Nov. 06, 2019
Many companies are paying attention to digital transformation (DX), which aims to transform existing businesses and create new business models by utilizing digital technologies. However, if we neglect information security measures while promoting DX initiatives, significant damage might be caused by cyber-attacks and other factors. We spoke to Ken Sato of NRI Secure Technologies (NRI Secure) about the importance of information security and the key measures in the DX era.
Information security in the DX era requires an understanding of business models
--- Many companies are currently working on DX, but what should they be aware of when it comes to information security measures?
Until now, information security has been considered mainly in terms of how to prevent attacks against vulnerabilities such as bugs and misconfigurations. However, I am concerned that once a new business is created by DX, attacks will be launched to exploit the weaknesses of that business model.
For example, a single service may be secure, but it can pose a risk when combined with other services or technologies. In addition, there may be problems with the logic of the business that provides such services, so it is necessary to examine information security risks based on an understanding of the entire business model rather than only looking at information systems.
--- What information security measures should be taken when promoting DX projects?
DX projects often proceed in a style called "agile development," in which small projects are started and gradually expanded. At that time, information security must be ensured depending on the progress of the project.
If we neglect information security because a project or a service has just been commenced, we may face major risks in the future. Information security should be taken into account at the idea development or the PoC (Proof of Concept) stage, and incorporated into information systems and business models.
Information security personnel should be assigned to DX projects
--- What points should we pay attention to when considering the advancement of DX projects using the agile development method?
Agile development is characterized by the practice of dividing the development work of an information system into small tasks, releasing them in a short period, and then repeating it to complete the entire system. Since the development cycle is shortened in this method, it is difficult to ensure information security. NRI Secure provides specific advice on what to consider during each phase of the development process and supports agile development with built-in information security.
In addition to leveraging external forces, it is essential to develop human resources who are in charge of information security within each company or individual project. They don’t have to be technically proficient, but they must at least be able to lead the information security activities and promote measures to improve security levels. If you don’t have such resources in your project teams, you cannot work on DX projects in a timely manner.
The information security risk in DX should be recognized as a management issue
--- What kind of support does NRI Secure provide for the realization of safe and secure DX?
As I mentioned earlier, security in the DX era requires consideration of the business models and the logic contained therein. We believe that NRI Secure is the only company that can provide consistent information security services, from the aspects of technology and business model. Our main services include consulting services to support projects related to DX from the information security perspective, and "S-SIRT (Service-Security Incident Response Team)" to specifically address issues and vulnerabilities.
When we talk to our clients, we often hear that they don’t know how to deal with information security while proceeding with DX projects. Especially in Japan, information security measures tend to be placed on the back burner because agile development efforts are lagging behind those overseas.
We believe that information security risk is an important management issue in an era where DX drives our business. NRI Secure will continue to leverage its knowledge as an information security vendor that covers everything, from managed security services* to consulting, and even the development of services and software to support the success of DX projects while working together with our clients.
* Managed security service: A fully outsourced service that includes designing a secure network, introducing security devices, and monitoring operations 24x7.