How to avoid the security debt

In the race to digitisation, those that invest most take the spoils – the top 10% winning some 80% of revenues in their sector. But the faster your company evolves the greater the security threat as new areas of risk open up. This is the security debt, where protection measures don't keep pace with the growing use of new technologies. But avoiding the debt in the first place will pay off, says Thorsten Stremlau, Lenovo’s CTO Commercial Space. 

Digitisation pays. You’ll know that, if you’re one of the companies investing in it. You have the competitive advantage, picking up the majority of revenues in your industry.
So, why are we not all doing it? In particular, why in Europe are we lagging behind the rest with only 18% of companies fully investing in digitisation?
Currently, we’re at the centre of a perfect storm. Employee rights and data privacy regulations, like GDPR, make it difficult to jump right in and transform your company. Add to that the previous lack of investment and constant pursuit of annual reductions in IT budgets. The only option for CIOs is to extend the life of their legacy systems. 
Compare that with countries where regulation is less restrictive, such as China. They have a culture of change that’s developed by introducing regulation that encourages digital transformation, while relaxing regulations that don’t.

Any spare QR code?
It is even evident on the street. Regulation has created a cashless economy where small traders or even beggars get payments and ‘spare change’ by accepting QR codes.
But this is only the beginning.
While digital transformation offers a first-mover advantage today, companies will need to keep evolving to maintain that difference.
Just as the move to the cloud and online trading revolutionised the way companies did business in the early 2000s, we’re now at the next level in a digitisation arms race.

The result is that intelligent business transformation should be our number one priority today.
It’s central to any new business model.

Shop, don’t stop
Take the revolution in retail experience that’s highlighted by Amazon Go stores and our own checkout-free prototype stores in China.
Walk into the stores and artificial intelligence with camera surveillance will monitor what you take off the shelf. There’s no scanning, no stopping at a pay point.
Similarly, companies are looking for new models where they can extend the customer experience. For example, an entertainment park in the US, where visitors typically spend a day – and up to $1000 – wanted to extend the experience a week or two either side of the customers’ visit.
This was intended to make customers enjoy the experience more, while generating new revenues. Among the ideas were arm bands that would double up as messaging apps, customised T-shirts from rides, and so on.


Getting into (security) debt
But as your company evolves you are open to greater risk.
The wearable tech you may have introduced to provide a better customer experience is storing someone’s private information that can be hacked. 
Similarly, with a cloud platform or the employee-free retail store, the security issues and data privacy concerns are greater.
Besides the traditional questions of how to protect against viruses and manage security patches, there are new issues. How do you protect user data? How do you make sure you don’t violate any privacy regulations?
When you’re under pressure to transform digitally and move faster in the market, it’s easy to take shortcuts, such as not putting any security measures in place right from the start.
This is the security debt.
You can get to market faster, and fail faster, at lower cost. But you also run the risk of much greater cost later, through data loss, hack attacks or other problems that can destroy the company and its reputation. Even if you have the good fortune to avoid such difficulties, retro-fitting security to successful new business models is around ten times more expensive than having security built-in from launch.

Getting out of (security) debt
The best way to avoid this security debt is not to incur it in the first place.
Any new business launch should include security measures that follow the DIODe principle adopted in Lenovo’s own end-to-end security solution, ThinkShield.
This provides companies with data protection, identity protection, online protection and protection on any device they’re using.
But risks change as rapidly as business models – and security solutions have to evolve just as quickly, as I’ll show in my next blog.
In the meantime, join the discussions to hear more about how you can avoid the security debt.

Thorsten Stremlau

CTO and Senior Engineering Staff Member, CISSP

Commercial Portfolio, Intelligent Devices Group, Lenovo


Thorsten Stremlau is a Senior Engineering Staff Member and CTO within Lenovo’s Intelligent Devices Group PC & Smart Devices business.  He is responsible for technical strategies for devices, software and cloud services globally.  In this role, Thorsten identifies and drives integration of current and future technologies, integrating them into the product development processes, and specifically drives innovation into the security capabilities of Lenovo’s commercial portfolio.

Thorsten has been part of TCG (Trusted Computing Group) from its inception and has helped drive acceptance of the TPM products for security in EMEA and many parts of AP.

Thorsten’s career has been dedicated to identifying solutions and strategic implementations for Lenovo’s customers in all aspects of IT.  As an engineer in both IBM and Lenovo for nearly 25 years, his broad experience enabled him to assist thousands of our customers to digitally transform their environments using Lenovo technology.

Thorsten holds a Bachelor in Industrial Manufacturing/Finance and Electrical Engineering.  Thorsten lives in Morrisville, North Carolina with his family.