Digital transformation and cybersecurity

3

Digital transformation is one of the major trends in business. In the journey of transformation, a lot of legacy applications, trends and approaches are modernized. What are the potential risks for cybersecurity in a digital transformation process? And how can we make sure that digital transformation is not creating new security risks?

Digital Strategy
Cyber-security
Digital Transformation
technology
Security
Cybercrime
Hitesh Mathpal
74 months ago

10 answers

2

Any transformation creates potential risks. New technologies mean new risks as well. What we can do is study the new security risks, looking for effective security solutions and trying to anticipate possible future threats.

Paolo Beffagnotti
74 months ago
Agreed, Paolo. I also think that the cybersecurity team / SME should be an active part of the strategy and project plan for digital transformation. Most of the time they come (or are invited) when everything is decided. - Hitesh 74 months ago
Agree with you, most of the time the cybersecurity team becomes part of the project when it is needed to patch a problem: too late! - Paolo 74 months ago
And I agree with your agreement. And to Hitesh's point, the CyberSecurity team is often invited or informed even more often after everything is done and it is now time to clean up the mess. This too must change. - Ross A. 74 months ago
Yes and after waiting too long, then the bigger the mess, the more time it takes to fix it - Paolo 74 months ago
Better late than never - Dr. David E. 63 months ago
yes sure thing, but what about the damages in the meantime? - Paolo 63 months ago
Not good - Dr. David E. 63 months ago
2

The potential risk is that the value drivers of the transformation - accessibility, agility, mobile workforce etc. - overwhelm the rational risk assessment and mitigation of cyberthreats; thus, during the process, transition trumps security.

Often operations teams are incented to deliver on the goals of the transition, and security becomes a "we'll deal with that later" problem. Having executive sponsorship from the CSO etc. helps temper that.

Simon Hunt
74 months ago
Agreed Simon. - Hitesh 74 months ago
DITTO - Dr. David E. 63 months ago
2

A few potential risks of digital transformation, not exhaustive:

  • Next-generation devices are now deployed in potentially vulnerable environments such as vehicles, hospitals, and energy plants, vastly increasing the risks to human welfare
  • Concerns about such devices being hacked, turned into botnets, and used to attack targeted computers and organizations are growing as well.
  • Vulnerabilities in the supply chain
  • Explosion of connected environments where perimeter protection is no longer enough
  • Building Visibility on Insider Threats
  • Understanding between the organization’s cybersecurity professionals and those who provide application security
  • Protecting Open Systems

Mayank Lau
74 months ago
2

Cybersecurity should be part of digital transformation. This is one way to address the risk before it actually occurs.

Charu Gulati
74 months ago
OK - Dr. David E. 63 months ago
1

Hitesh:

That is a big question and there is not enough space to list all of the potential risks. As Paolo mentioned, any transformation has a cyber security component and requires a focus on design, implementation, transformation, and operation. As an example, an organization will need to plan for compliance, downtime, and security posture. Leverage best practices, access to experts, and proven methodologies to ensure a successful outcome.

glenn gramling
74 months ago
True, Glenn. Do you think the participation of the cybersecurity team should be at the strategic and planning level as well? - Hitesh 74 months ago
Depends - Dr. David E. 63 months ago
1

If you wanted to list the individual risks, that would take a lot more space, indeed. I think that chain begins with a fairly simple beginning: secure by design, ergonomically balanced, user-enabling. There can be no question about the functionality and user-enabling aspects - the application will not be successful without proper attention to these attributes. But this must be achieved on balance with "security by design" - in the active threat environment, agents seek to take advantage of the huge number of poorly managed websites, and are seldom disappointed.

I think companies often leap ahead blindly because they are afraid they will not be able to capitalize on an opportunity fast enough, and find themselves lost due to poor planning. Companies that have staying power stay because they plan well and execute better. Companies that run into serious trouble, like Uber, do so because they move too fast and never take care of the basics that make for staying power. Our tech giants have it because they do the basics very well, and that frees them to move forward with their visions.

In our digital society, we cannot lose sight of these principles. At the pace it tends to move, doing that gives no quarter and takes no prisoners. My simple beginning is a beginning point precisely because the velocity we experience today will not allow us to "go back and clean up": we either do it right the first time or not at all, because we will not get a second chance. Designing your cybersecurity in is no longer the optional or "do it later" item it used to be. Things like HIPAA, FINRA, GDPR make clear that doing it from the outset is the only choice we have any more.

So, doing cybersecurity right from the beginning, as well as doing it correctly, is not only an enabler, but can be the pivotal technology that actually makes it possible to do it at all.

Ross A. Leo
74 months ago
Very well said, Ross. Strong basics always win. Your thought "Secure by Design" is a must. And as you said, "go back and clean up" is always a risk. I think the cybersecurity team and SME should be part of the strategy and project planning as well. Most of the time they are called in to be told "We have decided and now you see!". - Hitesh 74 months ago
Many thanks - Dr. David E. 63 months ago
1

I believe the biggest risk is privacy. Nowadays the mind prisons created by some governments like China are enormous. For example, they have a points system for their citizens that is kind of based on their good and bad deeds and affects their social status exponentially. There is no way to access that system, so that drives everybody to be very careful about what they do.

I don't mind credit Karma after I learned about that system.

So, back to the point. One's privacy is going to be a huge concern as people will have to buy fancy brands (e.g. Apple products) to guarantee their privacy, while normal people who buy Android devices are going to be exposed to vulnerability. Corporations need to dumb down the level of explanation for their users and spread awareness on how to eliminate vulnerabilities to everybody, regardless of the attack's/vulnerabilities' sophistication calculations, because it happens; everybody can learn anything on the web.

Amr M
74 months ago
I would add that much of what is smart and mitigative of risk frequently runs counter to the wants and pursuits of humans. This is a risk factor that amplifies the process and technology risks greatly and diminishes the effectiveness of security with equal effectiveness. When people, especially the more socially outgoing, want to share as much as these do, they are their own worst enemy. - Ross A. 74 months ago
We have seen the enemy - and he is us: POGO - Dr. David E. 63 months ago
1

Rule number one: Take Moore's Law of obsolescence into account from the start of any large digital transformation. All the gear and software you buy today will be "old" in a very short time, as far as the accountants are concerned. I think the approach is to scrutinize each purchase with Moore's Law in mind. Invest in the most flexible platforms in the market.

IT folks have to keep an eye on the horizon to see that the best upgrades for operations and cyber security are identified and demonstrated before purchase. How many of us bought Kaspersky for security? In hindsight it looks silly that we put our information in the hands of a Russian company. But I'm so old I remember the cold war, so I had a bit of a head start.

Careful purchases and constant examination of operations day-to-day are the answer to such a transformation.
Brian A. Cashman

Brian Cashman
74 months ago
You made some very good points, Brian. Agreed. Thank you. - Hitesh 74 months ago
The notion of "planned obsolescence" was already old by the time Rich made his observation (not a law). This program is still employed based on a 3-5 yr. refresh plan. The problem is that Moore's posit was based on electric circuit densities/processing speeds instead of functional/economic utility. Careful purchasing is always wise, but the transformation is method-based, not machine-based. - Ross A. 74 months ago
IRS depreciation tables - Dr. David E. 63 months ago
0

The issue with cybersecurity is that there is no be-all, end-all solution. What works today is hacked tomorrow. As mentioned before, no longer can something be made obsolete by a manufacturer without that being made known upfront. A secure solution needs to be cared for and fed constant updates, or it starts having cracks that make it non-secure. If a product is non-functional after a period of time (say a thermostat, water sprinkler or refrigerator connected to the net), that needs to be disclosed up front. My bet is that manufacturers will have to support the product a lot longer, once lawmakers understand what to do. Cyber security is a journey, not an endpoint.

James Barry
74 months ago
YES - Dr. David E. 63 months ago
0

It is equally important to think about the risks of not going this route. That brings risks due to the use of old technology (potentially not patched), but worse:

  • Rogue IT enablement of the old IT systems - quick and dirty, error ridden, full of security holes in a list so long I'm not even going to start
  • Social Engineering: for instance if these services are now going to be made available through human intervention. Entrance into systems via humans is one of the larger cybersecurity risks.

The above list contains just examples and is not intended to be exhaustive at all.

In conclusion: Doing nothing may potentially be more dangerous. Take that into consideration when you make a risk analysis.

Bart Groenewoud
63 months ago
There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know. - D. Rumsfeld - Dr. David E. 63 months ago
With rogue IT there are no known knowns. Only unknown unknowns. That's what makes it so dangerous. - Bart 63 months ago
Good insights - SCARY - Dr. David E. 63 months ago
I did a project for a financial institute some years back where the business departments had organized some rogue IT to circumvent what they considered limitations in the existing software. Result: security holes, unknown specifications and, worst of all, ultimately the whole company was dependent on this rogue IT... but did not know how to fix it, deal with it and ultimately how to replace it. - Bart 63 months ago
Now that's scary - Bart 63 months ago
Agreed; interesting story - Dr. David E. 63 months ago