Robert Herjavec, founder and CEO of the Herjavec Group and investor on “Shark Tank,” discusses how businesses should navigate digital transformation, cybersecurity, and the transition to remote work.
Where do you see the future of digital headed?
There is no doubt that any organization that wants to scale needs to go through some aspect of digital transformation. Consumer behavior is dictating that organizations need to make engagement more convenient and simpler than ever before. As a result, companies are developing mobile applications and integrating various consumer touchpoints through the buying process. Those touchpoints lead to opportunities to collect data, to conversion, to privacy concerns … you see where I’m going. This is more risk and more data that needs protecting. We’re also seeing enterprises move to more cloud-based tools in order to drive efficiency and security in business operations.
In addition, digital transformation has allowed many organizations to have a remote workforce. Whether it’s a cultural move for the company or a response to a health pandemic like COVID-19, digital tools like secure remote access solutions and company communications technologies have enabled organizations to ensure the continuity of their business operations successfully.
What should businesses specifically look for in their software partners from a cybersecurity perspective to ensure success?
Businesses need to know what their vulnerabilities are at any given point — this does not limit them to vulnerabilities in their own network, but also the vulnerabilities in their partners’ networks.
Many adversaries use third parties to target specific organizations — your cybersecurity measures could be great, but if your partners’ security measures are not, then adversaries can (and will) use them as a gateway into your networks.
You can’t trust that every technology or service provider accessing your network is as secure as you want them or need them to be. You’ve got to establish a baseline for third-party risk in your organization and undergo regular assessments. Vendors should be put through the test in terms of completing appropriate questionnaires on their own policies and procedures, relative to the data they’re accessing in your organization.
The key things to consider with a third-party risk assessment:
- Does the partner store or utilize client data? If yes, what type of client data?
- Does the partner store or utilize company data? If yes, what type of company data?
- Where is the data stored?
- Is GDPR data in scope? Do they have U.S. Privacy Shield or any additional security certifications? NIST? ISO? SOC certifications?
- What would be the business impact to us if they were breached?
At the end of the day, it’s one thing for an organization to be compliant and have security certifications and processes in place, but it is another to implement them. Businesses in general need to conduct third-party risk assessments on at least an annual basis. Think about it — when was the last time you did one?
Can cybersecurity programs keep pace with digital transformation?
Keeping pace with digital transformation can definitely be a challenge, but there are a number of ways your security programs can keep up. As a business, we encourage enterprise leaders to mitigate the risks associated with digital transformation by focusing on three key programs: identity, threat modeling, and SOAR (security orchestration, automation, and response).
- Identity: It goes without saying that identity is the new perimeter. In response, business leaders need to view security through the lens of identity, not infrastructure. This means taking a contextualized approach to your identity programs – instead of just focusing solely on being data-centric, enterprises must start being user-centric. Think about who is accessing the data, where they’re accessing from, what information they’re requesting, etc.
- Threat modeling: When you’re building a security program, either you build it based on a security framework or on the likelihood of an attack occurring, which is threat modeling. I’d recommend using threat modeling because it allows you to take a proactive approach in building your overall security program. It leverages the MITRE ATT&CK framework, which is an industry framework designed specifically to map real adversaries to specific industries and identify the detection and response capabilities you need to have.
- SOAR: This is a solution stack that allows organizations to collect data about security threats from multiple sources and respond to security events. SOAR technology can replace repetitive security tasks that humans do, increase response speed, and help your organization better leverage the limited available security talent. By developing playbooks and workflows to address specific security incidents, you can automate the response required and create more efficient processes in turn, freeing up your people to do more critical tasks.
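The identity and SOAR points in the answer above can be shown together in working code: a context-based access decision (who is asking, from where, for what) whose outcome feeds a small playbook that correlates events from several sources and emits response actions. This is an added illustration, not code from the interview or from Herjavec Group; the event sources (VPN, MFA, EDR), field names, user context table, thresholds and the sample events are all constructed assumptions for the example.

```python
"""Context-based access decisions feeding a SOAR-style playbook (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed user context: who the user is and where they normally work from.
USER_CONTEXT = {
    "alice": {"role": "finance", "usual_countries": {"CA"}},
    "bob":   {"role": "sales",   "usual_countries": {"CA"}},
    "carol": {"role": "hr",      "usual_countries": {"CA", "US"}},
}

# Which roles may reach which resource: the "what are they requesting" question.
RESOURCE_ROLES = {
    "finance-share": {"finance"},
    "hr-share":      {"hr"},
    "crm":           {"sales"},
}

# Assumed playbook thresholds: N denied MFA pushes within the window = MFA fatigue.
MFA_FATIGUE_THRESHOLD = 3
MFA_FATIGUE_WINDOW = timedelta(minutes=10)

# Constructed sample events from three sources, as a SIEM might normalise them.
SAMPLE_EVENTS = [
    {"src": "vpn", "ts": "2024-03-01T08:02:10Z", "user": "alice", "country": "CA", "resource": "finance-share"},
    {"src": "mfa", "ts": "2024-03-01T08:02:14Z", "user": "alice", "result": "success"},
    {"src": "vpn", "ts": "2024-03-01T08:40:00Z", "user": "bob",   "country": "CA", "resource": "crm"},
    {"src": "mfa", "ts": "2024-03-01T08:40:03Z", "user": "bob",   "result": "push_denied"},
    {"src": "vpn", "ts": "2024-03-01T08:41:00Z", "user": "bob",   "country": "CA", "resource": "crm"},
    {"src": "mfa", "ts": "2024-03-01T08:41:04Z", "user": "bob",   "result": "push_denied"},
    {"src": "vpn", "ts": "2024-03-01T08:42:00Z", "user": "bob",   "country": "CA", "resource": "crm"},
    {"src": "mfa", "ts": "2024-03-01T08:42:02Z", "user": "bob",   "result": "push_denied"},
    {"src": "vpn", "ts": "2024-03-01T09:05:00Z", "user": "carol", "country": "RU", "resource": "hr-share"},
    {"src": "mfa", "ts": "2024-03-01T09:05:05Z", "user": "carol", "result": "success"},
    {"src": "edr", "ts": "2024-03-01T09:06:30Z", "user": "carol", "host": "LT-CAROL", "alert": "credential_dumping"},
]


def parse_ts(s):
    """Parse the ISO 8601 UTC timestamps used in the sample events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def evaluate_login(event):
    """User-centric decision for one VPN login: (decision, reason).

    Checks the user is known, the source country is one they normally use,
    and their role is permitted for the resource they are requesting.
    """
    ctx = USER_CONTEXT.get(event["user"])
    if ctx is None:
        return "deny", "unknown_user"
    if event["country"] not in ctx["usual_countries"]:
        return "step_up", "unusual_location"   # ask for a fresh MFA challenge
    if ctx["role"] not in RESOURCE_ROLES.get(event["resource"], set()):
        return "deny", "role_not_permitted"
    return "allow", "ok"


def run_playbook(events):
    """Correlate events per user in time order and return (user, action, detail) tuples."""
    actions = []
    denied_pushes = defaultdict(list)   # user -> timestamps of denied pushes in window
    contained = set()                   # users whose account was already disabled
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        user = ev["user"]
        if ev["src"] == "vpn":
            decision, reason = evaluate_login(ev)
            if decision != "allow":
                actions.append((user, decision, reason))
        elif ev["src"] == "mfa" and ev["result"] == "push_denied":
            t = parse_ts(ev["ts"])
            recent = [x for x in denied_pushes[user] if t - x <= MFA_FATIGUE_WINDOW]
            recent.append(t)
            denied_pushes[user] = recent
            if len(recent) >= MFA_FATIGUE_THRESHOLD and user not in contained:
                contained.add(user)
                actions.append((user, "disable_account", "mfa_fatigue"))
                actions.append((user, "open_ticket", "mfa_fatigue"))
        elif ev["src"] == "edr" and ev["alert"] == "credential_dumping":
            actions.append((user, "isolate_host", ev["host"]))
            if user not in contained:
                contained.add(user)
                actions.append((user, "disable_account", "credential_dumping"))
    return actions


if __name__ == "__main__":
    for action in run_playbook(SAMPLE_EVENTS):
        print(action)
```

On the sample data the playbook leaves alice alone, disables bob's account and opens a ticket after the third denied push inside ten minutes, asks carol for step-up authentication because of the unfamiliar country, and then isolates her laptop and disables her account once the EDR alert arrives. Real deployments would replace the in-memory tables with the identity provider and ticketing APIs, but the shape (context decision, correlation across sources, scripted response) is what a playbook automates.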
Where do you see cloud-based platforms headed in the next few years? What is the importance of integrating these platforms?
Cloud-based platforms are going to be the norm – there’s no doubt about it. As more and more organizations incorporate a remote workforce, they will need to rely on cloud-based tools in order to make sure that business operations are secure and up-to-date, and that continuity is not disrupted.
At the end of the day, integration of these platforms impacts how well your organization operates. Every department has a specific function and for each function there is a cloud-based tool; however, many departments don’t work in silos. Therefore, integrating the tools each department has ensures that there is fluidity to how each department is productive and efficient. This is also critical for overall security updates and access control. Ensuring ownership over patching, log monitoring, as well as context-based access is a must when it comes to cloud tools.
For organizations looking to explore a remote workforce – what are some of the things they need to consider from a security perspective?
Ask yourself — what business continuity planning, remote access solutions, and 24/7 monitoring do we have in place to support and enable a successful remote workforce?
We are already starting to see a fundamental shift in how teams work. These changes are being driven by the world around us, and have an impact on business continuity, innovation, and expectations.
My team and I recommend five key initiatives for secure and successful telework:
- Implementing secure remote access solutions
- Rolling out multi-factor authentication across your BYOD and remote team members
- Policy preparedness to regulate telework, including acceptable use, technology policy, and overall emergency preparedness planning
- 24/7 managed security services and technology monitoring (configure all remote access and MFA tools to log to SIEM; evaluate use of UBA and DLP tools)
- Partnering with a provider for managed phishing support — email gateway management, investigation, and remediation support
With this in mind, ask yourself: how ready is your organization to embrace a remote workforce?