Securing an AI-Centric Digital Transformation
- Stephen Marchewitz
- Jul 22
Digital Transformation has become a hot term again in 2025, with the exponential interest in Artificial Intelligence. Company leaders mention that they are “becoming digital, innovating in the digital world, building AI strategies, and transitioning to a digital or AI-based company.” The main benefits are that it makes a business more efficient and agile in the pursuit of greater profitability. Using technology, especially AI, provides an opportunity to reach customers in various ways and to improve the customer journey, turning customers into loyal users of a product and promoters of a company. The threat is that if you don’t transform, you’ll be disrupted out of business.
But as companies expand their use of AI for transformation, the risks to cybersecurity increase significantly. Large Language Models (LLMs), generative AI agents, predictive algorithms, and real-time automation create new attack surfaces—many of which traditional security strategies don’t cover.
The basics
That’s all well and good, but what does digital transformation actually mean? A few years ago, several folks and I got together to define Digital Transformation. We came up with a definition and the core capabilities needed. We didn’t get to move it too far beyond discussion, but here’s how we defined it:
Digitalization: Using technology to define, differentiate or enable an organization’s strategy to achieve desired outcomes.
In addition, we noted that there were four capabilities necessary to achieve the type of digital innovation essential for organizations to have a “digital business.” The four core capabilities needed are:
Hyper-aware (See all, know more)
Informed decisions (Make better choices)
Fast Execution (Stay ahead of the curve)
Mitigated Risk (Trust that we’re safe and secure)
For a little more detail, we’ll review below:
1. First off is allowing the business to be hyper-aware. That is, the organization can see all there is to see about their business and the customer impact and “know” more than anyone else about those customers. This means the ability to get more data from more places, including traditional and advanced internal sources, new technologies (like the Internet of Things), and previously unrelated or unknown external sources such as data analytics providers.
The AI Impact: But with AI models ingesting massive volumes of data, organizations must now also be hyper-aware of where their data originates, how it's being processed, and how models may be exploited (e.g., via prompt injection, model inversion, or data poisoning). Zero trust principles and continuous monitoring of model inputs and outputs are no longer optional—they're foundational.
2. Secondly, executives need to develop their business strategy not just initially but continuously. This involves making more frequent decisions to leverage feedback from the outcomes of those decisions. Strategy is about choice. To make wise choices among the multitude of options available, relevant information and intelligence must be synthesized in increasingly complex ways.
AI Impact: The "insight" derived from AI is only as good as the integrity of the system producing it. If adversaries manipulate training data or poison public datasets, it can lead to catastrophic decision-making. Secure model training, provenance tracking, and explainability in AI outputs are now key to trust.
3. Thirdly, once you make those choices, you must execute quickly to gain first-mover advantages or, depending on the organization's state, potentially to keep pace with competitors. Generally, executives want to stay ahead of the curve in business, with that curve being the precipice of exponential growth.
AI Impact: AI enables acceleration, but it also introduces automation risks. Without proper governance, an AI system might unintentionally act on flawed assumptions or biased data. Security protocols must be built into every stage of execution—from the model to the infrastructure to the human-AI interface.
4. And finally (isn’t security always last?), the business must be able to trust that all stakeholders are safe and secure in any interaction with the company. That means executives, employees, and customers feel comfortable moving forward toward mutually beneficial goals. It’s really about mitigating the risk for the organizational ecosystem.
AI Impact: With AI, risk management now includes adversarial AI threats, intellectual property leakage, shadow AI (unauthorized AI usage), and insider misuse. Companies need not only endpoint and network security—but AI-specific threat modeling, ethical use policies, and internal AI security audits.
Interestingly, in a study published by Cisco several years ago, nearly 40% of executives stated that they had stopped mission-critical initiatives due to cybersecurity issues, and 71% said cybersecurity concerns were impeding innovation in their industry. Fast forward to 2025, with the rash of ransomware and fraud that has gripped the world, one can only imagine what the percentages would be.
Give ‘em what they want
From a security professional’s standpoint, we have to give the different functions in the business (including ourselves) what’s needed to enable the business to grow with as little friction as possible. So, what do teams want in digital transformation initiatives? Starting with security and IT, they want early inclusion in projects to help determine security needs. Risk and Compliance teams want line-of-business initiatives to be fully compliant and risk-aligned, meaning the potential for reward is greater than the risk of loss in the endeavor. And lines of business (LOBs) want the project team to take care of the security details speedily and without trouble.
The great thing about the line-of-business folks is that if the project is a business-critical one (like digital transformation would be), they have money. Yes, they demand security to be business-enabling, but they’re willing to pay for getting what they want.