18th annual e-Crime & Cybersecurity Congress
3rd & 4th March 2020 • London, UK
How digital transformation is merging cybersecurity, privacy, compliance and fraud
Digital transformation (DX) is upending companies' treatment of IT, security and information risk.
In the old model, IT is a toolset which provides necessary but non-profitable services. Data is little more than a by-product of that service provision, and cybersecurity is limited to the defence of specific pieces of technology or 'crown jewel' data.
As budgeting and seniority reflect, cybersecurity is not viewed as a strategic imperative, nor is it seen as a major threat to the business. Traditional operational and business risks - such as Brexit, the US-China trade war, and incidents such as the Max 737 crashes - all sit far higher up the priority list than data loss or a DDoS attack.
But that is starting to change. Post-DX, companies interact with their customers and supply chain digitally. It may even be the primary - or at least most profitable - way that they do so.
In this post-DX business, technology and data are no longer discrete tools useful to, but separate from, the business. They are the way the business delivers. Without them, there is no business.
At this point, cybersecurity is not just about a loss of data, and the consequences go beyond a blip in customer confidence, share price and reputation. It finally becomes the major business risk that CISOs and vendors have been warning of.
DX turns cybersecurity into a serious business risk. So what next?
In the post-DX business, old models of security, privacy, fraud and data integrity are untenable.
Cybersecurity has grown up as a piecemeal function, and primarily a technical one. It is often still treated as a matter of managing and monitoring an ever-more-complex stack of solutions, with perhaps a SOC and some SecDevOps thrown in, and with different solutions and procedures put in place to protect specific pieces of technology or data.
Intimately related activities such as fraud detection and prevention, data management, PCI DSS and data privacy are often still siloed away from each other and from security teams.
And from different sides of the spectrum, both the business and security teams have failed to understand - or explicitly rejected - the idea that cybersecurity is just another form of operational risk management, which must be prioritised, analysed and managed like other (often more business-critical) risks.
All of this has to change.
The end of cyber-exceptionalism, the start of cyber-transformation
First, cybersecurity must lose its exceptionalist mindset. Cyber threats are generally not existential. Losses are survivable and risk does not need to be reduced to zero.
Second, cybersecurity needs to be integrated into normal operational risk management and business continuity planning. It needs to operate according to standard risk management practices.
Third, cybersecurity must enable and secure the data centralisation, analytics and visibility required to deliver truly digital services.
And last but not least, in digital companies, cybersecurity must be integrated into the anti-fraud effort; previously, both organisational structure and corporate culture have often meant that these two functions rarely collaborate.
In short, a new level of business orientation and rigour is needed to shape a new era of cybersecurity. And the effects on CISOs, their staff, and the entire function will be profound.
The 18th annual edition of the e-Crime and Cybersecurity Congress will address these and other key issues for its audience of senior information security stakeholders. Featuring strategic guidance, case studies, animated panel discussions and more from the real business leaders in the space, we'll be looking at where cybersecurity is going, and how CISOs can keep up.