As demand for digital engagement across workforce, partner, and customer personas expands the threat landscape, security breaches and incidents make headlines daily. Achieving operational agility, or more accurately "adaptability", across an organization is difficult, yet essential. When security is layered in to address customer data, intellectual property, and critical infrastructure and systems, it is even tougher.

Business model and IT (Information Technology) transformations in and of themselves are complex. They require a multi-discipline approach and often need to be implemented while supporting "business-as-usual" activities and operational continuity. More importantly, they require organizations to be flexible while managing the inherent risk of transformation and the residual risk from their legacy operating model. Today, mature security practices are demonstrating adaptability by driving and supporting the integration of third-party applications, adopting multi-cloud IT ecosystems, and orchestrating day-to-day operations without degrading their security posture.

Driving security transformation

Security transformation is not just about technology. It also incorporates organizational structure and design, culture change, talent acquisition and enablement, and operating model adaptation. As such, I'll start with the functional areas and key capabilities that drive security transformation.

Recognizing that security is a broad topic, here are some key capabilities and features that are essential to a successful security transformation.

Risk and compliance

Two areas of critical importance within the risk & compliance area are risk management and security governance. These require particular attention to implement a successful security transformation.

Risk management

The risk management landscape is changing in several significant ways:

- Risk management is garnering focus at the strategic objective level, meaning organizations are acutely managing the inherent and residual risk associated with business imperatives and their implementation (and Day 2 operational) approaches.
- Risk is being integrated into the IT operating model, bringing a spotlight to both the individual practice and joint operations levels.
- Mounting technical debt impacts solution quality, delaying much-needed modernization, forcing nuanced exception management, and stifling business innovation.

As such, organizations are looking for an extensive risk management framework and approach that can be strategically managed and coordinated at the enterprise level, while leveraging a federated model at the IT practice area and business unit level.

Here are some critical implementation activities to establish an effective risk management approach within the context of a security transformation initiative.

- Develop Real-Time Visibility into the Hybrid IT Ecosystem
- Understand Leading Indicators of System and Service Reliability
- Reduce Technical Debt
- Deploy an Automated Response Framework for both proactive and reactive issue and incident management
- Orchestrate Cross-Functional Solutions via a common SDLC and scaled delivery lifecycles
- Integrate Threat Modeling & Risk into Strategic Planning

Security governance

The identity and role of the security governance function is morphing into a catalyst for change and measurable business enablement, while at the same time sustaining continuous compliance and managing risk. Business units and application development teams are desperately seeking latitude to solve their business problems, while needing to consume critical security-as-a-service features to accelerate time-to-value and ensure alignment with enterprise standards and policy (which are no longer rigid).

Here are some critical implementation activities to establish a high-functioning governance approach to security transformation.

- Develop insights into the functional, operational, and strategic readiness of the security practice and its local operating model
- Establish a transformation program team with a governance charter that includes actively managing the inherent risk associated with change, continuous compliance, and driving execution and results
- Create a learning agenda that facilitates and encourages a "fail forward" ethos
- Enrich standards and policy management to integrate with real-time learning
- Identify and empower critical change agents
- Gain buy-in and enrollment from a cross-functional leadership and executive team

Cyber defense and security operations

When it comes to the long-term success and sustainability of a security transformation, organizations should prioritize two capabilities: patch management and threat & vulnerability management. These two capabilities are of particular interest to a security professional and practice area, as they represent a sizable percentage of their technical debt inventory.

Patch management

For many organizations, patch management is an activity that routinely gets kicked down the road. This is counterintuitive, as sound patch management yields critical outcomes such as reliable security, uptime and reliability, continuous compliance, and the ability to introduce vendor software and service provider features into the ecosystem.

To achieve a high degree of adaptability in this space, several capabilities often require enrichment to reach patch management excellence.

- Standardized Security Control Framework
- Data & Application Classification System
- Asset Management and Well-Maintained System Inventory
- Software-defined Ecosystem
- Automated CI/CD Pipeline
- Immutable Infrastructure
- Advanced Deployment Techniques – Canary, Blue/Green, and Red/Black

Patch often. Patch quickly. Patch everywhere, so to speak.

Threat and vulnerability management

Threat and vulnerability management is a deep and complex practice. In the "shift left" paradigm, the opportunity starts at the conceptualization of an application and its associated architecture. Once the comprehensive function of an application is determined, one can review the application for potential threats before it is built.

Selecting and operationalizing a threat modeling method brings security into the conversation at an early stage in the lifecycle of an application. It is highly recommended to choose a consistent enterprise threat modeling method and classify the types of applications that will need this type of analysis. Not every application will need threat modeling. For third-party applications, ask for a copy of the vendor's threat modeling analysis or get a report attesting that it is secure.

As workloads enter a deployment pipeline there are tests at the application level as well as the infrastructure level (infrastructure as code, policy as code, vulnerability testing). The vulnerability tests and compliance tests should be automated to the degree the organization can manage. Automation should promote the "fail fast" behaviour of a pipeline, so that changes can be made as quickly as possible and create opportunities to optimize or innovate. There are staffing implications for this process that must be considered as well. Organizations typically do not have the scale to watch every pipeline, so a security proxy must be assigned to ensure that security requirements are adhered to.

Once the workload has been deployed into the environment, vulnerability and compliance controls should be operationalized as well. A continuous scan should take place so that organizations can detect changes in their now-pristine workloads. These mechanisms can reveal drift (movement away from the agreed design parameters) or potential actors going around the pipeline.

Here are some high-priority capabilities to consider for integration with the threat and vulnerability management practice.

- Penetration Testing
- Asset Management and Well-Maintained System Inventory
- Predictable Patch Management
- Real-Time Discovery
- Integration of Reliable Threat Intelligence Sources/Feeds
- Prioritization Scheme
- Automated & Orchestrated Remediation
- API Catalog

Bottom line

As business expectations and persistent adversarial threats drive the need for transformation, security practices must employ deliberate and comprehensive strategies to reduce risk and protect their hybrid IT ecosystems. It all starts with comprehensive visibility and a deep understanding of the efficacy and integration of people, process, technology, and policy.

Organizations should start by defining and measuring KPIs (Key Performance Indicators) and metrics for adaptability and time-to-value, so that they can identify the differentiated investment needed to achieve their target operating model. Keep in mind, security is not the only area that requires transformation. It is imperative that a cross-functional approach be employed to ensure a comprehensive transformation that yields measurable (and ongoing) business outcomes.

If you are serious about reshaping and modernizing your security practice to meet the needs of an adaptable business of the future, HPE has an edge-to-cloud operating model that will help.

For further information please visit www.hpe.com/greenlake/cloud-adoption-framework.

This article is one in a series that addresses the eight capability domains of the HPE Edge-to-Cloud Adoption Framework. The other seven articles can be found here:

- The Crucial Role of Application Management in a Cloud Operating Model
- Insight From Data Everywhere Driving Hybrid Cloud Strategy
- Does Your Company Have a Complete Innovation Framework?
- Five Focus Areas to Transform Your IT Organization
- DevOps and Digital Transformation: Now and Future
- An Operating Model to Support Engagement at the Digital Edge
- 3 Essential Elements of Strategy & Governance to Accelerate a Multi-Cloud Journey

____________________________________

About Mark Gilmor

Mark Gilmor is the Chief Security Strategist for the Security Risk and Compliance Practice at HPE Pointnext Services. Previously Mark built and led the Cloud Security Practice at Cloud Technology Partners, acquired by HPE, with a focus on highly regulated companies. With over 25 years of experience delivering security strategy and business solutions in the Application, Mobile, and Cloud space, Mark focuses on shifting security from a blocker to an enabler of an organization. He leverages agile approaches and thinking to accomplish desired outcomes by implementing security-focused emerging practices to achieve organizational goals that promote adaptability in a complex marketplace.

About Steve Fatigante

Steve Fatigante is an Information Technology Executive with 28+ years of experience delivering digital transformation and hybrid cloud solutions. He is a driven leader with an extensive background in formulating information technology strategies that emphasize digital transformation, hybrid cloud adoption, information security, flexible & extensible architectures, and service reliability for both regulated and growth-oriented industries. He leverages entrepreneurial skills and a bias for action to deliver measurable outcomes by seamlessly integrating people, process, technology, and innovation. Steven has a knack for making strategic implementations, delivery and execution, and transformation feel tactical and practical. He is an inventor on five US technology patents.