Plugging the gaps in digital transformation

The appetite for digital transformation (DX) is certainly high with around three quarters of global businesses listing it a top IT priority last year. But this hunger is also causing businesses to run before they can walk, and in their haste some of the key steps to success are being left untrodden.

This was one of the key issues explored at Infosec Europe 2023 during a CISOs’ digital transformation session. “Prioritise transformation,” advised David Cartwright, CISO and head of technology operations at banking giant Santander.

“There are so many instances where I see people say ‘we’re going digital’, without actually thinking what that means,” he added.

At Europe’s largest information security event held in Excel London last month, a panel of four C-suite execs discussed the nuts and bolts of DX, outlining the core components for a framework that they claim works.

Double-edged sword     

It’s widely acknowledged that the Covid-19 pandemic led to substantial change in the way companies functioned digitally in just a matter of months.

The secret ingredient to this success, according to Cartwright, was that businesses learned to operate in a more agile way, changing things incrementally, often based on what would return the most investment.

A drawback to this quick transformation, however, is that firms weren’t prepared for new threats, new infrastructure or software challenges and didn’t have the capabilities to deal with them, as fellow panellist Anil Varghese, senior operating advisor at Francisco Partners pointed out.

Camilla Winlo, head of data privacy at professional services company Gemserv, added that often businesses make the mistake of discarding the human aspects of  DX projects.

Predicting the needs and behaviours of employees and customers, as well as how they might interact with a new system, should be considered as part of the transformation plan. The data privacy head also urged businesses to weigh up the risk of a transformation project in terms of staff and the end user.

In terms of GDPR legislation, which was introduced five years ago, organisations need to ensure projects are secured, data is available and processes aren’t impacted during transformations.

Cartwright recalled to delegates an incident where a contact centre nearly gave someone’s personal data away. “I said to them, ‘Why was this employee even allowed to see their data?’ The company said ‘it’s our fault isn’t it? We shouldn’t have made that possible…’”

Employee buy-in

Failing to onboard all employees with DX training is another common mistake, according to Winlo who added that while around 90% of employees actually complete a programme most are eventually let loose on the new system – which inevitably leads to errors.

The solution, Cartwright said, lay with getting users involved from day one: integrate employees at the start of a project so they can help design it –  whether it be advising on workflows, any friction points etc – and this can also reduce the overall amount of training staff require.

One thing at a time

CrowdStrike’s CTO Zeki Türedi recommended taking the time to ensure digital strategies are developed correctly instead of implementing one project after the other.

Cartwright recalled working with a large telco based in the US that acquired a number of organisations. At one point the company had to stop and take stock because it realised none of the many technologies they had accrued integrated with each other.

“There comes a point where you have to make the exec and the board understand that we can’t just go at break-neck speed forever. We have to pause for breath,” he said.

The Santander exec believes that the secret sauce to digital transformation was in doing things in manageable chunks “because sometimes something turns out not to work”.

From a data protection perspective, for instance, failing in an agile way means that businesses are able to contain the impact of this failure.

While some may define failure as a project falling on its knees, according to Cartwright it doesn’t have to be that catastrophic. It could just be about discovering that actually something turned out to be too slow, and businesses can only discover this once a project has been greenlit.

For Türedi, it’s about identifying what’s not working, dealing with it as quickly as possible and communicating with those involved “because the last thing you want is still be working on a project that fails six months later because you didn’t fix it.”

Cartwright added that businesses should also communicate what’s working and what’s not with customers, as well as what the potential impact might be. “Communicating with the right people will make the difference and this should be predicted before a project is underway.”