An Organizational Approach to Cyber Security in Digital Transformation
Digital Transformation forces Companies to radically transform the way they deal with the outside world. Digital and Connected Businesses 4.0 must open their IT systems to achieve interoperability, exchanging information with Customers, Suppliers and Partners. They also have to handle the growing volume of data produced by process digitization and dematerialization.
These challenges demand a new level of corporate IT security, no longer limited to simple intrusion management, protection against computer viruses or backups. Cyber Security must be developed by setting up more complex and sophisticated organizational security strategies.
Proactive and Reactive Strategies
To raise the level of IT security of the Company, we must rely on a programmatic and preventive approach that allows incident management strategies to be planned in advance.
We consider the preliminary assessment of potential risks important; it is carried out through the compilation and constant updating of the Cyber Risk Assessment, which we ascribe to the Proactive actions.
Nevertheless, the Reactive phase, the management of a possible incident, cannot be addressed only after the incident has occurred. We need to evaluate the impact in advance through the compilation and constant updating of the Cyber Emergency Response Plan.
Both documents are the culmination of a series of in-depth assessments resulting from a process of understanding the issues related to IT security.
Proactive Security: Cyber Risk Assessment
If we know our enemy, we have a better chance of beating him. This is the purpose of the preventive analysis carried out through the Cyber Risk Assessment.
The document resulting from the identification, evaluation and management phases will map in detail all the types of risk weighing on the business activity and their relative weight in terms of damage.
A qualified team of internal resources and external consultants will be created for the initial drafting, while monitoring can be carried out by internal resources with periodic checks. All the critical points and vulnerabilities of the information systems, the connection methods, the level of potential damage and the changes necessary to make them safe will be mapped. The structural interventions necessary to make the IT systems reasonably secure will then be planned.
Reactive Security: Cyber Emergency Response Plan
After setting up the preventive measures, analyzing the threats and mapping the risks, it is necessary to plan the actions that follow from any incident that may occur.
This phase, which we ascribe to the Reactive Process, is defined and explained in the Cyber Emergency Response Plan. This document contains the actions to be taken in case of an incident related to Cyber Security. It will guide the Company in handling any unauthorized data breach or intrusion and will be compiled after the Cyber Risk Assessment by the same work team. Both documents will be kept synchronized so that they receive any updates at the same time.
Cyber Security and Business Cloud
After the preventive planning phase of IT Security, the components of the IT infrastructure will be evaluated to verify which can be migrated to the Company Cloud.
The Cloud today is an appropriate choice for acquiring many effective security practices. The major Cloud Service providers design their Data Centers in a Secure by Design way: IT security is designed in from the beginning and is not treated as an afterthought. This allows a large part of the actions necessary to safeguard the data to be delegated to third parties, provided that an effective authentication management policy is in place.
Migrating part of the infrastructure to the Cloud allows the Company to focus on its processes rather than on technological best practices.
Secure by Design: Agile Software Development
In an effective IT security management plan, it will be a must to work on the code, as it is the handler of all the information. Many algorithms will need to be rewritten because they will turn out to be flawed in the Cyber Risk Assessment. We will need to make them Secure by Design. Here it is useful to adopt the Agile Software Development Process with dedicated iterations.
Being an iterative and incremental process, it is possible to dedicate an iteration loop only to security. Requirements analysis is extended to information security, and the last iterative loop is used only for data protection management and not for data manipulation. The Secure by Design approach in software development helps to eliminate most of the security issues related to data breaches.
Secure by Design: RESTful APIs and OAuth 2.0
For interoperability and software cooperation components, whether in the Cloud or on premises, authentication problems arise because they cannot be 'opened' to everyone.
Here it can be interesting to use the OAuth protocol in its latest version, 2.0. OAuth is a protocol designed to grant delegated access without sharing authentication credentials. Simply put, the Company authorizes the Alpha supplier's software to access the Beta data without sending it the username and password.
Also using the REST (REpresentational State Transfer) architecture for the interoperability components, we will obtain significant advantages in terms of application efficiency by federating the cooperating components through the use of API Gateways.
RESTful APIs and OAuth 2.0 are an agile and efficient pairing for the needs of interoperability and application cooperation.
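As an added example that is not part of the original article, the following Python simulates the exchange just described: the Alpha supplier's software obtains a bearer token from the Company's OAuth 2.0 authorization server using only its own client credentials (the client credentials grant of RFC 6749, one of the OAuth 2.0 grant types), and a REST resource server checks token validity and scope on every call to the Beta data. The Company's user password never reaches the supplier. The client name, secret, scopes, endpoints and the BETA_DATA records are constructed for the demonstration, and the token store and introspection method are simplified stand-ins for a real authorization server.

```python
"""Added example, not code from the original post: a minimal simulation of the
OAuth 2.0 client credentials grant in front of a REST resource server.
The supplier client holds only its own client_id and client_secret; the
authorization server issues a short-lived, scope-limited opaque bearer token,
and the resource server validates it and enforces scope per endpoint.
All names, secrets, scopes and data below are constructed sample values."""
import hashlib
import hmac
import secrets
import time


def hash_secret(secret: str, salt: str) -> str:
    """Client secrets are stored salted and hashed, never in plaintext."""
    return hashlib.sha256((salt + secret).encode()).hexdigest()


# Constructed client registry: what the Company registers for each supplier.
CLIENTS = {
    "alpha-supplier": {
        "salt": "salt-1",
        "secret_hash": hash_secret("alpha-client-secret", "salt-1"),
        "allowed_scopes": {"beta:read"},  # least privilege: read only
    },
}

# Constructed "Beta" data owned by the Company.
BETA_DATA = {"orders": ["ORD-1001", "ORD-1002"]}

# Scope required by each REST endpoint (method, path).
REQUIRED_SCOPE = {
    ("GET", "/beta/orders"): "beta:read",
    ("DELETE", "/beta/orders"): "beta:write",
}


class AuthorizationServer:
    """Issues and introspects opaque bearer tokens (client credentials grant)."""

    def __init__(self, ttl_seconds: int = 300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested deterministically
        self._tokens = {}

    def token(self, client_id: str, client_secret: str, scope: str) -> dict:
        """Token endpoint for grant_type=client_credentials."""
        client = CLIENTS.get(client_id)
        if client is None:
            return {"error": "invalid_client"}
        # Constant-time comparison of the salted hash against the registry.
        if not hmac.compare_digest(hash_secret(client_secret, client["salt"]),
                                   client["secret_hash"]):
            return {"error": "invalid_client"}
        requested = set(scope.split())
        if not requested or not requested <= client["allowed_scopes"]:
            return {"error": "invalid_scope"}
        access_token = secrets.token_urlsafe(32)  # opaque and unguessable
        self._tokens[access_token] = {"client_id": client_id, "scope": requested,
                                      "exp": self.clock() + self.ttl}
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": self.ttl, "scope": " ".join(sorted(requested))}

    def introspect(self, access_token: str) -> dict:
        """Introspection used by the resource server (RFC 7662 style)."""
        info = self._tokens.get(access_token)
        if info is None or info["exp"] <= self.clock():
            return {"active": False}
        return {"active": True, "client_id": info["client_id"], "scope": info["scope"]}


class ResourceServer:
    """REST resource server protected by bearer tokens."""

    def __init__(self, auth_server: AuthorizationServer):
        self.auth_server = auth_server

    def handle(self, method: str, path: str, headers: dict) -> tuple:
        header = headers.get("Authorization", "")
        if not header.startswith("Bearer "):
            return 401, {"error": "invalid_token"}
        info = self.auth_server.introspect(header[len("Bearer "):])
        if not info["active"]:
            return 401, {"error": "invalid_token"}
        needed = REQUIRED_SCOPE.get((method, path))
        if needed is None:
            return 404, {"error": "not_found"}
        if needed not in info["scope"]:
            return 403, {"error": "insufficient_scope", "required": needed}
        if method == "GET":
            return 200, {"orders": list(BETA_DATA["orders"])}
        return 204, {}  # deletion itself is omitted in this sample


def supplier_calls_company(auth_server: AuthorizationServer,
                           resource_server: ResourceServer) -> tuple:
    """The Alpha supplier's software: it uses only its own client credentials."""
    grant = auth_server.token("alpha-supplier", "alpha-client-secret", "beta:read")
    if "error" in grant:
        return 401, grant
    headers = {"Authorization": f"Bearer {grant['access_token']}"}
    return resource_server.handle("GET", "/beta/orders", headers)


if __name__ == "__main__":
    auth = AuthorizationServer()
    api = ResourceServer(auth)
    print(supplier_calls_company(auth, api))
```

Two design points carry over to a real deployment: the registered client gets only the scopes it needs (here read access to the Beta orders, so a DELETE with the same token is refused with 403), and the token is short-lived and checked on every request rather than trusted once, so a leaked token loses its value quickly.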
In conclusion, thanks for reading, sorry for any English mistakes (I'm an Italian native speaker), and follow me on Medium and Twitter ( https://twitter.com/antgrasso or @antgrasso ) if you found this document useful.
You can read more about Artificial Intelligence in Business, Digital Transformation, Internet of Things, Cyber Security, Smart Contracts, Blockchain, Startup Mentorship, Software Engineering, Software Development, Emerging Technologies, B2B Influencer Marketing, Digital Strategy and Digital Business Transformation on our Digital Transformation Blog. Thanks.