Mitigating the hidden risks of digital transformation

New, cross-discipline risk management techniques are necessary to securely reap the benefits of transformative technologies.

Mitigating the hidden risks of digital transformation
Thinkstock

Companies are looking to grab any technology-driven advantage they can as they adapt to new ways of working, managing employees, and serving customers. They are making bigger moves toward the cloud, e-commerce, digital supply chains, artificial intelligence (AI) and machine learning (ML), data analytics, and other areas that can deliver efficiency and innovation.

At the same time, enterprises are trying to manage risk — and the same digital initiatives that create new opportunities can also lead to risks such as security breaches, regulatory compliance failures, and other setbacks. The result is an ongoing conflict between the need to innovate and the need to mitigate risk.

“There is always going to be some amount of tension relating to managing risk and engaging in digital transformation work,” says Ryan Smith, CIO at healthcare provider Intermountain Healthcare.

Ryan Smith, CIO, Intermountain Healthcare Intermountain Healthcare

Ryan Smith, CIO, Intermountain Healthcare

“As organizations pivot to increase the level of digital access offered to consumers and workforce members involving personal and business-oriented information, it creates entirely new forms of risk that must be mitigated compared to traditional ways of conducting business,” Smith says. “These new engagement models, enabled through digital transformation, require different risk management approaches.”

Here are four key areas where digital transformation efforts can introduce risks — and how organizations can address them.

Multicloud or hybrid cloud infrastructures

More organizations are shifting to IT environments supported by multiple cloud services, often from more than one provider. This can include software-as-a-service (SaaS), platform-as-a-service (PaaS), or infrastructure-as-a-service (IaaS) offerings.

Regardless of the types of clouds being used, hosting vital data and applications outside the organization’s own defensive perimeter introduces considerable risk, especially when multiple locations, services, or vendors are involved. Aside from data being lost or stolen, companies can run into problems with data privacy regulations, not to mention the risk of cost overuns that result from poor cloud management practices.

“The most frequent risks we see here involve governance of the cloud environments: Which cloud provider? Which protocol? Thresholds for creation, utilization, size, etc., for [development] environments to optimize use,” says Ola Chowning, a partner at technology research and advisory firm ISG, adding that it’s much easier to tackle governance issues such as these at the onset rather than post-implementation.

Emal Ehsan, director, Cervello Cervello

Emal Ehsan, director, Cervello

A multicloud strategy “tends to bring increased complexity and disjointed management and automation tools,” says Emal Ehsan, director at business analytics consultancy Cervello, a unit of global management consulting firm Kearney. That complexity can introduce risk of breakdown in operations.

Moreover, IT services historically were procured from company-owned and -operated data centers, with IT providing oversight of the procurement process. Now, cloud services such as PaaS can easily be purchased and deployed by business users without architecture or security reviews, Intermountain’s Smith says. IT and business leaders need to mitigate this by controlling which services are turned on and available to users.

“A best practice is to ensure that for all requested cloud services, [the services] are subjected to proper architecture and security reviews on any IaaS, PaaS, or SaaS vendor platforms, before being approved for use in the enterprise,” Smith says. “Guidance and guardrails must be established before any public cloud vendor tools can be provided to the organization, including ongoing monitoring of all usage.”

IT, cybersecurity, and legal must all work together to keep in front of all efforts of business users to procure and consume new cloud services, Smith says.

Digital supply chains and sales channels

Enterprises are increasingly relying on a variety of technologies to enhance and manage their supply chains, including end-to-end digital connectivity, cloud services, blockchain, robotics, autonomous vehicles, and advanced analytics tools, among others.

This digital transformation of the supply chain can increase efficiency and visibility, reduce errors and costs, enhance collaboration with business partners, and improve processes. It can also introduce risks, including data loss.

Numerous risk mitigation techniques can be employed by parties involved in business to business (B2B) digital services, Smith says. This includes developing comprehensive business agreements with partners that address the various risks and responsibilities. Companies can also establish cybersecurity and data privacy controls to ensure transmission and storage of data is secure.

“Enterprises typically require that these B2B connections be monitored to ensure policies and procedures are being adhered to,” Smith says. “In addition, best practices recommend that frequent third-party risk assessments are conducted to ensure that all participants in the digital supply chain are adhering to industry security and privacy requirements and standards.”

Ola Chowning, partner, ISG ISG

Ola Chowning, partner, ISG

Companies are also relying more on digital sales channels, such as ecommerce, email, text, mobile apps, and online events to reach customers or prospects.

“Risks we often see here [are] lack of clarity around a multichannel strategy, or if moving completely to digital the lack of strategy to enable the shift by the partner, customer, consumer on the other end,” Chowning says. “Without the strategy fully outlined and driving priorities and investments, organizations can find themselves in a constantly shifting priority situation where effectively none of the channels progresses.”

Some efforts at creating multiple digital channels have even devolved into a form of infighting, Chowning says. “Making the multiple channels the responsibility and accountability of a single leadership team is often a very important mitigation strategy” to help avoid this.

Internet of things (IoT)

Companies in manufacturing, healthcare, retail, and other sectors have begun deploying IoT technologies en masse to track the location of assets, monitor equipment performance, gather data about product usage, and more.

The potential benefits are compelling, including more efficient supply chains and factories, improved maintenance of equipment and products, enhanced customer experiences, and cost reductions from avoidance of lost goods. But the risks are also high. Distributed denial-of-service attacks, for example, have already been blamed on connected devices, and IoT strategies introduce numerous entry points for hacking, including the connected devices themselves.

Connected devices within the enterprise can include potentially anything, from HVAC systems, to servers and other IT equipment, to vehicles, lighting systems, thermostats, appliances, and more. Organizations need to look for ways to secure and mitigate the risk of networked devices to limit the connections these devices have to other devices, Smith says, and in some cases place them in separate networks.

“In addition, special effort needs to be taken to coordinate closely with device manufacturers to help ensure these types of devices are kept up to date for [operating system] patching and have appropriate controls to secure them,” Smith says.

Other best practices include requiring device manufacturers through contracts to provide ways to keep devices up to date and secure; and

scanning corporate networks to detect IoT devices for signs of suspicious activity.

Automation and analytics

Companies are scrambling to automate time-consuming and labor-intensive manual processes as they seek to accelerate operations, reduce errors, and cut costs.

Technologies such as AI and robotic process automation (RPA) can help automate tasks such as data entry, thereby dramatically enhancing the way business processes are handled, but they can introduce risks as well.

Chief among the risk components with analytics, AI, and ML are the datasets being used by data scientists to train the models and the platforms where those models are generated, Smith says.

Risk mitigations range from having well-crafted contracts to manage big data partnerships, to limiting the data used in data sets to the minimum data necessary, and using anonymized data when possible, Smith says.

Some of the risk of automation can come from an inability to scale fast enough or meet expectations.

“The automation ecosystem is undergoing significant change at the moment,” Cervello’s Ehsan says. “Looking back, it began with process outsourcing, then process optimization — Lean, Six Sigma — to RPA. What we are seeing now is a convergence of RPA and AI to solve complex business problems.”

This congruence of AI and RPA is opening new possibilities and use cases that were not possible in the past, Ehsan says, such as intelligent document processing with a capacity of 175 billion machine learning parameters, or the use of neural networks and deep learning to detect anomalies in transactions.

Organizations should set expectations for automation early and engage stakeholders from both the business and IT to create awareness of the possible benefits, capabilities, and uses of automation, Ehsan says. Then they should introduce rapid, small, and short-term pilots that focus on the benefits.

“Leverage highly skilled resources early on by hiring staff or engaging consultants to put in place the governance, frameworks, change management and communication, templates, business engagement, business case formation, and ROI [return on investment] calculation,” Ehsan says.

Digital risk mitigation in action

With any digital transformation initiative, organizations should thoroughly assess risks — including those associated with the technology platforms they will be using — via collaboration between IT, security, risk management, legal, and other interested parties. By determining what the biggest risks are, IT and security leaders can then approach transformation initiatives with that perspective in mind.

David Lloyd, director of IT, Park Industries Park Industries

David Lloyd, director of IT, Park Industries

Park Industries, a provider of manufacturing systems, has several digital transformation efforts under way, including business process automation, enterprise systems integration, cloud migrations, and data analytics related to IoT.

“Information security and data quality are two of the largest risks when dealing with these transformation initiatives,” says David Lloyd, director of IT at Park Industries. “Having an overall data strategy that includes security, role-based privileges as well as identifying single sources of truth assist in the mitigation of these risks.”

Most organizations recognize that leveraging the cloud, AI, IoT, and other technologies can provide substantial benefits such as increased business agility, greater scalability of services, and reduced cost, Smith says. “However, entirely new risk management techniques must be implemented to support these transformative capabilities,” he says.

Copyright © 2021 IDG Communications, Inc.

Watch out for these 6 IT management traps to avoid