CIONET Trailblazer: The Risks of Digital Transformation

Published by Charlotte Coen
April 27, 2023 @ 2:59 PM
CIONET's Trailblazer series features interviews with prominent digital executives among CIONET's members and partners, offering invaluable insights into their vision and thought process on pressing ICT topics. In this episode, Johan Van Looy, CEO of INNOCOM, shares his expertise on the importance of cybersecurity in digital transformation.

 

What specific security risks or challenges do you see as the major threats to successful digital transformation?
 
When shaping a digital transformation strategy, companies focus primarily on creating value. However, in this thought process, you should already consider how that value creation can be threatened and how you can protect yourself against it. After all, this will have a major impact on the choices you will make afterwards to support your strategy.

Moreover, the playing field of cyber criminals is very large and they are often very creative in finding weaknesses. Sometimes there are even full professional business models behind it. So you have to make sure that you close all doors: the digital, physical and human aspects.
 
Senior IT leaders are indeed confronted with growing concerns and challenges in properly assessing the cyber risks that digital transformation faces.
 
This includes, but is not limited to, the early identification of the potential threats to value creation, the identification of existing and new security controls required to protect it, but also the response to those threats, as well as the correct choices concerning the roles, responsibilities and skills required to support your strategy.
 
To support this thought process, senior IT professionals with relevant experience and skills are required. There is a scarcity of qualified people to effectively manage and mitigate security risks. Companies should consider these factors when formulating a comprehensive digital transformation strategy, represented by their operating model design and sourcing choices.

Cyberattacks such as ransomware, malware, phishing, and social engineering can cause significant damage to a company's digital infrastructure and reputation. These attacks can lead to the loss of sensitive data, financial losses, and operational disruptions.
 
Moreover, with the increasing amount of personal data being collected, compliance with relevant privacy laws (e.g., GDPR) must be ensured.
 
Digital transformation often involves steering away from legacy systems and integrating different or new applications, which can create vulnerabilities if processes are insufficiently safeguarded.

How does your company identify potential security risks and vulnerabilities – preferably at an early stage – in the strategic change process of its customers?
 

We notice that many companies still struggle to identify and assess security risks during digital transformations. We support clients more and more in adapting their operating models to ensure security is sufficiently embedded in all phases of the changes.

Many companies have moved towards an agile way of working, which raises questions about how security and cyber risks are addressed. Senior IT leaders are struggling to implement principles like “Shift Left” and “Secure by Design” into their operating models.

We also put a lot of emphasis on the importance of the practice of “Threat Modelling”, i.e. identifying which threats should be assessed and understood. This is also critical to understanding which security controls should be taken into account during the digital transformation.

To help clients embed security into their agile processes, we support clients in setting up Agile Security Architecture capabilities. This involves assessing security risks, requirements, and considerations early enough in the development of new products and services. It also ensures that security is integrated throughout the agile way of working.

How does your company ensure that the right security measures are then integrated into the digital transformation initiatives?
 
“INNOCOM is the Belgian reference in the field of Enterprise Architecture. Our speciality is precisely this: translating the strategy into certain choices in terms of setup and the right roadmaps to be able to implement those choices. As cybersecurity needs to be integrated as early as possible in the design phase and be as broadly supported as possible: it's an inherent part of what we do.”
 
So yes, we start from our accumulated experience in the field of enterprise architecture and digital transformation journeys, which in itself unravels many dimensions of an organisation (e.g. business context, business model, organisational structures, core and supporting processes, information models, data and technology systems, technical infrastructure, …). A typical start is to perform a security capability assessment.
 
From there we can also evaluate the extent to which an organisation can safely perform that digital transformation (its strengths, weaknesses and opportunities for improvement).
 
Next to that, we always focus on the importance of training and developing foundational cyber skills and knowledge for all employees who need to make crucial decisions around cyber risks and regularly assess threats.
 
Through tailored In-Company Foundational Cyber Training, we provide growth paths for people who have limited cybersecurity backgrounds but require cyber skills and knowledge to answer complex questions relevant to their day-to-day work. This includes solution architects, project managers, and enterprise architects. Through this training, we offer coaching and support around cyber-specific knowledge that can be used within their daily responsibilities.
 
Thus, our approach is tailored to each client's unique needs, ensuring that proactive security measures are embedded throughout their digital transformation initiatives and that their employees have the necessary skills and knowledge to identify and address cyber risks.
 
How do you ensure that all stakeholders, throughout the whole organisation, understand the importance of including security early in the strategic change process?
 
We cannot emphasise enough the importance of “broad support” early in the strategic change process, as one of the main differentiators for a successful digital transformation implementation.
 
We aim to focus on:
  • The company culture, starting with coaching and customised leadership training, to enhance their skills, knowledge and abilities.
  • Defining a clear security strategy, allowing the whole organisation to focus on the right security processes and requirements, always keeping in mind the business objectives.
  • Organising general interactive security awareness sessions which aim to focus on roles, responsibilities and associated tasks for everyone involved.
  • Organising in-depth focused sessions for prioritised items on the security strategy roadmap (e.g. capability mappings, agile security workshops, …). This can be extended by providing masterclasses.
  • Reporting and following up on a limited but right set of security metrics, mapped to the overall business objectives.
A top-down approach can be used to build a security-aware organisation driven by risk optimisation while maximising business value. It is best combined with a bottom-up approach. This enables the prioritisation of security projects that have been identified as part of the architecture assessment.
 
Can you provide examples of successful outcomes achieved for clients through the implementation of proactive security measures in the context of digital transformation initiatives?
 
We are helping several customers with their security challenges. One specific case which I want to share here is our strategic support for the Cyber Command of the Belgian Defence. This is in the context of the “ESI” (Essential Security Interests) mission, which is linked to the Defence F35 programme, provided by Lockheed Martin.
 
As part of this ESI mission, we are now designing a “SOC2SIC” Architecture, paving the road to evolve from a Security Operations Center (“SOC”) to a Security Intelligence Center (“SIC”) to support the longer-term ambitions of the Cyber Command. Belgian Defence needs to adapt and adopt an intelligence-driven defence model allowing them to act earlier during (or even before) an attack. This is achieved through the integration of actionable intelligence into the Security Operations environment as well as increasing collaboration and knowledge sharing.
 
Our architecture will optimise and integrate the exchange of information from the various systems that the Defence organisation uses. We also work out the required governance model and translate all this into a comprehensive roadmap.
 
Posted in: CIONET Belgium