Transforming Digital Transformation
Posted by: Romke de Haan
Throughout my 25-year career I have worked on several large digital transformation projects, including helping rebuild e-commerce platforms for large retailers and working with government agencies to digitize their paper-based processes. These projects are massive and involve many departments, consultants, and software vendors. It takes careful planning and proper management to ensure that all of the pieces are stable and address the user and business needs.
In many of these cases security became a second-level citizen within the overall roadmap. We were primarily focused on solving the problem and then looked for ways to provide security.
Since my time with GuidePoint I’ve really embraced a Security First methodology. Part of this has been because cloud is maturing and providing strong frameworks to allow organizations to embrace secure methodologies. In a post from 2017, CIO Insight reported that 69% of digital transformation and innovation projects were forcing major changes to their security model.
How does innovation impact security models?
Four years ago I was working with a large national retailer that stated “Innovation dies here.” After being around for over 100 years, organizational debt was a major contributor to the roadblocks impacting innovation within the company. When new players such as Amazon entered into and transformed the marketplace, this retailer felt the burn much like everyone else in the industry. This prompted the CEO of this company to mandate that every business unit define and embed innovation into the DNA of their organization. This challenged the organization at its core. They began to question every aspect of their delivery model and tried to define how they would not only catch up but also stay ahead of the falling market.
In the office of the CIO, one of the ideas was to abstract their external core functions into APIs. This strategy allowed the organization to build and test various engagement strategies with customers without disrupting the organization’s overall infrastructure. They had now designed a competitive strategy that removed friction and increased market validation.
The transformation efforts carried out by this company had a successful impact on the company’s bottom line. However, what the organization did not account for was how the digital innovation efforts would impact their proven and matured information security program. Years after the success of their innovative transformation, one of their new initiatives suffered a public data breach.
Where to start?
How do we ensure that the pathway to innovation does not impact security, while at the same time ensuring that security does not hinder innovation? Identifying the starting point is always the most challenging step in beginning any digital transformation effort. Based on our experiences, we wanted to provide you with a few steps to start thinking about Security First within digital transformation in the cloud.
Allow your employees to play in secure sandboxes
Testing and validating ideas is critical to maintaining a competitive organization. In many legacy enterprises, teams are not allowed to use corporate resources for fear of breaking privacy or policy regulations, which the organization has every right to fear. A way to satisfy both requirements is to allow tiers of sandboxes in which teams can test and run ideas. For example, cloud.gov allows any government employee to use a secure PaaS infrastructure that is managed and cleansed every 90 days. This is perfect for a team to test and validate an idea quickly in order to see the impact and be able to take the concept to stakeholders.
Your organization could establish a secure sandbox policy allowing teams to spin up various tools and services needed to test and validate ideas.
Create an API strategy
The power behind the cloud is not just its elastic nature but the API framework provided to manage and deploy your infrastructure. Converting some of your internal services to APIs can provide more resiliency and give your teams better access. This also gives you a way to manage and expose endpoints that can be securely monitored. This will allow you to quickly take new services to market while establishing proper security controls like API key access and key management. A mature API strategy will allow you to control the data that is exposed publicly.
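As an added illustration of the three controls this paragraph names (API key access, key management, and controlling what data leaves the API boundary), the sketch below is example code written for this page, not code from the original post or from GuidePoint. The key ids, key values and order record are constructed sample data; the server stores only hashes of issued keys, enforces an expiry so rotated keys stop working, records every decision for monitoring, and returns only an allow-listed subset of the internal record.

```python
import hashlib
import hmac
import time

def _h(secret: str) -> str:
    """Hash an API key so the store never holds plaintext credentials."""
    return hashlib.sha256(secret.encode()).hexdigest()

# Constructed sample key store (not real credentials). Each issued key is kept
# as a SHA-256 hash with an expiry, so key rotation is enforced server-side.
KEY_STORE = {
    "partner-a": {"hash": _h("example-key-a"), "expires": time.time() + 3600},
    "partner-b": {"hash": _h("example-key-b"), "expires": time.time() - 1},  # rotated out
}

# Only these fields of an internal order record may be exposed publicly.
PUBLIC_FIELDS = {"order_id", "status", "ship_date"}

# Every access decision is recorded; in practice this feeds your monitoring.
AUDIT_LOG = []

def authenticate(key_id: str, presented: str, now=None) -> bool:
    """Validate a presented key against the store in constant time."""
    now = time.time() if now is None else now
    record = KEY_STORE.get(key_id)
    # Always hash and compare, even for unknown key ids, so response timing
    # does not reveal which key ids exist.
    expected = record["hash"] if record else _h("")
    ok = hmac.compare_digest(expected, _h(presented))
    if record is None or now > record["expires"]:
        ok = False
    AUDIT_LOG.append({"ts": now, "key_id": key_id, "allowed": ok})
    return ok

def handle_order_lookup(key_id: str, presented: str, internal_record: dict) -> dict:
    """Public endpoint: authenticate, then expose only allow-listed fields."""
    if not authenticate(key_id, presented):
        return {"error": "unauthorized"}
    return {k: v for k, v in internal_record.items() if k in PUBLIC_FIELDS}
```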
Create a secure CI/CD pipeline
Having a strong and secured development environment for your teams can help identify security vulnerabilities earlier in the application’s lifecycle. There is a slew of third-party security tools providing solutions ranging from pre-hardened AMIs to code analysis performed during the build process. When creating greenfield applications or modifying brownfield ones, pipelines are a critical piece of streamlining the process.
Implement a DevOps practice
DevOps not only helps create a robust Infrastructure-as-Code model but also helps you keep an active pulse on your organization’s roadmap. In your DevOps practice you can actively monitor and promote new and updated applications. Keeping a collaborative and open environment will help keep the lines of communication open for any challenge your team may have. This will ensure security is always an active part of the conversation.
In Summary
Innovation and Digital Transformation are key factors in staying competitive in today’s marketplace. We hope that some of these stories and tips will challenge your organization to start on a Security First methodology when starting on your digital transformation journey. If you have any questions or comments, hit me up on Twitter @romke.
About GuidePoint Security
GuidePoint Security LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.
Contributing Author
Romke de Haan, Principal Consultant, GuidePoint Security
Romke E. De Haan is an innovative and results-oriented technology leader and executive with over 20 years of experience managing digital experiences for some of the world’s largest brands, organizations, and startups. He is a thought leader and top digital strategist with strong expertise in the area of IT modernization. His divergent thinking ability and holistic approach to management and problem-solving make him an asset to organizations seeking leaders who can level-up technology operations and provide a competitive edge.
Romke de Haan
Romke de Haan has over 22 years of experience as a technical & business leader and technology strategist. Romke has worked with commercial corporations such as Microsoft, Razorfish, & Kohl’s as well as federal agencies including the General Services Administration, Environmental Protection Agency, and Transportation Security Administration.
Romke has provided technology leadership in digital transformation and innovation through the design of data driven and UI-focused systems hosted both in the cloud and on-premise. In working with federal agencies such as the TSA, Romke helped lead cloud migration initiatives by transforming organizational practices from siloed structures and waterfall methodologies to Agile delivery methods such as DevSecOps through CI/CD pipelines.
Romke’s skillset not only includes technology but also UI design and business strategy, allowing him to better align digital transformation initiatives with the needs of the business. Romke has served in various roles including application architect, developer, mentor to startups across the US and South America, and civic initiatives such as being a founding member of Milwaukee’s Code for America chapter.