Many organizations around the world have been talking about, thinking about or undergoing digital transformation. It has been an oft-used buzzword for the past two decades, but what does it really mean?

Digital transformation is a paradigm shift from a traditional approach of strategic business operations to a new culture of agile leadership, innovation and thinking through technology change. That all sounds great, but many organizations still struggle with common IT challenges that preclude them from completing the digital transformation journey.

Common Barriers to Digital Transformation

A recent International Data Corporation (IDC) report titled “Future Business: Unleashing Your Talent” found that cultural resistance to change was the main barrier to digital transformation, with legacy IT systems and retaining critical talent ranking second and third, respectively.

Let’s take a closer look at these obstacles and consider factors that can help security professionals improve their digital transformation programs.

Cultural Resistance

How do organizations deal with the difficult challenge of cultural resistance during digital transformation? The most successful programs start by communicating a clear strategic vision and maintaining an open dialogue. It’s essential to recognize the importance of end-state digital capabilities, operating models and processes. Security leaders must communicate the strategy in a way that is easily understood to obtain executive buy-in. According to McKinsey & Company, organizations in which senior leaders communicate about digital transformation are eight times more likely to be successful.

Meticulous planning and prioritization are also critical. Focus efforts on delivering digital capabilities that provide business value and protect the most critical assets. Leading a digital transformation effort is comparable to urban planning because it involves building digital landmarks to anchor the strategy and removing roadblocks to facilitate efficiency with the agility to change direction as required.

This planning goes hand in hand with defining measures for success and tracking the business impact of the digital transformation. The intangible elements of culture change can make this measurement difficult to define and assess, but it is important to establish both quantitative and qualitative goals with key indicators of success. Security professionals should regularly communicate these measurements to all stakeholders, use metrics to evaluate progress and make changes where necessary.

Finally, it’s crucial to continuously seek to improve and become more agile. The challenge does not end when the new capabilities have been delivered through your digital transformation. Instead, the focus shifts to ensuring that employees are constantly challenged, technology does not become obsolete, and processes are regularly reviewed for suitability and updated to improve efficiency. Security leaders need to ensure that the organization is agile at scale and capable of thriving amid continuous change.

Legacy IT Systems

IBM estimated that more than 80 percent of the world’s enterprise data resides on mainframe systems, a technology that is more than 50 years old. So it is easy to see why legacy systems represent another key barrier to transformation. The services they deliver are stable and perform critical actions, so they are often considered too risky or complex to change. However, if they are factored into the transformation strategy, both new and old systems can coexist during a transformation journey.

The first step is to embrace the cloud. Many organizations are eliminating their cumbersome and costly data centers and moving their technologies and applications to cloud providers that deliver software-as-a-service (SaaS), infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS). These migrations helped evolve development platforms, mobile and Internet of Things (IoT) integrations, and digital adoption across all industry sectors.

Next, security leaders should apply business intelligence and analytics to make informed decisions on how to deal with legacy IT issues. Many organizations conduct two-tier or parallel transformations in which new systems are delivered while legacy IT is slowly decommissioned.

When the organization’s digital capabilities reach a certain level of maturity, it becomes crucial to use golden sources of data. This means gathering big data and amalgamating outputs into decision-making processes. The IoT, artificial intelligence (AI) and machine learning are starting to help global businesses become “digital industrial.” This powerful data can help security professionals make meaningful, measured decisions to fulfill strategic goals.

Retaining Critical Talent

As specific capabilities have become more vital, the supply of critical skills has not kept up with the rate of change. Some organizations are finding themselves in the difficult position of fighting for the best talent in the industry, ensuring a strong cultural fit and retaining key individuals.

One of the best ways to retain this critical talent is to identify strengths and gaps in cyber skills. Assess the current and targeted capabilities of individuals in both technical and soft skills. This can help pinpoint potential cultural issues as well as technical ones. Retaining key talent is critical, but not all the skills will be found in-house. It may be beneficial to seek help and guidance from expert contractors and industry thought leaders.

Security leaders should also promote cross-functional coordination and foster collaboration. Building strong digital capabilities requires skillful coordination and communication across business units, divisions and functions. For example, developing a new information security operations capability requires new technologies, a skilled workforce, business processes and governance. Successful coordination involves human resources, IT, procurement, finance and leadership teams to understand the strategic vision and support cultural change.

Providing meaningful learning and development for employees can go a long way toward creating a culture of security. Delivery methods such as training, shadowing, coaching and mentoring can also shape behavioral change messaging. These learning options should be integrated into formal training and development pathways, including soft skills and commercial awareness development, to embed the right mindset and emotional intelligence required to cultivate a positive working environment.

Arkadi Kuhlmann, founder and CEO of ING Direct USA, applied a successful new approach to retail banking by recruiting thousands of new employees without directly sourcing them from competitors. “If you want to renew and re-energize an industry, don’t hire people from that industry,” Kuhlmann told Harvard Business Review. “You’ve got to untrain them and then retrain them. I’d rather hire a jazz musician, a dancer or a captain in the Israeli army. They can learn about banking. It’s much harder for bankers to unlearn their bad habits.”

A Growing Divide

There is now a growing divide between digital transformation top performers and laggards. According to BCG, this gap will become even more visible between now and 2020.

Investing in technology alone may not equate to long-term success if the organization’s people do not change their mindset and behaviors. While improving the culture may be the most difficult challenge in any enterprise, a strong and clear message from top leadership is critical to a successful digital transformation.
