After every company goes through digital transformation, their threat model will change in response
The first thing to ask before we talk about digital transformation is what the heck “digital transformation” even means. The reality is that there isn’t a standard definition. Every company is going to take a slightly different path, and many people have different opinions on what the phrase stands for. But the fact that the phrase can be a trigger for folks does say a lot about why we need to talk about it.
Digital transformation is going to look different for every company. For Amazon, that is projects like building their own logistics service to deliver e-commerce items more quickly. For McDonald’s, that is going from a cashier and a credit card being involved in every order to a mobile application that lets customers order, apply coupons, pay, and go straight to the second drive-through window for their food.
Innovators are developing new technology every day to solve problems. As some of those new solutions become commonplace, our expectations across the board continue to change over time: because company XYZ has built the self-service functionality that lets us avoid waiting in line, we eventually start to expect that same convenience from company ABC.
Digital transformation is impacting the security ecosystem across two primary directions: increased work from home (WFH) and increased business conducted digitally. I’ve written about the impact of WFH on security in a prior article. So, I’ll focus on the security of digital business in this article.
I think the future of securing digital business is going to go beyond the web/appsec/product security + ATO (account takeover) problems that we’re working on today. What we’re starting to see is threat actors evolving beyond SQL injection, misused credentials and, most recently, bots. Instead, I envision security mirroring financial fraud’s evolution.
Misused credentials are like stolen credit card numbers: by improving detection and response capabilities, banks have steadily reduced the value of a stolen credit card number. And no matter how much fraud they do stop, at the end of the day they’re willing to accept a certain amount of it. It’s better to keep the business running smoothly than to introduce serious barriers that may or may not completely eliminate fraud.
In security, I see something similar happening: after every company goes through digital transformation, their threat model will change in response. It’ll be the responsibility of security teams to help shepherd these transformations over time with enabling the business in mind, while also reducing risk to an acceptable level. Just as it took time for security breaches to become a common board topic, it’s also going to take time for the security industry to evolve. One day, organizations will be comfortable “accepting” a reasonable amount of risk without the CISO being the scapegoat.
While “accepting risk” is already happening, the latest answer to risk, cyber insurance, isn’t nearly enough. The next step in our evolution is to continue the fraud parallel and learn to quantify cause and effect: to build security analytics models, like fraud models, with inputs and outputs that actually drive whether a transaction goes through or not.
For a possible view of what this might look like: the FAIR Institute, in my mind, is currently the furthest along in building mindshare behind a quantitative model for security risk. I believe that in the future we will have an integration-centric system that takes the output from models like FAIR’s that measure risk and correlates it to models that accurately measure severity (minor, major, critical). Severity will also be easier to measure because digital transformation tends to reduce layers of complexity (for instance, many orgs standardizing on one public cloud, on SaaS applications, etc.). With this correlation, I believe we’ll be able to see cause and effect more quickly. One day, we’ll be able not only to standardize the security processes and technology that “just work” but also to identify the newest malicious tactics as they are happening.
Tying it all together: I believe digital transformation in business is going to drive financial transformation in security.