Risk Management: Balancing Strategic Compliance Management with Tactical Vulnerability Management
Many organizations are finding digital transformation to be a driving force in fueling business innovation and creating a competitive advantage in the digital economy. However, as is the case with any new way of doing business, it carries a level of risk that needs to be understood and accepted by the business.
In speaking with our customers, we find that many are concerned about the same three topics:
- Increasing sophistication of cyber-attacks and the damage that these advanced threat vectors can cause
- Cost and complexity of regulatory pressures, whether industry specific like PCI, or government-led like GDPR
- Lack of in-house skills and process due to shortage of education and awareness, and limited mature adoption of cybersecurity frameworks
Taking a closer look: the real pressures behind the risk
Money, and in this case the threat of financial penalties for non-compliance, tends to speak loudest, so many of the security initiatives that are pushed down from board/senior management level tend to be compliance-led. However, whilst there is no doubt that being compliant is an important step towards cyber maturity, we've seen regulatory compliance evolving into a cost of doing business, so that security becomes compliance driven rather than business focused.
The main challenge with basing a security program around compliance is that compliance is often a point-in-time exercise, frequently associated with an annual assessment. Whilst an organization might be compliant on the day of an assessment, this doesn't guarantee that it is still compliant, or even secure, the following day. Indeed, Verizon's 2017 Payment Security Report told us that 45% of PCI-DSS certified customers needed further remediation within a month or two after certification.
One positive outcome of compliance-led security is that it very often frees up budget for the security department to "become compliant". Done correctly, this budget can help an organization to adopt an industry-accepted security management framework, for example ISO 27001/2 or NIST SP 800-53. Basing the security architecture and policies on accepted frameworks means that an organization is better prepared the next time a compliance requirement comes along, and it also enables the organization to use its mature security position as a way to enable and innovate, rather than treating security as a tick-box exercise.
The true way forward
Taking a strategic, management-led approach to compliance and security will assist the security team in becoming allies to other departments, rather than a hindrance. By being involved in the business, the security team will have a better understanding of data assets, and in turn will be able to map these across to business risk. At HPE Pointnext, we have helped many customers to introduce and adopt security frameworks within their organization through the HPE Continuous Security Improvement Service. This service is anchored by an annual security controls assessment based upon ISO 27002:2013, giving customers a head start on preparing for the dynamic threat landscape, and ensuring the appropriate security controls are in place to deal with compliance and regulatory requirements.
However, especially in organizations where in-house application development is part of creating a competitive edge for the business, it's also critical to use tactical security controls as part of a technically-led approach to dealing with vulnerabilities. By adding members of the security team into the development process, for example as part of a DevSecOps initiative, vulnerabilities can be identified early in the software development lifecycle, saving time and money. But it's also important to be performing periodic and/or continuous assessments on production workloads, and that's where our partnership with HPE Pathfinder company Synack and the HPE Vulnerability Analysis Service is gaining a lot of traction with customers.
Our partnership, your advantage
Synack provides a crowd-sourced approach to penetration testing, allowing customers to open up their pen testing engagements to a much wider red team than they would normally be able to use when working with a local security partner. The advantages of this approach are clear: rather than working with a team of 5 or 6 local security experts, the Synack approach presents each job to a focused team of resources, typically around 50 to 60 researchers at any one time. Whilst the customer pays a flat fee, the researchers only earn their money when they identify a vulnerability in the target application, creating an incentive for them to work as quickly and efficiently as possible.
All of the Synack "Red Team" have been carefully vetted before being accepted to the program. This is one of the most detailed vetting procedures in the industry, taking up to 6 months to complete and including background as well as technical checks, with an acceptance rate of only around 10%. (Statistics provided by Synack based upon previous engagements.)
By blending strategic and tactical controls together, organizations can benefit from harnessing a security framework to deal with compliance-led security initiatives, as well as tactical penetration testing to help make enterprise software as resilient as possible against exploitation.
Get started today
If you'd like to hear more about HPE Pointnext's approach to strategic compliance management and tactical vulnerability management, please watch the video below, or join us at HPE Discover in Madrid for session B6896 on Tuesday 27th November at 11:00am.
SimonLeech
Simon is Deputy Director in the HPE Global Security Center of Excellence. He is responsible for bringing together cyber experts from across HPE to support the vision of an open and secure edge to cloud platform, and works with HPE's enterprise customers worldwide, evangelising the strategy of HPE Global Security and articulating our "Secure by Design" and "Operationally Secure" principles. Simon has worked in the IT security industry for over 25 years and is well versed in many areas of IT security, including network security, operational security, malware, cyber threats, vulnerability management, hybrid cloud security, container security, zero trust security, and cyber resilience. Simon is active on Twitter as @DigitalHeMan.