Exploring the security side of organizational, digital, and data transformation.
There are a surprising number of companies and individuals who make a living off of à la carte security interventions. Some organizations hire them for compliance reasons, others because they are unwilling to invest the resources in a more in-depth process. These interventions are, for the most part, completely ineffective.
I have had the opportunity to watch the ineffective, and sometimes harmful, results when security support is provided à la carte to an organization. Digital-security trainings; audits, assessments, and penetration tests; threat intelligence feeds; and the range of shiny new hardware and software solutions for digital security monitoring and defense are not ineffective by nature. They are made ineffective when they are offered to organizations as one-off, à la carte services.
I have been waiting for a reason to write about this, and Alix Dunn, at the Engine Room, recently wrote an informative article giving her perspective on how organizational, digital, and data transformations are interconnected. It is a concise piece of writing that should be read by anyone who works helping organizations with their technology, and by anyone who wants to get the most out of this article.
When I told Alix how much I appreciated the piece, she asked me how I felt her framework connected to organizational security. My answer is the same answer I give when I am asked why I try to talk organizations out of technology-focused digital security trainings and other à la carte security solutions: building effective and sustainable organizational security requires a fundamental transformation of the organization and its staff.
Alix provided definitions for three concepts of transformation that she sees in her work helping groups use data and technology for social change: organizational transformation, digital transformation, and data transformation. I am going to explore the way that each of these types of transformation impacts organizational security, and why it is important to distinguish between them when building out your own organizational security plans.
“Organisational transformation is a large overhaul in the way that a team works. It is fundamentally about people. Transformation happens when buy-in, strategy, and resources align to trigger big shifts in thinking, planning, and doing.”
Technology alone cannot provide security to an organization. The Chief Information Security Officer (CISO) of any successful corporate information security program will tell you that staff education and behavior change are the cornerstones of organizational security. The primary avenue hackers use to get access to an organization’s networks is tricking staff into letting them in. A staff member will click a suspicious link and enter sensitive information into the counterfeit website that link takes them to, or will click past warnings to allow malicious software to run on their computer. Organizations that have responded appropriately to these threats have invested in organizational transformation that has allowed their people to develop a “culture of security.”
This is also where many well-intentioned security programs fail. User education without organizational transformation often leads to alienation. Amazing tools exist to allow IT departments to easily send high-quality simulated phishing attacks to their staff. If done with staff buy-in, this can build a culture of security where staff have a shared understanding of what they should be suspicious of and how they should respond when they encounter it. Without buy-in, simulation-based security awareness trainings can quickly become shame-based interventions that alienate staff from those who are supposed to protect them. Staff learn to fear and identify the types of emails sent by their IT department instead of building the security awareness that will allow them to think constructively about how social engineers target their technology and data, and how to act appropriately in a given situation.
“Digital transformation is an organisation-wide capacity to use hardware, software, and online infrastructure to successfully streamline operations and grow engagement with new audiences. It is about internal and external communication infrastructure.”
Unlike the other two transformations, digital transformation and digital security transformation are related but differ in their ends. Digital security transformation is an organization-wide capacity to use hardware, software, and online infrastructure in a way that is appropriate to the organization’s threat landscape and workflow.
Often, even when an organization does identify appropriately secure tools and techniques, they do not easily fit its staff’s existing workflows. For newly targeted and high-threat organizations, such as civil society organizations in closing societies, developing the organization-wide capacity required to use ill-fitting tools or techniques for their internal and external communication infrastructure can make communication time-consuming, frustrating, and failure-prone. When this is combined with the capacity required to adopt ill-fitting tools and techniques for securely using the range of other hardware, software, and online infrastructure they require, it can force an organization’s staff into a position where they must choose between protecting themselves, their organization, and those they work with from attack, and accomplishing their goals.
That is not to say that appropriate digital security transformation can’t lead to huge security gains without significant loss of productivity. In fact, by harmonizing digital and digital security transformations, an organization gives its staff an opportunity to build new workflows that have appropriate security incorporated from the start. This also has the perk of not requiring an organization to build buy-in for two separate digital transformation processes. By incorporating security into an existing digital transformation, an organization can gain greater security and increased operational efficiency, outreach, and community engagement without sacrificing either.
“Data transformation is the organisation-wide process of focusing, organizing, and operationalising consistent collection and use of data that can inform action and assess impact. It is about using structured processes to understand your organisation and your cause.”
The absence of data transformation is the cancer of digital security interventions. If data transformation does not take place, then even when everything else goes well, its absence will eventually lead to the decay of any digital security transformation. A well-implemented digital security transformation can allow an organization to develop appropriate controls to protect itself without decreasing its efficacy. But without data transformation there is no way to know whether that is the case, because there is no evidence to track or analyze whether the organization is protecting against the right threats and whether those protections are working.
These days, the digital security space is saturated with threat intelligence services, which aim to allow organizations to understand the threats they need to protect against. Before that it was SIEM (Security Information and Event Management), which aims to let an organization see whether it is being attacked and whether its defenses are working. These are just two types of services that are widely promoted and, when properly utilized, can be valuable tools if incorporated into an organization’s data transformation process. This brings me to why I wrote this piece instead of sending an email directly to Alix.
Why does distinguishing between all of these things matter?
- “Recognizing how these transformations work makes it easier for organisations and funders to be patient, think long-term, and invest in core data and technology capacities.”
- Engaging in digital security transformation without a data transformation will leave an organization with a false sense of security, as it is inadequately equipped to understand its changing threat landscape and to update its security tools and techniques appropriately.
- Focusing on data transformation before digital security transformation can significantly derail the possibility of digital security transformation succeeding. Even the best and most expensive threat intelligence or SIEM service becomes mere cargo-culting if it is not accompanied by a data transformation that makes the information it provides actionable.
Effective and sustainable security requires organizational, digital, and data transformations. Security transformations need to be approached in the same manner as any other capacity-building transformation undertaken by an organization. Luckily, security transformations can, and should, be integrated within these other transformations. By approaching your organizational security in this way, it is possible to develop a foundation and culture of continuous learning and adaptation that will allow your organization to respond appropriately and rapidly to its changing threat landscape.