We’ve all heard the buzz word “digital,” and I am often asked
questions about how to analyze and oversee the risks of enterprise-wide digital
transformation. While a possible nuisance to the person asking, my first answer
tends to be a question.

What do you believe it means for your enterprise to become

Only once your company answers that question can the
challenges and risks associated with a well-managed transformation be weighed.
Invariably, the answers to this question are unique and divergent. The answers
also, by necessity, should include insights into these added threads:

  • How do we manage digital transformation risks
    without taking our focus off cybersecurity?
  • What is the role that cybersecurity plays during
    digital transformation?

Cybersecurity and digital transformation are two areas that
are rife with risk, and are shaping challenges around enterprise risk
management (ERM) that are both divergent and orthogonal.

In order to reengineer the enterprise for digital
excellence, cybersecurity risks must be considered hand-in-hand with the risks
inherent in disparate digital infrastructures. Our consumers and stakeholders
expect mobility, with just-in-time, just-in-context service. They also expect
the digital experience to include interaction expected anywhere in the world
the consumer may happen to be located, while at the same time responding
immediately to changes in consumer behaviors.

No pressure, right?

Digital transformation is critical to most enterprises, but
how can the board successfully oversee these the management of these new risks?
First, the board should consider the operational changes that come with digital

Enterprise-Wide Digital Transformation

To achieve the new digital paradigm, enterprises embrace new
technology models to deliver a digital experience for end consumers. These
models often require vast adjustments to the organization, business, and
technology operating models to be successful.

Consider this example. To meet consumer demands for digital
experiences, enterprises are embracing cloud services as a platform to
accelerate delivery of a product or service. This means that there is no physical
data center lurking in a corner of your corporate headquarters where your
technology operations team goes to provision, configure, and adjust wiring and
floor space. There are no blinky-lighted servers on site that developers and
the business historically have monitored.

What does this change bring?

  • Operating model change.
  • Technology model change.
  • New risks.

Continuing with the example, infrastructure-as-a-service
capabilities like the ones offered by Amazon Web Services (AWS), Microsoft
Azure, and Google Cloud Platform provide enterprises a “virtual data center,” an
environment where developers can begin to create code for a new product
immediately. This increases the speed to launching a new digital service.

What happens next? Everything changes again. The company
would now need a development operations (DevOps) team with combined software
development and information technology operations skills to shorten the systems
development life cycle (SDLC)—all while delivering features, fixes, and updates
frequently in close alignment with business objectives.

Where is the segregation of duties? Where is the old SDLC
waterfall process of requirements (design, build, test, then deploy software)
all run by separate teams with a set of controls that source documented

Oh yeah, we don’t do that anymore as a digital organization.

Once an organization begins the process of digital
transformation, the technology operating and control models change, business
objectives have to adjust to consumers’ digital demands, and the roles and
talent requirments needed to function absolutely evolve.

We’ve seen too often that enterprises that rely on digital channels can be interrupted and burdened by cybersecurity missteps. Without an imperative to transform cybersecurity prior to operating the enterprise in a new digital format, disasters are bound to happen. As reported by Bloomberg, one example of many things that can go wrong with the shift to digital operations  was the breach at Uber Technologies. The company was utilizing a private Github repository—a cloud-based development resource—for its code. A careless developer left logon credentials of users open to bad actors, allowing them to access Uber users’ data on AWS.

While this is a fairly simple illustration of the disconnect
between digital transformation and cybersecurity practices, your cybersecurity
program and controls need to evolve to a new method of operating digitally and
provide an appropriate set of controls that enable strong risk management.

Don’t allow your management team to make the mistake of
accelerating digital transformation without first analyzing the readiness of
your company’s cybersecurity program to manage these new digital operating
models and domains.

Sequencing Digital
Change With Digital Cybersecurity

Cybersecurity risks and challenges are omnipresent, and the
risk and threat landscape continue to evolve at the pace of our digital
environments. Making the move to embrace digital operations only expands your company’s
attack surface.

While your company once was operating out of a data center
with its own server hardware, the move to the cloud means that the company’s
data operations may now be functioning in “rented,” multi-platform environments
such as native cloud, software as a service (such as Salesforce Cloud), or
outsourced, provider-managed environments.

One essential question that directors can ask the technology
and security leaders of their companies is, “Have we built new cybersecurity
capabilities to secure our increasing attack surface and the new digital
environments and channels?”

The answer in many cases is that your cybersecurity program has
not transformed digitally and could be unprepared for a new digital paradigm.

The previously effective cybersecurity program you had in
place was not purpose-built to enable a digital transformation. It was instead
built for a world of data-center centricity and simple service offerings
managed from a web application storefront—all solutions that are protected by
on-premise firewalls, endpoint security, denial of service security, content
filtering solutions, and a host of other appliances managed in the company’s data

Therefore, it’s important to consider a risk assessment to
determine the readiness of the company’s cybersecurity program to secure its new
digital domains and environments—on premise and off.

The companies that build a digitally-transformed enterprise
that places the cybersecurity program first, will see greater success in
enterprise digital transformation. They are able to demonstrate to the market
that they are operating with a well-managed risk posture, and are able to move
faster to achieve safe, sound digital success.

Overseeing How the Risk
Is Managed: A Way Forward

Every enterprise believes that they have a winning strategy
to thrive within the new digital market, but the hard truth is that they will
not all be winners. Those that win will have a digitally enabled cybersecurity
threat and risk management platform operating in harmony with their digital
business strategy.

The risks of digital transformation and cybersecurity are
clearly impacted by ensuring the right sequence of digital strategies while
managing the risks during this transition. As board members, it’s our
imperative to ask the questions of enterprise digital readiness for
cybersecurity and having purpose-built cybersecurity for digital environments.

Here are my suggtestions for questions to ask your
management team to determine if the cyber- and enterprise-wide risks of digital
transformation are being properly conceived of and managed:

  1. How are we defining digital transformation for our
    enterprise with regard to the business and technology operating models?
  2. What are the cultural impacts on the personnel
    and teams affected by digital transformation? How are we considering the
    organizational risks as we require new talent and roles to operate digitally
    and manage risk during the transition to digital operations?
  3. Have we performed a risk assessment to determine
    the impact of the changes to the business, technology, and cybersecurity
    operations required to become digital? How is our attack surface expanding with
    the movement to digital operations and how are we managing the risk?
  4. How are we sequencing required changes to
    digital operating models for cybersecurity, technology, and the business?
  5. How are we measuring the effectiveness of our
    cybersecurity program with the transformation to digital? Are we making the
    right investments in cybersecurity to manage digital cyber risk?

Like the nuisance question at the beginning of this
statement, getting the right answers will be the key to sound oversight of a
successful digital transformation program at your company.

Tony Spinelli is CEO and
founder of S7 Advisors LLC, and is a board member of Blue Cross Blue Shield
Association, director of Peapack Gladstone Financial Corp., and board member of
Per Scholas. He previously served as chief information security officer at
Capital One Financial Corp. and has served on the board of advisors for several
organizations, including the National Security Agency, Cisco, Coalfire, and