AMS Blog

Strategic Approaches to Digital Platform Security Assurance

Written by Yuri Bobbert | May 12, 2021

Nowadays, it is impossible to imagine a business without technology. Most industries are becoming "smarter" and more tech-driven. We live in the era of the "platform society." For example, Coursera has become the world's most prominent online educator, collaborating with over 200 leading universities and companies. Platforms are becoming increasingly powerful and concentrate on collecting more and more data to cross-sell or upsell services. They range from small individual tech initiatives to complete business models with intertwined supply chains and "platform" based business models. New ways of working, such as Agile and DevOps, are being introduced, bringing opportunities as well as unknown risks.

These risks are not restricted to the technology domain; new challenges arise when teams work together in a distributed manner to deliver value at a higher pace and reduce time to market. We see smart cities emerge, and society is taking a more holistic view of the regulation of such high-tech developments.

New risks also emerge from a cybersecurity perspective: who protects our digital sovereignty and our "digital heritage"? Technology is no longer a domain shrouded in mystery; instead, it is an essential business discipline that is here to stay. Business schools worldwide are including cybersecurity in their curricula as new roles emerge, and HR professionals need to equip themselves with new insights into and understanding of these changing roles. It is also a professional discipline that has attracted the attention of analysts and supervisory boards.

During the Master research thesis phase of the MSc education at AMS you always discover talented people who can make a significant impact in their field of expertise. During 2018-2020 I was honored to supervise four talented business executives who did research in Digital Platforms, Distributed Agile and Software Development: Maria Chtepen, Dennis Verslegers, Tapan Kumar and Yves Vanderbeken. Their work stands out by its extensive examination of the academic literature as well as practitioner-oriented publications, and can contribute to new strategies for addressing the problem of securing digital industries. In addition to the literature examination, all four developed artefacts that business leaders can use to improve:

  • the design and building of digital platform-oriented businesses
  • ways of working in globally distributed agile teams (which seems even more important during lockdowns)
  • software pipeline architectures that pass audits and survive data breaches and hacks
  • methods for securing the technology stack in Continuous Delivery Pipelines to ensure safe software.

Together with these four alumni, I’ve written a new research book that addresses the significant problems that arise when transforming an organization by embracing an API-based platform model. It offers comprehensive Design Science Research approaches from the five of us to, on the one hand, extensively examine the problem and, on the other hand, offer pragmatic solutions that can serve both academia and practitioners. Every section discusses the status quo and current challenges, and formulates core success factors and approaches that academic researchers and businesses can use. The book follows the structure below.

Strategies in the Domain of Business Platform Models; Defining the Practices to Design a Perfect Government Business Model
by Yves Vanderbeken, DXC, Belgium

Business models are shifting towards technology-driven industries. In this first chapter we elaborate on the many business models that rely on technology and on how technology contributes to business goals, in this case those of governments. We specifically zoom in on governmental platform services and the key practices they should apply. We focus on this because tech-born companies have already made this step and are disrupting other business models. Governments still need to make this step, so examining which practices they should apply in order to remain relevant for citizens appears to be a relevant research lens.

This chapter examines critical success factors that we have turned into practices that every organization can apply immediately.

Strategies in the Domain of Agile Methodologies
by Tapan Kumar, Cognizant, The Netherlands

Establishing platforms increasingly happens in collaboration with multiple teams producing products. A challenge here is not to lose efficiency and create waste as a result of distributed teams working with multiple frameworks (LeSS/SAFe/Scaled Agile) and multiple regulatory requirements. This chapter examines the blind spots and efficiency factors. It proposes key practices to improve team efficiency while working in agile teams on platforms. These practices can be applied by practitioners or examined in more detail by academics.


Strategies for the Domain of CI/CD and DevOps on Security Compliance
by Maria Chtepen, BNP Paribas Group, Belgium & Yuri Bobbert, Antwerp Management School, University of Antwerp, Belgium, ON2IT Netherlands

Regulatory requirements vary by industry and country. Working with multiple teams on products requires proper alignment of frameworks, controls and architecture principles in order to be protected end-to-end throughout the connected platforms. This chapter examines the multiple compliance frameworks and architectural principles that can be applied to an agile way of working, and more precisely to CI/CD pipelines. It proposes key practices that practitioners can take into consideration.


Strategies for Security Assurance in DevOps
by Dennis Verslegers, Orange Cyberdefense, Belgium

When working in a more agile way to produce products that serve business goals, it becomes evident that this needs to be done securely and with risks under control. Working agile in small teams encourages autonomy of the team and the individual, and requires everybody to adhere to certain principles (e.g. the Agile Manifesto, security frameworks such as NIST, or best practices such as OWASP). This means each team should have clear guidelines and boundaries within which it can make decisions (e.g. implementing security, scalability or continuity measures) to develop and release code. This chapter examines current practices in the field and proposes key practices that enable speed and quality without losing money and efficiency. These practices are plotted on the SecDevOps cycle so that practitioners and scientists can work from it. The key practices are highly technical and directly applicable in real life.

Why and for whom is this book relevant?

This research book aims to contribute in several ways. It addresses the significant problems that arise when transforming an organization by embracing an API-based platform model (the function of the organization). It also goes in depth into making use of small(er) DevOps teams (the construction of the organization) and leveraging proven technological architectures (the design of the construction). This technology is built and maintained using software-based production streets, also referred to as Continuous Delivery Pipelines (the engineering of the design construction). This book aims to follow the thread from the function of our business all the way down to the basement of the individual organization (engineering), working in an ecosystem of platforms. This is needed because CEOs and CIOs need to provide reasonable assurance over this entire chain, down to the nitty-gritty details.

The field of digital transformation and the associated risk and security management is rapidly changing due to emerging technologies and upcoming regulations. Organizations want to ensure speed and quality of technology delivery in order to serve customers, citizens and other stakeholders. This book offers comprehensive Design Science Research approaches, brought to you by AMS researchers, to on the one hand extensively examine the problem and on the other hand offer pragmatic solutions (artefacts) that can serve both academia and practitioners. It formulates core success factors and approaches that academic researchers, as well as business researchers in the R&D departments of cybersecurity, IT audit and consulting firms, can use.

I personally found great joy in supervising the work of Maria, Yves, Dennis & Tapan, working together with them on this new research book, and enjoyed guiding them into making an impact in their further careers at Euroclear, BNP Paribas, Cognizant, DXC and Orange. Their topics, myself as promotor, but especially the Antwerp Management School brought them together. I hope this project inspires both students and professors at management schools.