Organisations consider security one of the greatest challenges in implementing digital transformation. But what happens when business overrides security and severely curbs its sphere of influence?
The digitisation of an enterprise flips the organisation — as well as past IT processes — on its head. A fundamentally new course must be set for business models, organisation and competencies. The thesis of Marcus Beyer, advisory lead for Resilient Workforce at DXC Technology, must hit companies’ security departments like lightning: “A paradigm shift is taking place in the relationship between IT security and business within a digitised company. In the future, IT will no longer tell employees what they are allowed to do and what tools they have to use. Rather, the business will set the tone and demand that IT run suitable implementation and security.”
So, it’s about nothing less than a complete change in the way IT sees itself and sets its priorities.
This paradigm shift will completely change the self-image of both the business and security, but so far, either the message has not been received, or it is simply being ignored. Perhaps companies will also ignore the explosive consequences of not having updated security.
According to the DXC study Digital Agenda 2019, 71 per cent of companies in Germany, Austria and Switzerland carry out digitisation projects, but progress is sluggish. The issue of security is proving to be the biggest obstacle: companies lack, among other things, suitable security strategies and behavioural guidelines for employees.
Stand-alone IT security?
To overcome the security obstacle in digitisation projects, it is advisable to focus on the topic of security, anchor it firmly within the company and, perhaps, rethink it as well. IT security encompasses much more than just securing infrastructure and end devices. In the context of digital transformation, topics such as business continuity and data integrity are becoming increasingly important.
“This is about protecting the company from risks and building the company strategically in such a way that it is resilient and prepared for crises related to the continuation of the business process,” explains Beyer.
Firstly, Beyer recommends separating security from IT. “As a staff unit within the company, information security must be well-networked and operate at eye level with its stakeholders,” says Beyer. “Because business drives digital transformation, information security quickly becomes the recipient of orders. It will receive the order to make the specified requirements secure. It often even loses its veto and right of co-determination, which has so far brought many projects to a standstill. If the security team doesn’t pay attention and take countermeasures, the power and the opportunities to participate are quickly taken away.”
“You can’t be a doubter anymore”
Beyer gives an example from his own experience that clarifies where the paradigm shift is affecting everyday business life: a medium-sized mechanical engineering company had set up a “future workplace” as part of its digital transformation. The team would not accept the project, because the subject of unpatented data affects nearly half of the employees. Management, however, would be surprised that employees could not use the cloud to do this and would ask the information security department to find a solution.
“The business will define which security aspects or projects are to be tackled, and the security team must see how this is achieved. It cannot continue to be a doubter, but must be present and able to execute — to the best of its knowledge and belief — according to the current state of technology, at eye level and with healthy pragmatism. This is the paradigm shift,” states Beyer.