At EHJ & SJ Consultancy, we have worked with clients whose Enterprise IT systems span multiple geographies
and consist of privately-owned Data Centres combined with hybrid
Often we are brought in to evaluate and assess these landscapes, determine their security posture and highlight
the risks present within them. The problem with bringing in a Cyber Security Consultancy at a late stage of any
transformation is that, by then, security has usually been built into neither the environment nor the organisation's
own practices for securing the new landscape.
Being digital-ready and innovative is now increasingly important given the current COVID-19 (coronavirus) situation.
The term ‘business as usual’ will have to adapt to a new age in which a return to normality will never look quite
as it did before. The evidence for this is the sharp increase in remote working and the need to access applications
and systems remotely. This inevitably places a huge strain on the availability of these systems and on the need to
secure them, to prevent data breaches and to stop an organisation's IT infrastructure from being exposed to new
attack vectors. Previously, companies operated with limited external access to their IT infrastructure and allowed
a minority of remote users access via a company-built laptop and a corporate VPN connection. The challenge now is
that everyone has to migrate to this approach, so VPN servers, bandwidth and the overall security of home users’
networks become a potential area for attackers to manipulate and
Another change brought about by the current lockdown is that consumers are increasingly turning to the internet
and spending more on e-commerce sites. This raises issues around the handling of payment card information, which
requires compliance with PCI DSS v3.2.1, and it attracts malicious actors who will look to exploit vulnerabilities
in the application. Where internet traffic to a particular site increases, attackers are drawn to the crowd looking
for ways to exploit the situation, so organisations need both to be aware of this and to ensure their public-facing
applications are as secure as possible.
With these changes in mind, the process of undertaking a digital transformation now faces a new set of security
challenges that were not previously considered. In summary, these challenges are:
- Remote working makes it harder to get technical users to agree and work cohesively on a project
- The difficulty of engaging security SMEs at the start of a transformation project is likely to increase with remote working, due to communication breakdown and a tendency to work in isolation
- Cloud infrastructure is now accessed from many endpoints and home networks rather than from a central corporate location, making it harder to distinguish and trace malicious traffic
- Lack of early engagement and of defined security requirements means digital transformation projects often neither meet compliance needs nor are deployed to a satisfactory security baseline
- Designing a cloud-first approach without first undertaking a risk assessment of the potential risks
- Lack of security governance to adopt within a transformation programme
- Unknown migration patterns, whereby business applications have not been identified and checked for migration. This often leads to last-minute adjustments in a transformation programme and corners being cut on security assurance
Whilst these challenges are common observations from working with current and previous clients, they usually arise
from a lack of engagement with a security-based SME.
There are of course other problems when undergoing a digital transformation, and these have long been known
as common issues many businesses face:
- Security is never easy and requires time and effort to implement, so it is often left out or ignored: the path of least resistance
- Justifications for additional spend don’t always support a business case. Security is about prevention and is not a guarantee that a breach or malware attack won’t happen
- Appointing the right individuals with the required skills is difficult given the short timeframes over which transformation programmes run
- Cloud security changes daily, as does the threat surface, making it difficult to settle on a viable solution. Again, security is never easy!
All is not lost!
Performing or undergoing a transformation programme is not a lost cause when it comes to addressing the security gaps
mentioned. A few measures within an organisation can have a significant impact, and this starts at the top!
Support at the Board Level
Security in any transformation programme is most often implemented successfully when an organisation's C-level board
‘buys into’ security as a need for the organisation. Here at EHJ & SJ Consultancy, whilst we remain a technical
consultancy, we also support the strategic side of cybersecurity and have had success in providing oversight and
advising CISOs, CTOs, CFOs and COOs on the need to build security into a transformation programme so that it delivers
a ‘value add’. This has led to budgets being allocated for specialist resources, or to investment in small changes
within the deployment process, e.g. introducing security tooling into the deployment pipeline.
Security is never easy?
Whilst security is admittedly a difficult area to tackle given the constraints it places on IT delivery teams, it is
there to ensure governance is implemented and to safeguard the resulting delivery from being targeted by malicious
threat actors. The key to overcoming this obstacle is to engage the relevant security SMEs at an early stage of a
digital transformation. By introducing security at the outset of a programme, secure-by-design principles and security
governance become less of a barrier and more of an enabler, leaving the programme freer to innovate.
Our team of security architects have been fortunate enough to assist clients undergoing such transformations and to
influence our clients’ perception of introducing security at the earliest possible stage. This by far has the greatest
impact, both in evolving the cultural perception of security and in ensuring that enterprise systems are secured in
accordance with a governance model to achieve a secure-by-design system. We believe in providing not only technically
experienced security architects but individuals who champion security, manage stakeholders appropriately and spread the
message of securing your designs and deployments.
Utilising the right skills to address security in a Digital Transformation
Whilst transformation programmes can last anywhere from a short timeframe to several years, obtaining the right skillsets
is often difficult, since the requirement is for specific security architecture skills combined with knowledge of
migration programmes that span multiple functional disciplines. This is where a security-based consultancy can be used
to take a high-level view of a transformation programme and coordinate the security steps required to secure the
end product, for example securing the migration of IT assets into a new environment that is typically a mix of cloud and on-premises.
An additional benefit of using a cyber security consultancy is the ability to plug the skills gap: consultants can be
brought in for short or long durations whilst providing up-to-date advice and guidance on securing your environments and deployment processes.
Cloud Security Changes Daily!
Whilst embedding security into the design and deployment process of any digital transformation is an absolute must, the key
output is to ensure that the new world also supports operational security. In the cloud there are many options for which
security solutions should be in place to continuously monitor your cloud infrastructure for potential malicious activity or
attacks and to fulfil security compliance requirements. A security architect with cloud expertise can be a major benefit in
establishing a secure baseline that meets the needs of the organisation. This is especially important where an organisation's
information security governance is at varying levels of maturity, since the balance between commercial tools and a mix of
commercial and open-source tooling depends on the maturity of ownership, skillsets and experience within the organisation.
Because cloud environments change daily, with continuous deployments altering both the infrastructure and the application
stack, having the right form of detection, including compliance-checking tools that re-evaluate the environment against the
agreed baseline on every change, is critical for ensuring security in a digital-first world.
Justifying a budget for Security in the World of Digital Transformations?
When businesses transform their IT infrastructure from on-premises to a cloud-first or hybrid cloud model, costs can
escalate, but the intention is to maximise savings through cheaper compute and through scalability and reliability
available at the click of a button. Whilst these benefits can be justified against agreed budgets, requesting
additional funding for security is often seen as adding no value.
If you have concerns about IT security or are currently planning or undergoing a digital transformation, please get in
contact to discuss how we can assist you in resolving any cyber security issues.
We offer free cyber health checks to all new customers, providing an overview of the areas of your business that may
need addressing with security controls.
Please also visit our website to find out more about the services we offer and to discover our range of retainer-based
models for securing our services on a short- to long-term basis.