Based on our research, a large majority of enterprises admitted that their digital transformation efforts frequently traded security for a streamlined experience and quick time-to-market. But behind this choice made at the altar of velocity lies a hidden truth about digital transformation – no matter how carefully projects are executed, delivering a better user experience almost always results in greater digital risk for the enterprise.
Digital Transformation versus Cybersecurity
A recent study we conducted with Frost & Sullivan unsurprisingly revealed that the fastest-growing enterprises have fully embraced digital transformation and are succeeding, relative to their peers, at delivering satisfying experiences to users in the cloud, on the web, and on mobile or IoT endpoints. But this success has come at a price. More than two-thirds of respondents from these organizations admitted that the unrelenting pressure to release new apps or app updates quickly had negatively impacted quality and security.
In addition, among the most advanced companies – digital disrupters heavily invested in modern architectural patterns such as APIs, microservices and containers – almost 90% reported trouble securing these newer technologies. Clearly, businesses are aware that a serious problem exists, and most are struggling with it.
IT-Driven Cybersecurity Solutions are Band-Aids
Since the advent of digital transformation, the most common response to this challenge has been to delegate it to technology practitioners, which seems obvious, since these professionals tend to be subject matter experts on cybersecurity solutions.
The problem is that in the current era, where “every business is digital”, C-level and other business executives still delegate the entire challenge of cybersecurity, seeing it as a “technology problem” rather than as a critical business imperative. Our study found that very few business executives – only 16 percent – even considered security one of their main challenges. Even more surprisingly, among IT professionals, only a third listed cybersecurity as one of their top 3 challenges.
Our conclusion is that security is most often viewed within the enterprise as “someone else’s problem”, to be solved via tactics and point solutions rather than as a business strategy. But as we navigate an era where a single breach or incident can result in massive liabilities, multibillion-dollar fines, new government regulations, and material impacts on a company’s value, this thinking must change.
The Better the Experience, the Greater the Risk
One of the most compelling reasons that key executives must be involved in cybersecurity decision-making lies in this paradox – delivering a better digital experience in terms of convenience, reduced friction, and customer satisfaction almost always leads to substantially increased exposure to digital risk. This is because current products and services tend to require the collection, storage and processing of vast amounts of sensitive, private information – PII, locations, conversations, behavior, preferences, transactions, financial, and health information. Against this backdrop, brand reputation, consumer trust, and regulatory compliance today depend largely on how well an enterprise can maintain custody of this data once collected. Breaking this down further, executives must consider and balance this paradox from several different perspectives:
More Data, More Risk
Personal information is often the key to delivering compelling, convenient digital experiences. But individual data elements are also liabilities for as long as they are held, with potential reputational, financial, and legal costs should the enterprise ever lose control of them. Failure to consider these costs strategically can amplify security incidents, as was the case in the recent Capital One data breach, which was made far worse due to the likely-unnecessary storage of seventeen years’ worth of credit applications in a live production system.
More Partners, More Risk
Once data is collected, the “magical experiences” that today’s users demand often require additional processing or supplementary services beyond the ability of any one enterprise to deliver on its own. Examples are everywhere, from mapping and social network integration to outsourced natural language processing, fulfillment, and delivery. Yet every partner that must be integrated to deliver a digital experience substantially increases the cybersecurity threat perimeter for the originating enterprise – and business executives need to be aware of this as another potential liability to be factored into their decision-making.
More Scalability, More Risk
Every enterprise is in the cloud today, and for good reason – the cost-effectiveness, agility, and scalability afforded by today’s infrastructure options are unbeatable. But migrating storage and processing to the cloud often increases operational complexity – and thus data risk – in unexpected ways. In their rush to reduce costs and overhead, many executives fail to appropriately budget and account for increased liability in domains such as privileged access. When business executives choose to collect highly personal information to deliver a digital experience, it is vital that they work with technology practitioners to fully consider the entire lifecycle of that data – no matter where it is stored, processed or transferred.
A New Hope: Consistent Security Across the Digital Experience Lifecycle
To tackle these problems successfully, C-suite and business executives should elevate cybersecurity concerns to the same strategic level as their customer experience – considering both sides equally as they work through the infrastructure and processes needed to deliver a desired digital product or service throughout its design, development, and operation.
Our team models this pipeline as an eight-stage Digital Experience Lifecycle, through which all digital experiences must continuously flow as they are created and iterated.
It’s essential for executives seeking to build trust and reduce risk in their digital transformation efforts to carefully consider cybersecurity and privacy throughout the digital experience lifecycle. Questions such as “do we really need to collect this particular data from customers?”, “how long should we keep it?”, and “who should be able to access this and how?” should be continuously asked – not just by IT practitioners, but by business executives whose P&L could be drastically affected by the answers.
At Broadcom, we believe that the best technology approach for large, complex enterprises is to seek or build an enterprise-wide platform specifically designed to protect data within the context of the entire digital experience lifecycle, rather than leaving it to IT to tackle individual challenges in separate silos such as identity, authentication, privileged access, and API security. We call this building a new architecture of trust, and I invite you to learn more about it in our short solution brief and two-minute video.