Risk Management: Balancing Strategic Compliance Management with Tactical Vulnerability Management

Many organizations are finding digital transformation to be a driving force in fueling business innovation and creating a competitive advantage in the digital economy. However, as is the case with any new way of doing business, it carries a level of risk that needs to be understood and accepted by the business.

In speaking with our customers, we find that many are concerned about the same three topics:

• Increasing sophistication of cyber-attacks and the damage that these advanced threat vectors can cause
• Cost and complexity of regulatory pressures, whether industry specific like PCI, or government-led like GDPR
• Lack of in-house skills and process due to shortage of education and awareness, and limited mature adoption of cybersecurity frameworks

Taking a closer look: the real pressures behind the risk

Money, and in this case, the threat of financial penalties for non-compliance, tends to speak loudest, many of the security initiatives that are pushed down from board/senior management level tend to be compliance-led. However, whilst there is no doubt that being compliant is an important step towards cyber maturity, we’ve seen regulatory compliance evolving into a cost of doing business, so that security becomes compliance driven, rather than business focused.

 The main challenge with basing a security program around compliance is that compliance is often a point in time exercise, frequently associated with an annual assessment – whilst an organization might be compliant on the day of an assessment, this doesn’t guarantee they are still compliant, or even secure, the following day. Indeed Verizon’s 2017 Payment Security Report told us that 45% of PCI-DSS certified customers needed further remediation within a month or two after certification.

One positive outcome of compliance-led security is that it very often frees up budget for the security department to ‘become compliant’. Done correctly, this budget can help an organization to adopt an industry-accepted security management framework, for example ISO27001/2 or NIST SP800-53. Basing the security architecture and policies on accepted frameworks means that an organization is going to be better prepared the following time a compliancy requirement comes along, but will also enable the organization to use the mature security position as a way to enable and innovate, and not just treat security as a tick box exercise.

The true way forward

Taking a strategic, management-led approach to compliance and security will assist the security team in becoming allies to other departments, rather than a hindrance. By being involved in the business, the security team will have a better understanding of data assets, and in turn will be able to map these across to business risk. At HPE Pointnext, we have helped many customers to introduce and adopt security frameworks within their organization through the HPE Continuous Security Improvement Service. This service is anchored by an annual security controls assessment based upon ISO 27002:2013, giving customers a head start on preparing for the dynamic threat landscape, and ensuring the appropriate security controls are in place to deal with compliancy and regulatory requirements.

However, especially in organizations where in-house application development is part of creating a competitive edge for the business, it’s also critical to use tactical security controls as part of a technical-led approach to dealing with vulnerabilities. By adding members of the security team into the development process, for example as part of a DevSecOps initiative, vulnerabilities can be identified early on in the software development lifecycle, saving time and money. But it’s also important to be performing periodic and/or continuous assessments on production workloads, and that’s where our partnership with HPE Pathfinder company Synack and the HPE Vulnerability Analysis Service is gaining a lot of traction with customers.

Our partnership, your advantage

Synack provides a crowd-sourced approach to penetration testing, allowing customers to open up their pen testing engagements to a much wider red team than they would normally be able to use when working with a local security partner. The advantages of this approach are clear – rather than working with a team of 5 or 6 local security experts, the Synack approach presents each job to a focused team of resources – typically around 50 to 60 researchers at any one time. Whilst the customer pays a flat fee, the researchers only earn their money when they identify a vulnerability in the target application – creating an incentive for them to work as quickly and efficiently as possible.

All of the Synack ‘Red Team’ have been carefully vetted before being accepted to the program. This is one of the most detailed vetting procedures in the industry, taking up to 6 months to complete and including background as well as technical checks, with an acceptance rate of only around 10%. (Statistics provided by Synack based upon previous engagements)

By blending both strategic and tactical controls together, organizations can benefit by harnessing a security framework to deal with the compliance-led security initiatives, as well as tactical penetration testing to help make enterprise software as resilient as possible from being exploited.

Get started today

If you’d like to hear more about the HPE Pointnext’s approach to strategic compliance management and tactical vulnerability management, please watch the video below, or join us at HPE Discover in Madrid for session B6896 on Tuesday 27th November at 11:00am.