For most of us, digital transformation has long been little more than marketing jargon. We’re so used to hearing the term thrown around, and yet there’s been no meaningful change implemented at the large majority of organisations. But this will change in the return to normality as businesses across every industry take stock of lessons learned and act to limit any potential disruption.
Business agility will be mission critical in the post-Covid reality, and this will involve businesses kickstarting a journey of transformation – every department will need to be on board if this change is to ushered in effectively. But the reality is far from harmonious, with IDC research revealing that the large majority of UK businesses operate in siloes. Perceptions of security teams as a ‘blocker of innovation, a compliance hurdle, or a necessary cost’ were noted by over a third (36 per cent) of management teams. Taking last year’s data into account, this does appear to be a downward trend, but there’s no denying that the security brand reputation has a knock-on effect to operations – over half of businesses (58 per cent) fail to include the security department into the opening stages of new business projects.
So, what will it take for security teams to shift their ‘business blocker’ reputation?
Think about the long-term
Taking risks is a key part of running a successful business, and many leaders will take a ‘without risk, there is no reward’ approach to business transformation. This makes it hard to push security teams as enablers of digital transformation given the traditional security mindset of ‘block all risk’ – the unfortunate reality is that in the majority of UK organisations, security teams are unable to demonstrate their business value beyond the deployment of technology and threat mitigation.
Today’s businesses operate on a global level, engaging with businesses across the globe and using countless different technology solutions. While these tools are typically designed to boost productivity, they can easily have the reverse effect as a result of platform proliferation and the maintenance burden that comes with poorly deployed technologies. To make things even more complex, the security habits of the large majority of UK workers remain questionable even amid a rising number of data breaches, with password reuse commonplace across different platforms and workers falling prey to phishing attacks. As a result, security teams are having to focus on everyday firefighting rather than the long-term optimisation projects which will give them a seat at the table of business transformation.
To shift the perception of security teams as business blockers, they must be proactive in demonstrating their impact – but how can this be achieved?
A focus on risk management
A good place to start would be to focus on the areas seen as adding the most value by board members. IDC research shows that almost half of UK enterprises (42 per cent) see risk management as the key value from security teams, and harnessing identity and access management (IAM) provides teams with key opportunities to prove themselves in this area.
There are various tools available to make the IAM experience as seamless as possible for users. Having a tightly-knit security environment is essential and involves a combination of multiple elements – key components include single sign on (SSO) capabilities, multifactor authentication (MFA), enterprise password managers (EPM), as well as management dashboards. Together, these tools help to limit the potential knock-on effects of poor security awareness and reduce risk at a general level by minimising the impact of insider threats.
That being said, the deployment of disparate tools can be counterproductive and add to the complexity when done badly. Security teams are already struggling under the burden of managing conflicting technology environments, and so these tools need to be implemented intuitively if they are to provide the most business value.
Curing platform proliferation
There are clear opportunities to deliver this transformation through the adoption of a unified security approach. By this, we mean the integration, rationalisation and centralisation of security environments into a holistic ecosystem. Adopting such an approach can help improve the operator experience and make things simpler for the teams charged with maintenance – while also providing a cure to the headaches caused by platform proliferation.
Not only this, but a unified security approach is a key enabler in helping security leaders engage at the board level by delivering cost transformation. An integrated security environment will serve to streamline operations for security teams, allowing staff to focus on higher value tasks while automating repetitive processes. In business terms, this means clawing back up to 155 days’ worth of effort for the average UK security team. Clearly, cost reduction and operational efficiencies are central to demonstrating business impact, but they should be viewed as a starting point rather than a security teams’ entire value proposition.
Resonating with the board
Adopting a best-of-breed approach to identity offers countless benefits for businesses as a result of more effective risk management and improved cost efficiencies. In addition, this provides ample opportunity for teams to prove their value. It’s up to security leaders to engage with the board to ensure general awareness of these approaches at the necessary levels.
This means using the appropriate language, refraining from focussing too much on technical KPIs such as the volume of data transported or the number of systems with known vulnerabilities. Instead, they should adopt KPIs which relate to business outcomes in order to measure their impact and resonate the most at the board level – think risk mitigation, cost reduction and workforce utilisation.
As businesses begin to reopen their doors, it will be crucial for senior management to ensure mistakes are not repeated in the event of any future crises. Above all, business agility will be crucial to limit disruption, maintain continuity and accelerate growth in a fragile landscape – and this means delivering on the promises of digital transformation.
For security leaders, this means taking steps to change the perception of their teams by demonstrating how they can usher in change and innovation. Educating employees around security awareness will be an important first step if they are to distance themselves from everyday firefighting activities. Ultimately, security teams will need to have the necessary credibility among the board if they are to earn their seat at the table on new business projects, and this will mean speaking their language.
Barry McMahon, Senior Manager of Identity and Access Management, LastPass