at the top table even before the pandemic struck. And with ESG issues now a central plank of many business strategies, there’s never been a better time for these individuals to make themselves heard.
“Governance, risk and compliance professionals have a unique opportunity to capitalise on what the world cares about,” says Healy. “They have the ear of the CEOs and CFOs of many institutions, and directors are asking: ‘What’s our plan here?’ ” In fact, many board members are now extremely well educated on cybersecurity issues. “There are more champions on the board these days than there have ever been,” says Healy.
Of course, no security or governance programme can completely eliminate risk. “Security practitioners like myself need to talk about these risks in a language the board can understand,” says Jiang. However, he advises against using scare tactics when attempting to push for more robust measures. “That said, you should always speak candidly about the risks associated with data.”
He recommends using key risk indicators, data and standards to make your case. But once you have the support of the board, it’s essential to report back with tangible results. “You can’t say ‘give me X amount of dollars,’ and then the security programme stays at the same level,” he says. “Progress has to be made.”
There may also be some push and pull between governance leaders and those in other departments who are keen to roll out innovative new products and services as quickly as possible. “People aren’t asking for less these days,” says Healy. “They want things to be faster and better than they are now…the challenge with all this is that you also need things to be secure. You have to have control over sensitive information even though everybody wants it to be at their fingertips.” Squaring this circle is an ongoing challenge, “especially as cyber threats continue to proliferate,” says Healy.
Success may depend upon how adept governance leaders are at recruiting champions throughout the organisation, namely individuals with the power and influence to push cybersecurity up the corporate agenda and ensure it is an integral part of any digital transformation rather than a ‘nice to have.’ Healy adds: “They’ve got to not just identify who these individuals might be, but secure their buy-in early on in the process.” He adds that an approach along the lines of ‘this is what we need to do, it’s tied to these business objectives, and here’s why I need your help with it’ is more likely to succeed at securing executive-level support.
The role that any partners and vendors will play in an organisation’s digital transformation and cybersecurity strategy needs to be carefully considered when upgrading security practices. “It’s important to have an objective view and lay out what the key priorities are for selecting your partnerships and your vendors,” says Healy.
Granted, none of this can be achieved overnight. But one thing is undeniable: there’s never been a better time for governance leaders to convince senior stakeholders that digital transformation isn’t a security nightmare. It’s a security opportunity.
To learn more about how Diligent’s modern governance platform brings together the disparate tools, data and integrations and processes into one place so that leaders can govern at today’s pace of business, visit diligent.com