Digital transformation is the process of turning paper-based processes into digital ones or even completely eliminating unnecessary steps via automation. Digital transformation is innovation, but not the “flying cars”, “trips to Mars”, “brain-computer-interface” type of innovation. It’s a mundane, often boring organizational innovation that has very little technical complexity and a much higher human-and-process complexity.
Long-tail digital transformation is the painful transition from notebooks to computers with the help of semi-literate consultants. You don’t hire people with PhDs from MIT to move your procurement documents to cloud storage. You don’t hire the best software engineers to integrate a CRM in place of a notebook-with-contacts. You don’t need superstars to have a website that accepts orders and allows them to be tracked.
But digital transformation is happening too fast. Companies want things done now. The not-superstar-consultants can’t always deliver secure systems, as it’s not something they specialize in. And because of the speed, we, technical companies, haven’t yet created the perfect software to allow non-technical people to just do their digital transformation in a predictable, scalable and secure way. Instead, technical companies sell developer-hours to complete digital transformation projects which involve stitching together a patchwork of solutions and libraries that can barely work without technical supervision. And maybe creating the perfect software platform for digital transformation is not even theoretically possible.
Either way, we are stuck in the reality of too many companies and governments needing their processes rapidly upgraded to the 21st century where the focus is efficiency, scale, and cost. Projects involve a lot of coding, meetings, trainings and hardware. And you rightly noticed that there’s no “security” on that list.
That’s because security is mainly an afterthought in digital transformation projects. The primary goal is getting the business processes right, getting the reports right and getting staff trained to use the software. Security concerns only slow these projects down. And that’s not wrong, of course. But it leaves thousands of systems vulnerable to all sorts of security issues. And even if a system gets delivered as “mostly secure”, it gradually becomes less secure, because security is a process rather than a one-time effort. And digital transformation projects are usually scoped as one-time efforts.
Digital transformation is happening too fast for companies to have developed an understanding of the importance of information security and to be aware of the associated risks. IT companies are constantly understaffed, IT personnel are rarely security-trained, and non-IT companies often have very little focus on IT. The IT department is the one that fixes printers and installs Windows, rather than caring for the overall health of the IT systems – that is outsourced, if done at all.
At the same time, information security vendors haven’t caught up with the complexity of digital transformation projects – solutions are either too narrow or in turn require a separate, costly digital transformation project. There are practically no plug-and-play information security solutions apart from antivirus software, which by itself covers only a few of the risks. And nextgen firewalls, nextgen antivirus, SIEMs and automated vulnerability scanners don’t “just work” without supervision. We have done our best to build our secure audit trail solution as a drop-in solution that protects the integrity of data, but no matter how flexible and powerful the tool is, it does require a fair amount of expertise in deploying and configuring before you can leave it to business stakeholders alone.
That’s not necessarily all bad – it’s the product of rapid organizational evolution and even though it’s patchy, it somehow manages to keep businesses running, even with an increasingly high risk to their digital assets. The next steps in digital transformation are likely to include information security as an integral part, once we realize that the risks of having security as an afterthought are too high. And they certainly involve having strong IT teams even in non-technical organizations – teams that can navigate the complex landscape of tools and their configurations.
Bozhidar Bozhanov is a senior software engineer and solution architect with 15 years of experience in the software industry. Bozhidar has been a speaker at numerous conferences and is among the popular bloggers and influencers in the technical field. He’s also a former government advisor on e-government, transparency, and information security.