Many organizations around the world have been talking about, thinking about or undergoing digital transformation. It has been an oft-used buzzword for the past two decades, but what does it really mean?

Digital transformation is a paradigm shift from a traditional approach of strategic business operations to a new culture of agile leadership, innovation and thinking through technology change. That all sounds great, but many organizations still struggle with common IT challenges that preclude them from completing the digital transformation journey.

Common Barriers to Digital Transformation

A recent International Data Corporation (IDC) report titled “Future Business: Unleashing Your Talent” found that cultural resistance to change was the main barrier to digital transformation, with legacy IT systems and retaining critical talent ranking second and third, respectively.

Let’s take a closer look at these obstacles and consider factors that can help security professionals improve their digital transformation programs.

Cultural Resistance

How do organizations deal with the difficult challenge of cultural resistance during digital transformation? The most successful programs start by communicating a clear strategic vision and maintaining an open dialogue. It's important to recognize the value of end-state digital capabilities, operating models and processes. Security leaders must communicate the strategy in a way that is easily understood to obtain executive buy-in. According to McKinsey & Company, organizations in which senior leaders communicate about digital transformation are eight times more likely to be successful.

Meticulous planning and prioritization are also critical. Focus efforts on delivering digital capabilities that provide business value and protect the most critical assets. Leading a digital transformation effort is comparable to urban planning because it involves building digital landmarks to anchor the strategy and removing roadblocks to facilitate efficiency with the agility to change direction as required.

This planning goes hand in hand with defining measures for success and tracking the business impact of the digital transformation. The intangible elements of culture change can make this measurement difficult to define and assess, but it is important to establish both quantitative and qualitative goals with key indicators of success. Security professionals should regularly communicate these measurements to all stakeholders, use metrics to evaluate progress and make changes where necessary.

Finally, it’s crucial to continuously seek to improve and become more agile. The challenge does not end when the new capabilities have been delivered through your digital transformation. Instead, the focus shifts to ensuring that employees are constantly challenged, technology does not become obsolete, and processes are regularly reviewed for suitability and updated to improve efficiency. Security leaders need to ensure that the organization is agile at scale and capable of thriving amid continuous change.

Legacy IT Systems

IBM estimated that more than 80 percent of the world's enterprise data resides on mainframe systems, a technology that is more than 50 years old. So it is easy to see why legacy systems represent another key barrier to transformation. The services they deliver are often considered too risky or complex to change, because they must remain stable while performing critical actions. However, if they are factored into the transformation strategy, both new and old systems can coexist during a transformation journey.

The first step is to embrace the cloud. Many organizations are eliminating their cumbersome and costly data centers and moving their technologies and applications to cloud providers that deliver software-as-a-service (SaaS), infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS). These migrations helped evolve development platforms, mobile and Internet of Things (IoT) integrations, and digital adoption across all industry sectors.

Next, security leaders should apply business intelligence and analytics to make informed decisions on how to deal with legacy IT issues. Many organizations conduct two-tier or parallel transformations in which new systems are delivered while legacy IT is slowly decommissioned.

When the organization’s digital capabilities reach a certain level of maturity, it becomes crucial to use golden sources of data. This means gathering big data and amalgamating outputs into decision-making processes. The IoT, artificial intelligence (AI) and machine learning are starting to help global businesses become “digital industrial.” This powerful data can help security professionals make meaningful, measured decisions to fulfill strategic goals.

Retaining Critical Talent

As specific capabilities have become more vital, the supply of critical skills has not kept up with the rate of change. Some organizations are finding themselves in the difficult position of fighting for the best talent in the industry, ensuring a strong cultural fit and retaining key individuals.

One of the best ways to retain this critical talent is to identify strengths and gaps in cyber skills. Assess the current and targeted capabilities of individuals in both technical and soft skills. This can help pinpoint potential cultural issues as well as technical ones. Retaining key talent is critical, but not all the skills will be found in-house. It may be beneficial to seek help and guidance from expert contractors and industry thought leaders.

Security leaders should also promote cross-functional coordination and foster collaboration. Building strong digital capabilities requires skillful coordination and communication across business units, divisions and functions. For example, developing a new information security operations capability requires new technologies, a skilled workforce, business processes and governance. Successful coordination involves human resources, IT, procurement, finance and leadership teams to understand the strategic vision and support cultural change.

Providing meaningful learning and development for employees can go a long way toward creating a culture of security. Delivery methods such as training, shadowing, coaching and mentoring can also shape behavioral change messaging. These learning options should be integrated into formal training and development pathways, including soft skills and commercial awareness development, to embed the right mindset and emotional intelligence required to cultivate a positive working environment.

Arkadi Kuhlmann, founder and CEO of ING Direct USA, applied a successful new approach to retail banking by recruiting thousands of new employees without directly sourcing them from competitors. “If you want to renew and re-energize an industry, don’t hire people from that industry,” Kuhlmann told Harvard Business Review. “You’ve got to untrain them and then retrain them. I’d rather hire a jazz musician, a dancer or a captain in the Israeli army. They can learn about banking. It’s much harder for bankers to unlearn their bad habits.”

A Growing Divide

There is now a growing divide between digital transformation top performers and laggards. According to BCG, this gap will become even more visible between now and 2020.

Investing in technology alone may not equate to long-term success if the organization’s people do not change their mindset and behaviors. While improving the culture may be the most difficult challenge in any enterprise, a strong and clear message from top leadership is critical to a successful digital transformation.
