When Covid hit, companies had to accelerate their digital transformation process out of necessity. But now, almost three years after the initial shutdown, most organizations have embraced digital to the point where they are now maintaining new technologies rather than implementing more.

Cybersecurity is a crucial component of a company’s digital transformation. But have organizations stalled out on adopting new cybersecurity innovations, or is security a totally separate entity? What happens now?

The end of the digital transformation

It’s safe to say that in January 2020, most organizations were making the digital transformation gradually. Going fully digital involves transitioning more tasks to computer-based technologies like cloud and mobile, and changing corporate culture and business processes. The project requires methodical planning, and organizations must complete it in stages, spelling out strategies and budgets. In this way, organizations and their employees can adjust to new technologies and procedures over time.

In March 2020, everything changed. If your organization wasn’t accelerating its digital transformation process, it was falling behind — if it could survive at all. A report from Celerity found that 63% of organizations began or hastened their digital transformation sooner than planned because of Covid-19, and 49% said that digital transformation was not a strategic priority before the pandemic but quickly became one.

“In short,” the report said, “leaders were enthusiastic about investing in tech at the start of the pandemic, largely because it was the only way to preserve business continuity while ensuring employee safety.”

That was three years ago. As we moved into 2023, J.R. Cunningham, a chief security officer with Nuspire, predicted that this year, we can safely say the digital transformation is done.

“We are digital,” Cunningham said in a webinar. “The transformation is not some up-and-coming future thing. It happened.”

Cybersecurity and the digital transformation

The digital transformation brought new levels of attention to cybersecurity. According to a 2020 Ponemon Institute study, the digital transformation increased cyber risk, especially since those within the organization tasked with cybersecurity — only 24% of CISOs had a prominent role — weren’t actively involved with the process.

Third parties, such as cloud vendors, play a huge role in digital transformation, contributing to increased cyber risk. However, people weren’t ready. Some 58% of respondents said they did not have a cyber risk management program, and 63% said they couldn’t ensure a secure cloud environment. This reliance on third-party vendors with poor security results in cyber incidents. In fact, 55% of the Ponemon study respondents admitted that a security failure with a third party resulted in a post-digital transformation breach.

Remember, the Ponemon study took place during the height of the digital transformation push, when everything was in flux. Organizations embracing new technologies didn’t totally ignore cybersecurity, but they left weak spots to be exploited, both internally and externally.

The rethinking of cybersecurity within the digital transformation process did eventually happen. Leadership began to realize that adding new technologies required restructuring employee security awareness training programs and that remote work required organizations to revamp their cybersecurity strategy. They onboarded cybersecurity tools, in part because of the chaos and in part because of the disparate workforce. But due to the urgent timeframe, many organizations used these tools straight out of the box without customization.

Cybersecurity in a post-digital transformation world

If we have truly moved to a post-digital-transformation environment, as J.R. Cunningham predicted, this could be a positive moment for cybersecurity. In fact, we could be witnessing a cybersecurity transformation period.

In the “before” times, a well-executed digital transformation was planned based on business goals and growth. During the pandemic rush, the main objective was to keep the enterprise up and running. This meant that technology moves were based on current business needs rather than planning for long-term success. If the transformation happened, organizations should now be in a maintenance rather than an implementation pattern.

After the pandemic’s changes, leadership can start building a cybersecurity program that meshes with business operations and goals. During the transformation, the security team should have someone designated to do a deep dive into each digital endpoint to identify potential risks. Post-transformation, with these endpoints already known, organizations can build security around the actual technology in place and as it expands.

With the baseline of the technology already in place, security teams can evaluate relationships with third-party vendors and take a deep dive into the cybersecurity of the supply chain.

Look at the risks circling around APIs, for example. APIs are a vital part of the digital transformation, the backbone of mobile and web applications. A single vulnerability in an API could lead to catastrophic events for a company. The problem is discovering exactly where that vulnerability lies. Most organizations don’t have an inventory of all the APIs used across their applications and devices. They certainly don’t have visibility into APIs across the supply chain. Shifting the budgets and hours once reserved for the digital transformation to instead focus on re-evaluating the supply chain and vendors’ security practices could better identify and decrease potential risks.

The future is digital

The digital transformation has changed the way organizations work. Organizations will continue to build on the technologies they’ve introduced into their business operations, and they will shift their objectives to better adapt digital assets to work culture and hybrid situations.

But the hardest part is over. The pandemic forced everyone to jump ahead two, three or five years in their strategic planning and processing stages. Cloud, mobile, web — the baseline is now in place. Now we have to ensure that our cybersecurity platforms stay one step ahead of the new era of digital maintenance.
