Risk Management: Balancing Strategic Compliance Management with Tactical Vulnerability Management
Many organizations are finding digital transformation to be a driving force in fueling business innovation and creating a competitive advantage in the digital economy. However, as is the case with any new way of doing business, it carries a level of risk that needs to be understood and accepted by the business.
In speaking with our customers, we find that many are concerned about the same three topics:
- Increasing sophistication of cyber-attacks and the damage that these advanced threat vectors can cause
- Cost and complexity of regulatory pressures, whether industry specific like PCI, or government-led like GDPR
- Lack of in-house skills and process due to shortage of education and awareness, and limited mature adoption of cybersecurity frameworks
Taking a closer look: the real pressures behind the risk
Money, and in this case the threat of financial penalties for non-compliance, tends to speak loudest, so many of the security initiatives that are pushed down from board/senior management level tend to be compliance-led. However, whilst there is no doubt that being compliant is an important step towards cyber maturity, we've seen regulatory compliance evolving into a cost of doing business, so that security becomes compliance driven rather than business focused.
The main challenge with basing a security program around compliance is that compliance is often a point-in-time exercise, frequently associated with an annual assessment: whilst an organization might be compliant on the day of an assessment, this doesn't guarantee they are still compliant, or even secure, the following day. Indeed, Verizon's 2017 Payment Security Report told us that 45% of PCI-DSS certified customers needed further remediation within a month or two after certification.
One positive outcome of compliance-led security is that it very often frees up budget for the security department to "become compliant". Done correctly, this budget can help an organization to adopt an industry-accepted security management framework, for example ISO 27001/2 or NIST SP 800-53. Basing the security architecture and policies on accepted frameworks means that an organization is going to be better prepared the next time a compliance requirement comes along, and will also enable the organization to use its mature security position as a way to enable and innovate, rather than treating security as a tick-box exercise.
The true way forward
Taking a strategic, management-led approach to compliance and security will assist the security team in becoming allies to other departments, rather than a hindrance. By being involved in the business, the security team will have a better understanding of data assets, and in turn will be able to map these across to business risk. At HPE Pointnext, we have helped many customers to introduce and adopt security frameworks within their organization through the HPE Continuous Security Improvement Service. This service is anchored by an annual security controls assessment based upon ISO 27002:2013, giving customers a head start on preparing for the dynamic threat landscape, and ensuring the appropriate security controls are in place to deal with compliance and regulatory requirements.
However, especially in organizations where in-house application development is part of creating a competitive edge for the business, it's also critical to use tactical security controls as part of a technical-led approach to dealing with vulnerabilities. By adding members of the security team into the development process, for example as part of a DevSecOps initiative, vulnerabilities can be identified early in the software development lifecycle, saving time and money. But it's also important to be performing periodic and/or continuous assessments on production workloads, and that's where our partnership with HPE Pathfinder company Synack and the HPE Vulnerability Analysis Service is gaining a lot of traction with customers.
Our partnership, your advantage
Synack provides a crowd-sourced approach to penetration testing, allowing customers to open up their pen testing engagements to a much wider red team than they would normally be able to use when working with a local security partner. The advantages of this approach are clear: rather than working with a team of 5 or 6 local security experts, the Synack approach presents each job to a focused team of resources, typically around 50 to 60 researchers at any one time. Whilst the customer pays a flat fee, the researchers only earn their money when they identify a vulnerability in the target application, creating an incentive for them to work as quickly and efficiently as possible.
All of the Synack "Red Team" have been carefully vetted before being accepted to the program. This is one of the most detailed vetting procedures in the industry, taking up to 6 months to complete and including background as well as technical checks, with an acceptance rate of only around 10%. (Statistics provided by Synack based upon previous engagements.)
By blending both strategic and tactical controls together, organizations can benefit by harnessing a security framework to deal with the compliance-led security initiatives, as well as tactical penetration testing to help make enterprise software as resilient as possible from being exploited.
Get started today
If you'd like to hear more about HPE Pointnext's approach to strategic compliance management and tactical vulnerability management, please watch the video below, or join us at HPE Discover in Madrid for session B6896 on Tuesday 27th November at 11:00am.
SimonLeech
Simon Leech is a Certified Information Systems Security Professional with a specialisation in Security Architecture (CISSP-ISSAP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), Certified in Cloud Security Knowledge (CCSK) and working in the Worldwide Security and Risk Management Practice within HPE Pointnext Advisory and Professional Services. Simon is active on Twitter as @DigitalHeMan