Digital transformation is the latest trendy term. But what does it really mean? After 15 years in the cybersecurity field, I must admit that the term refers to nothing more, nothing less than the adoption of formal processes and procedures within a technology organization. The idea here is that the adoption of such processes and procedures in an orderly manner, and the assignment of roles and responsibilities in their corresponding areas, should eliminate much of the mystery surrounding technology management activities, mysteries that have kept us, for decades, speaking a different language than the rest of the organization, especially executives.

Now, what does this have to do with cybersecurity? Well, everything. If there is an area within technology that typically operates in the shadows, it is the security area. Some think that is how we should operate—I do not know if it is because it gives us an air of mystery or makes us feel like secret agents in a movie—but the reality is that security through obscurity does not work, not now, not before, not ever.

The only way we can provide security services to the organizations we work for, or to our clients (in the case of vendors), is through transparency, clarity in the functioning of technologies associated with different technical controls, and understanding that there is no magic solution to the cybersecurity problem. Just as there is no single universal process that covers everything, there is no single technology vendor, nor a single universal methodology that fits everything. We must work on our own processes and refine them until they are as efficient, effective, and economical as possible, and then define the type of controls and metrics that will allow us to determine the return on investment in security.

Now, here is where it gets good. It turns out that for years we have had the necessary reference frameworks within our reach to carry this out. Some are:

  1. ISO 27001
  2. COBIT
  3. ITIL
  4. MOF
  5. RACI Matrices

The mathematics is not complicated. When no clear criterion tells us what to do, we can add discretionary weighting criteria that let us reach a numerical conclusion, one we can then use in our conversations with the business.

Without a common base of clear and agreed-upon criteria between the different areas of technology regarding the assignment of roles and functions, plus the associated processes, it is practically impossible to implement an effective and efficient cybersecurity practice.

Now, this is the part where there are more questions than answers: Who should lead digital transformation? Which reference framework should be used? What cultural changes need to be made? What does the cybersecurity area do while this happens? Can change be forced? Do you think this article is crazy?