SecurityWeek
The VC View: Digital Transformation

After every company goes through digital transformation, their threat model will change in response

The first thing to ask before we talk about digital transformation is what the heck “digital transformation” even means. The reality is that there isn’t a standard definition. Every company is going to have a slightly different path, and many people have different opinions on what it stands for. But the fact that the phrase can be a trigger for folks does say a lot about why we need to talk about it.

The reality is that digital transformation is going to be different for every company. For Amazon, that is projects like building their own logistics service to be able to deliver ecommerce items quicker. For McDonald’s, that is going from cashiers and credit cards being involved in every order to a mobile application that allows customers to order, apply coupons, pay and go straight to the second drive-through window for their food.

The reality is that innovators are developing new technology every day to solve problems. As some of those new solutions become commonplace, our expectations across the board continue to change over time: because XYZ has built the self-service functionality that allowed us to avoid waiting in line, we eventually start to expect that same convenience from company ABC.

Digital transformation is impacting the security ecosystem across two primary directions: increased work from home (WFH) and increased business conducted digitally. I’ve written about the impact of WFH on security in a prior article. So, I’ll focus on the security of digital business in this article.

I think the future of securing digital business is going to go beyond the web/appsec/product security + ATO problems that we’re working on today. The future we’re starting to see is threat actors evolving beyond SQL injections, misused credentials and, most recently, bots. Instead, I envision security mirroring financial fraud’s evolution.

Misused credentials are like stolen credit card numbers: over time, by improving detection and response capabilities, banks have reduced the value of a stolen credit card number. And no matter how much fraud they do stop, at the end of the day they’re willing to accept a certain amount of it. It’s better to keep the business running smoothly than to introduce serious barriers that may or may not completely eliminate fraud.

In security, I see something similar happening: after every company goes through digital transformation, their threat model will change in response. It’ll be the responsibility of the security teams to help shepherd these transformations over time with enabling business in mind, while also reducing risk to an acceptable amount. Just like it took time for security breaches to become a common board topic, it’s also going to take time for the security industry to evolve. One day, organizations will be comfortable “accepting” a reasonable amount of risk without the CISO being the scapegoat. 


While “accepting risk” is already happening, the latest answer to risk, cyber insurance, isn’t nearly enough. The next step in our evolution is to continue the fraud parallel and look to quantify cause and effect: to build security analytics models, like fraud models, with inputs and outputs that actually drive whether a transaction goes through or not.

For a possible view of what this might look like: the FAIR Institute, in my mind, is currently the furthest along in building mindshare behind a quantitative model for security risk. I believe that in the future we will have an integration-centric system that takes the output from models like FAIR’s that measure risk and correlates it to models that accurately measure severity (minor, major, critical). This severity will also be easier to measure because digital transformation tends to reduce layers of complexity (for instance, many orgs standardizing on one public cloud, SaaS applications, etc.). With this correlation, I believe we’ll be able to more quickly see cause and effect, so that one day we’ll be able not only to standardize the security processes and technology that “just work” but also to identify the newest malicious tactics as they are happening.

Tying it all together: I believe digital transformation in business is going to drive financial transformation in security.


Written By

Will is a Managing Director and a founding team member at ForgePoint Capital. He has been an avid technology enthusiast for decades: building his first computer in elementary school and starting online businesses while completing his bachelor’s degree from the University of California, Berkeley. Focusing on security startups for a decade, he has worked with more than 20 cybersecurity companies to date. In his spare time he’s a foodie with friends, enabling serendipity and building communities.
