As the momentum of DX (digital transformation) increases, many people who are interested in promoting DX are worried that they can not take a step forward due to security concerns .
DX is the transformation of an organization using digital technology. In order to make this big change, you want to take a safe and sure way.
Security is very important in promoting DX. In the reform of DX, it is necessary to review the existing security system.
In this article, we will introduce the security necessary to promote DX.
Table of contents
- Security in DX
- Important points of security in DX
- Eliminate internal and external boundaries
- Accidents caused by security deficiencies
- Traditional DX security challenges
- little interest
- No internal or external boundaries
- Shortage of security personnel
- New Security Measures in the DX Era | Zero Trust Security
- Solutions for Zero Trust Security
- Three points to keep in mind when considering DX security
- Importance of access control
- Balance of convenience and security
- Securing security personnel
- DX Security Human Resource Development Method
- External training
- Securing human resources overseas
Security in DX
In the graph, the vertical (Impact) represents the severity, and the horizontal (Likelihood) represents the probability of occurrence.
On the right are various risks.
Serious Organized Crime Organized Crime
Environmental Hazards Natural Disaster
Human and Animal Health Infectious Disease
Societal Risks Social Risks
For this reason, security is important, and even more important in DX.
Until now, business systems have been operated on servers and databases installed in the company network. Even with advances in digitization, it was common for externally collected data to be used after being aggregated into a database on the internal network.
However, the amount of data that is an important point in promoting DX is increasing explosively due to IoT , cloud computing, and the evolution of devices, and it is physically difficult to aggregate all this data. It’s becoming
To do this, it is necessary to collect, store, and analyze data in various locations, from gateways that connect to networks to data centers and clouds where servers and databases are located.
Due to these changes in the environment in which data is handled, it has become easier than ever to be targeted by cyberattacks. For this reason, it is necessary to change measures for cyber security.
Important points of security in DX
Security in DX has two important points: ” removal of internal and external boundaries ” and ” accidents caused by security deficiencies .”
I will explain each.
Eliminate internal and external boundaries
Due to the influence of the new coronavirus, many companies have switched their operations to telework. This change in the business environment is closely related to security.
Until then, employees who had accessed data by connecting to an internal network that was cut off from public networks began to access data from outside the company due to telework.
Until now, security systems have been designed to crack down on unauthorized access from outside the company. However, the number of accesses from external networks using VPNs, etc. has increased, making it more likely that unauthorized access via employee computers will occur .
Therefore , the conventional system lacks security, so it can be said that a review is necessary.
Accidents caused by security deficiencies
In fact, there are cases where accidents occur due to inadequate security in companies. A typical example is information leakage .
DX accelerates the movement to digitize various data, but due to lack of security, there have been incidents where such data was unintentionally leaked to the outside.
Leakage of personal information is a serious problem that develops into credibility issues for organizations because the information is sometimes misused . In order to prevent such a situation, a review of security is required.
Traditional DX security challenges
Conventional security has three problems: “lack of interest ” , ” no boundaries between inside and outside the company “, and ” lack of security personnel “. I will explain what each of these challenges was.
A survey of companies in Japan, the United States and Singapore reveals that Japanese companies are less concerned about security than their counterparts in other countries.
First of all , there are currently few CISOs (Chief Information Security Officers) .
The result is about 50% for Japan , compared to about 85% for the other two countries .
The CISO is the person responsible for overseeing information security and has executive-level authority.
As security measures become one of the management strategies, it is necessary to take measures while coordinating with each department rather than entrusting security to only a few departments. In such a case, the CISO is responsible for coordinating each department and implementing security measures .
In addition, it is said that Japanese companies have a small budget for security and new measures .
Among IT-related budgets, 30% of Japanese companies allocate more than 10% to information security-related budgets, which is far from the 70% of the other two countries.
In addition, among the information security-related budgets, only 20% of companies in Japan are allocating 10% or more to the introduction of new measures, compared to over 60% in other countries.
From this, it can be said that Japan is not putting much effort into security .
Furthermore, we are lagging behind in responding to the GDPR (EU General Data Protection Regulation) .
While over 70% of companies in other countries have responded, are currently responding, or are considering responding, about 25% in Japan, and about 30% feel that they do not need to respond .
Some companies may think that GDPR is irrelevant to them because it is a regulation set by the EU. However, this may also apply to companies that use the data of users residing in the EU .
For this reason, companies in the United States and Singapore outside the EU are also taking such measures.
Looking at these data, it can be said that Japanese companies do not have enough interest in and measures for information security compared to companies in the other two countries .
Quote: Nomura Research Institute, Ltd. | An era where security becomes a management strategy
No internal or external boundaries
With conventional systems, security holes are created when DX is introduced. This is due to changes in how data is accessed .
Before the introduction of DX, many companies adopted a security system called perimeter security (perimeter model ).
Perimeter security builds internal systems in an on-premises environment .
On-premises is a method of installing and operating equipment such as servers and communication lines in facilities such as offices, separated from public networks.
On the contrary, there is a form of cloud that uses services via the network.
Employees have been working by accessing the system from terminals installed in such an on-premises environment. For this reason, there is a clear boundary between inside and outside the company, and the conventional security system was to protect this boundary and monitor the inside of the company .
However, due to the spread of telework, employees are now accessing the system from outside the company. By using a VPN, you can easily access the company network from anywhere, so at the same time, it may be intruded using the employee’s terminal or network .
In addition, as DX is promoted, some companies are migrating their systems from on-premises environments to the cloud .
With these changes in the business environment, the boundaries between inside and outside the company have disappeared, making it possible to invade and attack in ways never before possible .
Shortage of security personnel
As DX becomes necessary, there is a shortage of human resources. The problem is particularly serious in Japan, where about 90% of Japanese companies are said to be facing a shortage of security personnel.
According to the Ministry of Economy, Trade and Industry, there will be a shortage of about 170,000 IT personnel in 2015, and about 430,000 in 2025.
The main reason for this shortage of human resources is
- Retirement and aging of mainframe workers
- Lack of people who understand old programming languages
- Insufficient supply of cutting-edge IT human resources
There are three.
In order to solve this shortage of human resources, it is necessary to “obtain the cooperation of human resources with specialized knowledge through outsourcing,” “think about personnel strategies from a medium- to long-term perspective,” It is important to secure a reasonable budget.
Furthermore, in addition to the above three, automating security operations themselves will also be required to solve this shortage of security personnel.
New Security Measures in the DX Era | Zero Trust Security
” Zero trust security ” is currently attracting attention in order to respond to the changes in the environment explained above .
Unlike traditional systems, Zero Trust security approaches security with the mindset of not trusting all accesses . In the past, the internal network was separated from the outside world, and trust was placed not only outside the company but also inside the company.
However, in response to the disappearance of this boundary between inside and outside the company, there is a shift to “zero trust security” that protects various information inside and outside the company by setting up various authentication systems without trusting any access .
Solutions for Zero Trust Security
There are four solutions for zero trust security:
- Endpoint security
- network security
- cloud security
- Security monitoring and operation
I will explain each.
Endpoint security is the most important measure in implementing Zero Trust security.
Endpoint security refers to measures to protect terminal devices (endpoint terminals) connected to a network, such as PCs and servers, from threats . In the past, endpoints built inside the corporate network were protected as a whole by protecting the perimeter.
However, with the promotion of DX, these will be distributed inside and outside the company, so it is necessary to equip each with security functions.
Endpoint security mainly includes solutions such as MDM, EPP and EDR.
- MDM (Mobile Device Management)
MDM is a system that manages the system settings of the device .
Since it is possible to remotely add, update, and restrict functions of applications and systems, it is possible to centrally manage the system of terminals used in an organization.
In addition, solutions equipped with GPS functions, as well as functions to remotely lock or erase data when lost, have appeared.
- Endpoint Protection Platform (EPP)
EPP is a solution for protecting devices from threats .
This makes it possible to detect and remove malware.
A service that can detect subspecies and new types of malware is also being developed with a malware detection engine that utilizes AI.
- Endpoint Detection and Response (EDR)
EDR is a solution for responding quickly and minimizing damage when a terminal is attacked .
In the event of an emergency, damage can be minimized by quickly detecting attacks, isolating malware, identifying routes and extent of damage, and restoring devices.
Traditionally, VPNs have been used to connect endpoints to internal networks.
However, intrusions by attackers via VPN allow unauthorized access to the entire corporate network .
Network security is important to prevent such incidents.
- Zero Trust Network Access (ZTNA)
ZTNA is a cloud version of a VPN .
Furthermore, even after accessing via ZTNA, the systems that can be connected are regulated in detail, and the access by authorized locations, devices, and users is closely monitored.
- SWG (Secure Web Gateway )
SWG is a solution that can further enhance the security effect by using it together with ZTNA.
A solution for filtering unwanted software and malware when accessing websites .
In promoting DX, many companies are migrating their internal systems to the cloud.
Since necessary information is gathered in this cloud, it must be protected by taking various security measures.
- IAM (Identity and Access Management)
IAM is a system that permits access after performing user authentication, device authentication, and personal authentication .
Furthermore, access rights are kept to a minimum and limit the number of accesses.
Verify the user by ID, then check if the device is registered, check if there is anything suspicious about the security status and location of the device, and if it is operated by an authorized person To do.
- CWPP (Cloud Workload Protection Platform)
CWPP is a solution for centrally managing multiple cloud services .
As a result, in addition to being able to collectively monitor and protect the various cloud services used by each department, it is also possible to automatically detect access to cloud services that the administrator does not know about.
- CSPM (Cloud Security Posture Management)
CSPM is a solution that inspects the configuration of multiple cloud services .
You can always maintain high security by detecting vulnerable settings in each cloud and evidence of account hijacking.
Security monitoring and operation
Zero Trust security assumes that you authenticate often and are always vigilant.
To do that, you need a solution that automatically monitors and operates your security system .
Automation can reduce the burden on security staff and detect problems instantly.
- SOAR (Security Orchestration, Automation and Response)
SOAR is a solution that enables efficient monitoring and handling of security incidents .
There is a limit to how many security incidents can be dealt with manually. Therefore, by using SOAR, security operations can be partially automated, and security operations can be handled efficiently.
Three points to keep in mind when considering DX security
The following three points should be kept in mind when considering security.
- Importance of access control
- Balance of convenience and security
- Securing security personnel
I will explain each.
Importance of access control
DX also diversifies access to data. Therefore, managing access rights is the key to security.
By authenticating the ID, device, and operator of the user attempting to access, it is possible to prevent intrusion through unauthorized access or hijacking .
Furthermore, in preparation for an intrusion, it is important to finely regulate user access rights to minimize damage .
Balance of convenience and security
In the conventional perimeter type, authentication was only performed at the entrance, but in Zero Trust Security, the number of authentication stages has increased significantly in order to strengthen security.
In this way, when enhancing security, some convenience may be lost .
Therefore, it is necessary to formulate a management strategy that considers the balance between convenience and security according to the current situation of the company .
In the report by JCIC, it is divided into four balance types and their characteristics are summarized. You can answer the presented questions with YES or NO, and you can diagnose which type your company is based on the number of answers.
It is important to use these tools to review the balance between security and convenience of your company in order to formulate a strategy that looks ahead to the post-corona era .
Quote: JCIC | Rebalancing Convenience and Security for 2025
Securing security personnel
What is Security Human Resources?
Security in promoting DX requires security personnel.
Security personnel are defined as follows in reports by the Ministry of Economy, Trade and Industry and IPA.
Among the human resources responsible for the security system, we define “security human resources” as those who are responsible for operations and roles whose main purpose is security measures. In the ITSS+ (security area), “security management (CISO)”, “security management”, “security audit”, “vulnerability diagnosis / penetration test”, “security monitoring / operation”, “security research analysis / research and development” It is equivalent to human resources responsible for each field.
In other words, personnel who specialize in security measures for an organization are called security personnel.
Quote: Ministry of Economy, Trade and Industry, Information-technology Promotion Agency, Japan | Guidelines for building a cyber security system and securing human resources
According to the Ministry of Internal Affairs and Communications, the demand for security personnel in 2016 was 281,000, but there was a shortage of 132,000 . Furthermore, as of 2016, SMEs are estimated to have a shortage of up to 156,000 workers, and it is said that this shortage will increase year by year .
Quote: Ministry of Internal Affairs and Communications | Current Status of Cyber Security Human Resources in Japan
“Plus Security Personnel”
In recent years, “plus security human resources” have been attracting attention.
Plus security human resources are human resources who have knowledge and skills related to security measures while being responsible for work other than security measures .
The promotion of DX has changed the way we work, and it is now necessary for all employees, not just some departments specializing in security, to take thorough security measures .
By cultivating plus security human resources with security literacy and basic skills, we can reduce online accidents and operate safely.
DX Security Human Resource Development Method
Here, as a method of training DX security human resources,
- External training
- Securing human resources overseas
I will introduce three of them.
In order to develop security human resources, it is necessary to learn skills from people and institutions with specialized knowledge.
Companies that provide information security training services have become widely recognized through the promotion of DX.
Some of them can be taken in one day, and there are also services that you can participate in online. By incorporating such training in companies, it is possible to develop security personnel.
By taking and passing the exam, you can improve the skills of your employees and visualize their level.
Examinations related to security human resources include national qualification examinations such as the Information Security Support Specialist Examination and the Information Security Management Examination .
Overseas, there are private exams such as CISSP (Certified Information Systems Security Professional), and you can prove your skills internationally.
Securing human resources overseas
Currently, there is a shortage of security personnel in Japan. Therefore, there is a means to secure such human resources from overseas.
Hiring people with specialized knowledge and a wealth of work experience will make them immediately effective, and it is also useful for in-house training.
What did you think.
When considering the promotion of DX, security issues are extremely important and can be said to be a barrier that cannot be avoided. How about reviewing the current security system with reference to this article?