McKinsey: Cybersecurity – Linchpin of the digital enterprise
Executive summary
Two consistent and related themes in enterprise technology have emerged in recent years, both involving rapid and dramatic change. One is the rise of the digital enterprise across sectors and internationally. The second is the need for IT to react quickly and develop innovations aggressively to meet the enterprise’s digital aspirations. Exhibit 1 presents a “digitisation index”—the results of research on the progress of enterprise digitisation within companies, encompassing sectors, assets, and operations.
As IT organisations seek to digitise, however, many face significant cybersecurity challenges. At company after company, fundamental tensions arise between the business’s need to digitise and the cybersecurity team’s responsibility to protect the organisation, its employees, and its customers within existing cyber operating models and practices.
If cybersecurity teams are to avoid becoming barriers to digitisation and instead become its enablers, they must transform their capabilities along three dimensions. They must improve risk management, applying quantitative risk analytics. They must build cybersecurity directly into businesses’ value chains. And they must support the next generation of enterprise-technology platforms, which include innovations like agile development, robotics, and cloud-based operating models.
Cybersecurity’s role in digitisation
Every aspect of the digital enterprise has important cybersecurity implications. Here are just a few examples. As companies seek to create more digital customer experiences, they need to determine how to align their teams that manage fraud prevention, security, and product development so they can design controls, such as authentication, and create experiences that are both convenient and secure. As companies adopt massive data analytics, they must determine how to identify risks created by data sets that integrate many types of incredibly sensitive customer information. They must also incorporate security controls into analytics solutions that may not use a formal software-development methodology. As companies apply robotic process automation (RPA), they must manage bot credentials effectively and make sure that “boundary cases”— cases with unexpected or unusual factors, or inputs that are outside normal limits—do not introduce security risks.
Likewise, as companies build application programming interfaces (APIs) for external customers, they must determine how to identify vulnerabilities created by interactions between many APIs and services, and they must build and enforce standards for appropriate developer access. They must continue to maintain rigour in application security as they transition from waterfall to agile application development.
Challenges with existing cybersecurity models
At most companies, chief information officers (CIOs), chief information-security officers (CISOs), and their teams have sought to establish cybersecurity as an enterprise-grade service. What does that mean? They have consolidated cybersecurity-related activities into one or a few organisations. They have tried to identify risks and compare them to enterprise-wide risk appetites to understand gaps and make better decisions about closing them. They have created enterprise-wide policies and supported them with standards. They have established governance as a counterweight to the tendency of development teams to prioritise time to market and cost over risk and security. They have built security service offerings that require development teams to create a ticket requesting service from a central group before they can get a vulnerability scan or a penetration test.
See the full report for more…