As industrial and large enterprise companies leverage technology to improve their businesses, they are investing billions of dollars into digital transformation (DX) initiatives that impact their factory operations, productivity, and customer experience. The global digital transformation market is expected to grow from $470 billion in 2020 to $1 trillion by 2025. As we all know, with great opportunity comes great risk, and these new DX projects introduce business and cybersecurity risks that must be understood and addressed.
The truth is that for many industrial companies that have been around for decades, implementing a DX strategy can be like transforming a caterpillar into a high-tech digital butterfly.
What Is Digital Transformation?
Digital transformation is the adoption of digital technologies by a company to improve business value and customer value. Typically integrated across the areas of a business, digital transformation drives strategic innovation, growth, and changes to a company’s culture. In response to COVID-19, 69% of boards of directors have accelerated their digital business initiatives.
Digital transformation is driving innovation across all industries to solve real business problems:
- Oil and gas operators must address price volatility, forecasting peak demand, and optimizing turnaround
- Electric utilities must forecast generated and distributed load, manage more complex grids, and build closer relationships with their customers
- Mine operators must improve productivity, plant reliability, and increase efficiency with semi-autonomous and autonomous
- Manufacturers must increase production flexibility and be able to respond to the unpredictability of supply chain interruptions
- Healthcare providers must provide a safe environment, treat remote patients with tele-health, and continue to improve patient care in the unpredictable times of the pandemic
- Transportation and logistics companies must adjust to changing demands for both freight and passenger traffic while enabling omni-channel marketing approaches
Often driven from the board of directors or C-suite with big expectations, DX initiatives can significantly improve the enterprise value of a business. For large industrial companies, a small change in revenue, operating costs, or capital utility can significantly increase profitability. Considering revenue multiples by industry, a company with single-digit net margins has an enterprise value (EV)/Sales ratio of one to three. A company with double-digit net margins has an EV/Sales ratio of five to six.
Companies that do not have a digital business strategy will fall behind their competitors.
Assessing Digital Transformation Risks
Digital transformation is not easy, and it involves a lot of new technologies and ways of thinking about the business. For many large companies, a DX project requires new endpoint devices, industrial control systems (ICS), networking equipment, cloud computing infrastructure, and software. The design, architecture, integration, and software development required for DX may demand expertise that the company does not have, requiring hiring outside business consultants, systems integrators, and service providers.
Execution and cybersecurity risks are high for digital transformation projects. It’s no surprise that while 21% of large public firms have hired a chief digital officer (CDO), their average tenure is just 31 months.
De-risking your digital transformation strategy requires understanding the performance and security risks across your end-to-end operations. Organizations should consider the following risks across their IT and operational technology (OT) infrastructure:
- Endpoints: Enterprise, industrial, and IoT endpoints can sit outside the traditional enterprise perimeter. These devices require a strong security architecture and trustworthy machine identities.
- Networks: Many industrial DX use cases require new networks because older network technologies can’t meet the performance requirements of IoT (low power), collaboration (high bandwidth), and robotics (high reliability). Additionally, previously closed OT networks are now being connected to the cloud, increasing the attack surface. Finally, COVID-19 has increased the need for remote access into networks that were never intended to connect to the outside world. These new business mandates require rethinking network design and architecture.
- Systems: Enterprise IT systems and industrial device management systems (DMS) are relied upon to monitor and manage critical business and operational systems. Digitalization requires a more seamless view and system architecture that flows across OT and IT environments. And while ERP and analytics systems rely on downstream systems, you can’t trust the data if you can’t trust the device.
- Cloud: Whether you’re running your analytics in the public cloud or your own private cloud, the same security concerns exist. You need to be able to protect data at rest and in flight. Trusting cloud data requires trusting your secrets, secrets vaults, and the entire system used to generate and store machine identities (keys, digital certificates, etc.).
- DevOps: Companies implementing DX projects will necessarily become small software development companies. DX requires a significant amount of constant software development to build new applications and backend analytics and decision-making systems. Companies must address all of the risks across the DevOps lifecycle: plan, code, build, test, release, deploy, operate, and monitor.
Best Practices to De-Risk Your Digital Transformation Strategy
- Assess your risks across IT and OT: operationalizing your digital business strategy means understanding your security and performance risks to ensure reliability, resilience, safety, security, and privacy. Connecting plant operations with analytics platforms requires examining your requests across endpoints, networks, systems, cloud and DevOps.
- Demand trust from your supply chain: leverage tools such as MITRE’s ATT&CK® framework to understand your supply chain risks. Demand that your OEM vendors provide endpoint security and strong authentication, and that they follow secure coding practices. Include these security practice requirements in your vendor agreements just as you would include feature requirements.
- Expand the CISO mandate: ensure that your CISO’s span of control includes both IT and OT environments. The integration of these systems is critical to enabling digital strategies, and it no longer makes sense to allow OT to employ a security architecture separate from IT’s. Expanding the CISO mandate beyond information security is important. The CISO must be responsible for managing security risks across industrial devices, systems, applications and the supply chain.
- Converge your IT and OT security teams: this won’t happen overnight, but industrial companies should begin converging their IT and OT security teams. Digital transformation, supply chain, and digital twin initiatives require a closely integrated security team with common goals. Where many IT security teams are concerned with privacy, reliability, and security, OT teams tend to focus on resilience, safety, and reliability. The success of a digital transformation project relies on your security teams across your corporate, IT, OT, and plant operations being committed to the success of the company’s strategic vision and business goals.
- Look beyond CIA and Zero Trust: typical information security models such as confidentiality, integrity and availability (CIA) and Zero Trust don’t go far enough to protect your systems because they focus primarily on protecting your information rather than also protecting your devices, applications, and embedded systems. Incorporate trustworthy computing and machine identity management (encryption keys, digital certificates, secure silicon, digital IDs) into your security architecture across all functional areas of your security strategy.
Farallon Technology Group provides assessment, advisory and technology research services across embedded, IoT, industrial, and DevSecOps cybersecurity. Learn more about how we are helping our clients to accelerate their digital transformation strategy.
Great information and guidance. I would add that when scoping your DX strategy, it is also important to consider your customers’ compliance mandates for handling confidential data. Non-compliance can lead to lost, cancelled or delayed business.