The Cloud Experience Everywhere
SimonLeech

Ponemon Study finds strong linkage between high performing companies and cyber resiliency

This month the Ponemon Institute published the 2022 Global Report on Closing the IT Security Gap. It's the third time the study has been published, after previous reports in 2018 and 2020, and the third time that HPE has sponsored it.

I always enjoy reading the report and drawing my own conclusions from the data that is presented. It's a refreshing change from other studies, which look into the cost that cybercrime has on our ability to survive as businesses; this one instead looks at the preparedness of organizations to survive in a constantly changing threat landscape.

The study identifies nine best practices of 'high performing organizations', the 30% of survey respondents that Ponemon classes as highly effective at keeping up with the constantly changing threat landscape. I'll get into those in a moment, but first let's define what is actually meant by the 'IT security gap'.

The report defines the IT security gap as 'the inability of an organization's people, processes, and technologies to keep up with a constantly changing threat landscape. It diminishes the ability of organizations to identify, detect, contain, and resolve data breaches and other security incidents.' In other words, closing the gap is a question of how 'cyber resilient' an organization is. Cyber resiliency is something my HPE colleague and Distinguished Technologist Tim Ferrell and I have discussed in our article on the subject; it relates to an organization's ability to withstand a cyber incident without an unacceptable impact on operations. It's a natural evolution of traditional security models, which tended to focus on keeping the bad guys out, towards an acceptance that the bad guys are everywhere, breaches will happen, and therefore the defining factor in a security strategy is how you handle the inevitable.

So the difference between the high performing organizations and the rest of the organizations who responded to Ponemon's questions is how effectively they address cyber resilience. There are a few key takeaways that I noted when reading through the report that reinforce this:

  • High performing organizations say security technologies are very important for their digital transformation strategy. It should be clear by now that any organization contemplating a digital transformation needs to follow a 'secure by design' approach to security. By addressing security up front in a digital transformation, both costs and timelines are reduced, and effective threat modelling helps to shape the customer experience into one that lowers overall risk. At HPE we believe that customers are ready to address digital transformations via a 'Cloud Everywhere' experience, and this is central to our strategy for the HPE GreenLake edge-to-cloud platform. However, it's also very clear to us that whilst a customer can outsource their operations to a third party, they will never be able to fully outsource organizational risk. So it's critical for customers who choose to work with a partner that security is well represented during both the design and build phases and the run and operate phases of any project. At HPE, taking this approach allows us to demonstrate to our customers that we are reducing the level of risk introduced by outsourcing to a level that the customer can accept, and HPE security, risk, and compliance services help us to do this.

  • High performing organizations are more likely to implement a Zero Trust model. What surprised me most here is not the 38% of the sample who have a Zero Trust model, but that 39% of the sample are either not interested in implementing Zero Trust (21%) or feel that it is too theoretical to be implemented (18%). Whilst Zero Trust is certainly based upon a lot of theory, if an organization addresses it holistically, and treats it as a new approach to security architecture defined by the business rather than as a technical problem, then the benefits will be realized. Perimeter-based security models are no longer effective enough to keep all attacks at bay, and moving to a model where trust is explicitly verified rather than assumed from network location allows distributed organizational models to adopt a secure way of working. At HPE we've started to introduce the concepts of Zero Trust into our infrastructure products with technologies from Aruba, a Hewlett Packard Enterprise company, and HPE GreenLake Lighthouse featuring Project Aurora, but we've also developed a business-led consultancy model within HPE Pointnext to advise customers on how best to approach the adoption of Zero Trust.

  • High performing organizations are more aware of the benefits of automation. Among the customers we consult with, two major benefits stand out when talking about security automation. The first is the value of integrating security automation into build pipelines so that security becomes built in by design. We call this security transformation and modernization, and my colleague Mark Gilmor has written about exactly this. The second is the role of security automation in the SOC, which is central to the Managed Security service we deliver to our customers via HPE GreenLake Management Services.

I've only touched the surface of the data points in the study, and I encourage you all to download a copy for yourselves. How do you feel you shape up against Ponemon's definition of a 'high performer'? Is your organization proactively addressing cyber resilience to a level where you are confident that you won't become another statistic?

As always, if you're interested in finding out more about how HPE Pointnext Advisory & Professional Services can help you on your security transformation journey, please feel free to reach out to me or to your local HPE account manager.

About the Author

SimonLeech

Simon is Deputy Director in the HPE Global Security Center of Excellence. He is responsible for bringing together cyber experts from across HPE to support the vision of an open and secure edge-to-cloud platform, and works with HPE's enterprise customers worldwide, evangelising the strategy of HPE Global Security and articulating our 'Secure by Design' and 'Operationally Secure' principles. Simon has worked in the IT security industry for over 25 years and is well versed in many areas of IT security, including network security, operational security, malware, cyber threats, vulnerability management, hybrid cloud security, container security, zero trust security, and cyber resilience. Simon is active on Twitter as @DigitalHeMan.