man on a tightrope over a cliff
PHOTO: Casey Horner

A client recently asked me why their digital transformation efforts had been missing every delivery target. On paper, they were doing everything right: They worked directly with the people the systems were designed to help. They understood their information. They had even created new digital representations of their old, bulky paper forms. Everything was done according to agile principles, so they could adjust quickly.

Then I talked to the development team.

It seemed that every time they were close to releasing new features, the security group would tack on additional, last-minute requirements. These requirements consumed resources and slowed the entire process down. When the team met the requirements, the security group would introduce new ones. While some of the requirements were straightforward, many were quite involved.

The security team seemed to have lost track of the most important precept: if the business is not successful, they won’t have anything to protect.

Progress vs. Paralysis

Getting businesses to embrace the concept of “better” over “perfect” is a challenge. However, it's the only way to keep moving forward. Whatever you define as "perfect" today may be outdated in a year. A better approach is to take steps forward one at a time, allowing for things to improve without committing to a final destination.

The same concept applies to security. A seasoned security expert will tell you: if a sufficiently motivated and well-resourced adversary wants to get into your systems, there is no set of controls that guarantees they won't. None.

It is simply a matter of time and effort. Their effort may not be adequately rewarded, but given enough of it they will get in eventually. That is why the concept of "perfect" security is a red herring. You can never achieve it, even if the definition of perfect doesn't change. What you can do is raise the attacker's cost and shorten the time it takes you to notice them. This means it is important to keep moving forward, making things more secure over time without slowing down the business.


How Much Security Is Enough?

Every consultant will tell you "it depends." This isn't avoiding the question; it really does depend on what you are protecting.

  • Is it customer contact information?
  • Can payment information be stolen?
  • Is there enough information for a customer's entire identity to be stolen?
  • Are your customers well-off financially, making them juicier targets for attackers?
  • How long do you keep information?

If you can’t answer these questions, security has earned the right to dictate requirements. However, if you can measure the risk a data breach would carry for your customers and the company, you can start with an intelligent security plan.

The obvious starting point is to encrypt everything, at rest and in transit. More importantly, don't store what you don't need: never store passwords themselves (store only a salted, slow password hash, or delegate authentication to an identity provider), and don't store raw payment card data at all (let a payment processor hold it and keep only a token). When extracting data to perform marketing analysis, don't allow extraction of any personally identifiable data or payment information; export only the attributes the analysis needs, with customer identifiers replaced by pseudonyms that cannot be reversed from inside the analytics environment.
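The two data-minimization rules above, as an added example that is not code from the original article: passwords are stored as salted PBKDF2-SHA256 hashes and verified in constant time, and the marketing extract is built from an explicit allow-list of non-identifying fields with the customer ID replaced by a keyed HMAC pseudonym. The customer records and the pseudonymization key are constructed for the example; the iteration count and field list are assumptions to be tuned for your own system.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records; not real customers. Note that card_number is
# present only to show that the extract drops it; in a real system it would
# never be stored at all.
CUSTOMERS = [
    {"id": 1001, "email": "ada@example.com", "phone": "555-0100",
     "card_number": "4111111111111111", "region": "EU", "plan": "pro",
     "signup_year": 2021},
    {"id": 1002, "email": "bob@example.com", "phone": "555-0101",
     "card_number": "5555555555554444", "region": "US", "plan": "free",
     "signup_year": 2023},
]

# Assumed work factor; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: algo$iterations$salt$digest.

    A fresh random salt is generated unless one is supplied (for tests).
    The plaintext password is never stored.
    """
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Allow-list of attributes the marketing analysis is permitted to see.
# Anything not listed (email, phone, card_number, ...) is dropped, so a
# newly added PII column does not leak into the extract by default.
ANALYTICS_FIELDS = ("region", "plan", "signup_year")


def pseudonymize(customer_id: int, key: bytes) -> str:
    """Stable, keyed pseudonym. Without the key (kept out of the analytics
    environment) the original ID cannot be recovered or brute-forced."""
    return hmac.new(key, str(customer_id).encode("utf-8"), "sha256").hexdigest()[:16]


def marketing_extract(customers: list, key: bytes) -> list:
    """Build the rows handed to marketing: pseudonym plus allow-listed fields."""
    return [
        {"subject": pseudonymize(c["id"], key),
         **{f: c[f] for f in ANALYTICS_FIELDS if f in c}}
        for c in customers
    ]


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
    for row in marketing_extract(CUSTOMERS, secrets.token_bytes(32)):
        print(row)
```

The pseudonym is keyed rather than a plain hash of the ID precisely because customer IDs are low-entropy: an unkeyed SHA-256 of a six-digit ID can be reversed by hashing all six-digit numbers. Keeping the key in the system of record, not in the analytics environment, is what makes the extract non-identifying.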

Lock down each individual system so that gaining access to your network doesn't mean access to everything. This may seem obvious, but a default username and password left in place for an application in the development environment often finds its way into production.

If you aren't meeting these reasonable requirements, your security team may have a point. Security questions clearly need more visibility in your everyday work. Nobody wants to end up in the news like Marriott.

So if security starts devising requirements on how to prevent a rogue administrator from stealing or destroying everything, ask what the security team itself is doing:

  • Are they monitoring and analyzing network traffic?
  • What are they doing with all the audit information you are saving (at their request) to find suspicious behavior?
  • Has security shared how each team is addressing these security requirements so the teams can leverage each other’s efforts?
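One concrete answer to the second question, as an added example that is not code from the original article: the audit records the development teams are asked to write can be run through a small detector that flags the rogue-administrator scenario the requirements are meant to prevent. The audit events below are constructed for the example, and the thresholds (distinct customer records read per user per hour, business hours) are assumptions to be tuned per system.

```python
import json
from collections import defaultdict
from datetime import datetime, time

# Assumed tuning values.
BULK_READ_THRESHOLD = 50          # distinct records per user per hour
BUSINESS_HOURS = (time(7, 0), time(19, 0))
SENSITIVE_ACTIONS = {"export", "delete"}


def constructed_audit_log() -> str:
    """Build newline-delimited JSON audit events (constructed, not real)."""
    events = []
    # Ordinary support activity during the day: a handful of reads.
    for i in range(5):
        events.append({"ts": f"2024-03-04T10:{i:02d}:00", "user": "jsmith",
                       "role": "support", "action": "read",
                       "object": f"customer/{1000 + i}"})
    # An admin running a scheduled export during business hours: expected.
    events.append({"ts": "2024-03-04T11:00:00", "user": "ops-admin",
                   "role": "admin", "action": "export",
                   "object": "report/monthly"})
    # The same admin reading 120 distinct customer records at 2am, then
    # exporting the customer table at 3am: the rogue-admin pattern.
    for i in range(120):
        events.append({"ts": f"2024-03-04T02:{i % 60:02d}:{i // 60:02d}",
                       "user": "ops-admin", "role": "admin", "action": "read",
                       "object": f"customer/{2000 + i}"})
    events.append({"ts": "2024-03-04T03:15:00", "user": "ops-admin",
                   "role": "admin", "action": "export",
                   "object": "table/customers"})
    return "\n".join(json.dumps(e) for e in events)


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def in_business_hours(ts: datetime) -> bool:
    return BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]


def find_suspicious(events: list, threshold: int = BULK_READ_THRESHOLD) -> list:
    """Return findings for off-hours admin export/delete and bulk reads."""
    findings = []
    # (user, hour bucket) -> set of distinct objects read in that hour
    reads = defaultdict(set)
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if (e["role"] == "admin" and e["action"] in SENSITIVE_ACTIONS
                and not in_business_hours(ts)):
            findings.append({"rule": "admin_sensitive_action_off_hours",
                             "user": e["user"], "ts": e["ts"],
                             "object": e["object"]})
        if e["action"] == "read":
            bucket = ts.replace(minute=0, second=0, microsecond=0)
            reads[(e["user"], bucket)].add(e["object"])
    for (user, bucket), objects in reads.items():
        if len(objects) >= threshold:
            findings.append({"rule": "bulk_read", "user": user,
                             "ts": bucket.isoformat(), "count": len(objects)})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse_events(constructed_audit_log())):
        print(finding)
```

The point of the detector is not its sophistication but that it consumes the very records the teams are being told to produce. If nothing reads the audit trail, the requirement to write it adds cost without adding protection, which is exactly the question development should put to security.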

Security’s job isn’t just to make sure you build secure content and information management systems. They must contribute to the solutions if they are to add value to the business.


Effective Digital Transformation Creates Security

For any of these new systems to succeed, they have to be easy to use and fit well into the entire process. If a content management tool makes it too hard to add or manage documents, people will save documents locally and share them via email. If they can’t see information about a client in their customer support ticketing system because it is locked in a siloed system, they will make copies of that data and add it to the ticket system after their buddy in sales emails it to them.

How secure is any of that?

Digital transformation efforts focus on user experience. A good user experience improves security by keeping information where it belongs. When people put information in places nobody tracks, security becomes a major problem. While security cannot be ignored, the headlines show that security measures must facilitate, not impede, the user and the improvement of systems.

Otherwise before you know it, someone will misplace a thumb drive that has all of the customer data from the past year.