Security digital transformation with James Kaplan

November 14, 2019 | in DevSecOps
| By Hayley Denbraver

As 2019 draws to an end, we are going to be looking back on some great episodes of our podcast The Secure Developer. This post is the first in the series, so keep your eye out for future installments.

The Secure Developer podcast is part of our vendor-neutral, security-education-focused community MyDevSecOps. The community, previously also known as The Secure Developer, meets virtually via our Slack group and virtual events, and in person at DevSecCon events around the world.


About our guest

James Kaplan is a partner at McKinsey & Company and co-leader of its cybersecurity practice. He’s been with the company for 20 years and is one of the lead partners in what they call “McKinsey Technology.” His specific expertise as a leader in the company’s IT infrastructure and cybersecurity service lines informed the topics discussed during a recent episode with the Secure Developer podcast.

In his role, James helps companies in various states of digital transformation and has used that insight to better understand how technology can be used to boost both business and security—and where the two overlap and intersect.

He believes cybersecurity is a business issue, not just a technology issue, and we agree. To that end, let’s dive into where companies are struggling and how they can execute a successful security transformation simultaneously with a digital one.

Old school cybersecurity: the ticketing problem

According to James, there are a few characteristics to look out for when it comes to identifying and improving what he refers to as “old school cybersecurity.” Many security systems are disconnected from the business and siloed. In these instances, security is layered on top, rather than designed into the business processes.

James calls this a “ticket-driven” system, meaning if the business or the rest of the technology function needs something from security, they make a request. Then, at some point in the future, the security team fulfills that request by responding to a ticket in an IT service management system.

This is a less than ideal approach for several reasons:

  • Complexity: It adds complexity to the environment. It leads to excess controls, which can add cost, degrade performance, and create compatibility issues.
  • Speed: It’s slow. Having developers constantly submit requests for security, then wait for answers, slows down the entire business.
  • Security Holes: When security is not woven into the business model, it’s often difficult to mitigate the most important business risks and protect the most valuable assets.

Change on the horizon

Fortunately, changes are coming. In fact, James sees three macro-level changes occurring in the industry. Let’s explore these.

Granular and analytical risk management

It’s important for security teams to develop relationships with the business that enable them to more clearly identify and analyze which risks are of most concern to the business. In doing this, security leaders are able to understand and quantify where the vulnerabilities are. Then, in a structured, quantitative way, they can make decisions about where the institution can most effectively “buy down the risk.” Taking a granular and analytical approach to risk management makes decision-making simpler and outcomes more impactful for the business.

Integrating security into the business value chain

Deeply integrating security into the business value chain helps build the right connections between security, IT, product development, marketing, and customer care. Ultimately, this creates a holistic experience for customers that is both secure and convenient.

This is made up of four main actions:

  • Being able to articulate the company’s security value proposition to their enterprise customers.
  • Taking an integrated view of potential security flaws across operational technology and information technology.
  • Building the capabilities to have visibility into configuration issues and potential attacks on the operational technology that runs a manufacturing process.
  • Interrogating suppliers about how they are safeguarding the company’s data and whether they are contributing to its risk.

Enabling technology delivery capabilities

James advocates for building security into Agile delivery processes. He also recommends identifying someone on the scrum team who can become the security champion, ensuring that key actions are integrated into development processes.

This covers everything from building the automations and services that let companies use the cloud securely, to transitioning security itself from a ticket-driven model to an API-driven one. Digital change in the security realm should shift the perception of security from a bureaucratic set of requests and responses to a set of highly automated services, for example around identity and access management.


To read more on Kaplan and his team’s work you can visit McKinsey’s website and look for McKinsey Technology or McKinsey Cybersecurity Practice, as they frequently publish content about their latest security thinking.

MyDevSecOps is committed to bringing excellent speakers like James Kaplan to both our virtual sessions and our podcast, The Secure Developer. If you are interested in learning more about all aspects of security, please consider joining the community.