The Role of Security Transformation

As demand for digital engagement across workforce, partner, and customer personas expands the threat landscape, security breaches and incidents make headlines daily. Achieving operational agility, or more accurately “adaptability” across an organization is difficult, yet essential. When security is layered in to address customer data, intellectual property, and critical infrastructure and systems, it is even tougher.

Business model and IT (Information Technology) transformations in and of themselves are complex. They require a multi-discipline approach and often need to be implemented while supporting “business-as-usual” activities and operational continuity. More importantly, they require organizations to be flexible while managing the inherent risk of transformation and residual risk from their legacy operating model. Today, mature security practices are demonstrating adaptability by driving and supporting the integration of third-party applications, adoption of multi-cloud IT ecosystems, and orchestrating day-to-day operations without degradation of their security posture.

Driving security transformation

Security transformation is not just about technology. It also incorporates organizational structure and design, culture change, talent acquisition and enablement, and operating model adaptation. As such, I’ll start with the functional areas and key capabilities that drive security transformation.

Recognizing that Security is a broad topic, here are some key capabilities and features that are essential to a successful security transformation.

Risk and compliance

 Two areas of critical importance within the risk & compliance area are risk management and security governance. These require particular attention to implement a successful security transformation.

Risk management

The risk management landscape is changing in several significant ways:

1. Risk management is garnering focus at the strategic objective level, meaning organizations are acutely managing inherent and residual risk associated with business imperatives and their associated implementation (and Day 2 operational) approaches.

2. Risk is being integrated into the IT operating model and brings with it a spotlight at both the individual practice and joint operations levels.

3. Surmounting technical debt impacts solution quality, delaying much-needed modernization, forcing nuanced exception management, and stifling business innovation.

As such, organizations are looking for an extensive risk management framework and approach that can be strategically managed and coordinated at the enterprise level, while leveraging a federated model at the IT practice area and business unit level.

Here are some critical implementation activities to establish an effective risk management approach within the context of a security transformation initiative.

• Develop Real-Time Visibility into the Hybrid IT Ecosystem

• Understand Leading Indicators of System and Service Reliability

• Reduce Technical Debt

• Deploy Automated Response Framework for both proactive and reactive issue and incident management

• Orchestrate Cross-Functional Solutions via common SDLC and scaled delivery lifecycles

• Integrate Threat Modeling & Risk into Strategic Planning

Security governance

The identity and role of the security governance function is morphing into a catalyst for change and measurable business enablement, while at the same time sustaining continuous compliance and managing risk. Business Units and application development teams are desperately seeking latitude to solve their business problems, while needing to consume critical security-as-a-service features to accelerate time-to-value and ensure alignment with enterprise standards and policy (which is no longer rigid).

Here are some critical implementation activities to establish a high-functioning governance approach to security transformation.

• Develop insights into the functional, operational, and strategic readiness of the security practice and its local operating model

• Establish a transformation program team with a governance charter that includes actively managing inherent risk associated with change, continuous compliance, and driving execution and results

• Create a learning agenda that facilitates and encourages a “fail forward” ethos

• Enrich standards and policy management to integrate with real-time learning

• Identity and empower critical change agents

• Gain buy-in and enrollment from a cross-functional leadership and executive team

Cyber defense and security operations

When it comes to the long-term success and sustainability of a security transformation, organizations should prioritize these two capabilities – patch management and threat & vulnerability management. These two capabilities are of particular interest to a security professional and practice area, as they represent a sizable percentage of their technical debt inventory.

Patch management

For many organizations, patch management is an activity that routinely gets kicked down the road. This is counterintuitive, as sound management yields critical outcomes such as reliable security, uptime and reliability, continuous compliance, and the ability to introduce vendor software and service provider features into the ecosystem.

To achieve a high degree of adaptability in this space, there are several capabilities that often require enrichment to achieve patch management excellence.

• Standardized Security Control Framework

• Data & Application Classification System

• Asset Management and Well-Maintained System Inventory

• Software-defined Ecosystem

• Automated CI/CD Pipeline

• Immutable Infrastructure

• Advanced Deployment Techniques – Canary, Blue/Green, and Red/Black

Patch often. Patch quickly. Patch everywhere, so to speak.

Threat and vulnerability management

Threat and vulnerability management is a deep and complex practice. In paradigm of “shift left,” the opportunity starts at the conceptualization of an application and its associated architecture. Once the comprehensive function of an application is determined, one can review the application for potential threats before it is built.

Selecting and operationalizing a threat modeling method brings security into the conversation at an early stage within the lifecycle of an application. It is highly recommended to choose a consistent enterprise threat model method and classify the types of applications that will need this type of analysis. Not every application would need threat modeling. For third-party applications, ask for a copy of the vendor’s threat modeling analysis or get a report attesting that it is secure.

As workloads enter a deployment pipeline there are tests throughout the application level as well as the infrastructure level (infrastructure as code/policy as code/vulnerability testing.) The vulnerability tests and compliance tests should be automated to a degree the organization can manage. Automation should promote the “fail fast” action of a pipeline to make changes as quickly as possible to enable an opportunity to optimize or innovate. There are staff implications for this process that must be considered as well. Organizations typically do not have the scale to watch every pipeline in an organization so a security proxy must be assigned so that security requirements are adhered to.

Once the workload has been deployed into the environment, vulnerability and compliance controls should be operationalized as well. As such, a continuous scan would take place to allow organizations to detect changes in their, now, pristine workloads. The value of having these mechanisms in place could determine drift (movement from agreed design parameters) or potential actors going around the pipeline.

Here are some high priority capabilities to consider for integration with the threat and vulnerability management practice.

• Penetration Testing

• Asset Management and Well-Maintained System Inventory

• Predictable Patch Management

• Real-Time Discovery

• Integration of Reliable Threat Intelligence Sources/Feeds

• Prioritization Scheme

• Automated & Orchestrated Remediation

• API Catalog

Bottom line

As business expectations and persistent adversarial threats drive the need for transformation, security practices must employ deliberate and comprehensive strategies to reduce risk and protect their hybrid IT ecosystems. It all starts with comprehensive visibility, and a deep understanding of the efficacy and integration of people, process, technology, and policy.

Organizations should start by defining and measuring KPIs (Key Performance Indicators) and metrics for adaptability and time-to-value, such that they can identify the differentiated investment needed to achieve their target operating model. Keep in mind, security is not the only area that requires transformation. It is imperative that a cross-functional approach be employed to ensure comprehensive transformation that yields measurable (and on-going) business outcomes.

If you are serious about reshaping and modernizing your security practice to meet the needs of an adaptable business of the future, HPE has an edge-to-cloud operating model that will help.

For further information please visit www.hpe.com/greenlake/cloud-adoption-framework.

This article is one in a series that address the eight capability domains of the HPE Edge-to-Cloud Adoption Framework. The other seven articles can be found here:

The Crucial Role of Application Management in a Cloud Operating Model Insight From Data Everywhere Driving Hybrid Cloud Strategy Does Your Company Have a Complete Innovation Framework? Five Focus Areas to Transform Your IT Organization DevOps and Digital Transformation: Now and Future An Operating Model to Support Engagement at the Digital Edge 3 Essential Elements of Strategy & Governance to Accelerate a Multi-Cloud Journey

____________________________________

About Mark Gilmor

Mark Gilmor is the Chief Security Strategist for the Security Risk and Compliance Practice at HPE Pointnext Services. Previously Mark built and led the Cloud Security Practice at Cloud Technology Partners, acquired by HPE, with a focus on highly regulated companies. With over 25 years of experience delivering security strategy and business solutions in the Application, Mobile, and Cloud space, Mark focuses on shifting security from a blocker to an enabler of an organization.  He leverages agile approaches and thinking to accomplish desired outcomes by implementing security-focused emerging practices to achieve organizational goals that promote adaptability in a complex marketplace.

About Steve Fatigante

Steve Fatigante is an Information Technology Executive with 28+ years of experience delivering digital transformation and hybrid cloud solutions. He is a driven leader with an extensive background in formulating information technology strategies that emphasize digital transformation, hybrid cloud adoption, information security, flexible & extensible architectures, and service reliability for both regulated and growth-oriented industries. He leverages entrepreneurial skills and a bias for action to deliver measurable outcomes by seamlessly integrating people, process, technology, and innovation. Steven has a knack for making strategic implementations, delivery and execution, and transformation feel tactical and practical. He is an inventor on five US technology patents.