Managing Risk in Today’s Digital Enterprise

Digital enterprise

By Neil Bryden

Managing risk in today’s digital environment has become even more critical. Threats are growing rapidly and attackers are getting smarter. We live in a world of complex security threats. They can be external or internal, malicious or unintentional, but increasingly they come from cybercriminals who have built an adversary marketplace that is more specialized, efficient and lucrative than ever.

The criminal marketplace has advanced well beyond basic capabilities, innovating and changing tactics every day. Its participants are smarter, more collaborative and highly motivated to gain access to information for profit, politics and corporate espionage.

Conflicting regulatory drivers, data sovereignty challenges and industry-specific issues mean there is no clear path for organizations to achieve regulatory compliance. Growing stakeholder demands and increasing public scrutiny mean security and risk officers are grappling with more complex regulatory issues, including compliance regulations, privacy rulings and data protection mandates. Organizations often fall foul of the regulators in the event of a breach and are hit with hefty fines for noncompliance.

The transformation of enterprise IT is driving innovation and accelerating growth. Mobile and hybrid computing are representative of such shifts: they offer great value but create new risks, threats and vulnerabilities for the enterprise. Adopting the new style of IT has distributed our data everywhere, creating new exposures and attack surfaces.

Therefore, today’s digital enterprise needs a new style of protection. Organizations must embrace the opportunities that cloud and mobile bring to shorten time to value, enhance customer experiences and improve workforce productivity.

Not that long ago, organizations deployed security strategies focused on blocking threats at the perimeter and locking down users, access and data. The new style of business has dissolved that perimeter. Your users are interacting with your data and applications in the cloud, on mobile devices and within your network.

To protect your digital enterprise, you must secure the interactions between your business-critical digital assets, securing the free flow of information throughout your enterprise and across your customers, employees, partners and suppliers.

Protect Your Digital Enterprise
Hewlett Packard Enterprise advocates an integrated approach to security, one that starts with a single, comprehensive view of risk across the enterprise and is driven by your enterprise priorities and goals. Although we know that nothing in an organization can ever be completely secure, by focusing on your critical digital assets and the interactions between them you can implement a more proactive and effective pan-enterprise approach to security and risk management.

HPE Security advocates three core principles to protecting your organization:
1. Prevent – Organizations must stop treating security as an afterthought and ensure that security is built into the fabric of their business, across users, infrastructure, data and applications, and integrated across their IT processes. By understanding their risk posture and assessing their cyber capabilities in line with business priorities, security teams can identify their business-critical information and assets and focus on protecting them against known and unknown threats. See Data Centric Security and Securing the New SDLC below.

2. Detect and Respond – To respond effectively to today’s advanced threats, organizations must monitor their security operations around the clock, hunting for threats and shutting them down before they wreak havoc. Security organizations must take advantage of today’s rapid detection and powerful analytics tools, like ArcSight, our industry-leading SIEM solution, combined with Threat Central, our threat intelligence platform, to detect known and unknown threats and respond quickly, effectively and at scale to mitigate risk.

3. Recover – Ensuring business continuity and constant availability of your IT environments, critical systems and applications in the event of a natural disaster, cyber attack or system failure is paramount. Organizations must be able to perform system recovery and restoration so that their users, data and applications experience minimum downtime. Security, risk and IT organizations must prepare enterprise-wide resiliency plans to safeguard their operations and ensure they don’t fall foul of compliance, data protection and privacy regulations.

Data Centric Security for End-to-End Protection
Data centric security is a new approach that protects sensitive data end-to-end, from the moment of capture through processing and storage across a variety of devices, operating systems, databases and applications. It helps enterprises neutralize data breaches by rendering stolen data valueless to an attacker: data is de-identified through encryption, tokenization and data masking, and most systems can work with the protected form, which minimizes the need to decrypt sensitive data elements as they move through the enterprise. It is always-on protection.

There are four key use cases where data centric security plays a very large role:
1. Compliance – We help reduce compliance complexity and simultaneously increase security: systems that handle only protected data can be taken out of PCI DSS scope, a reduction in scope of up to 90 percent, freeing up time and resources for other things, like revenue-generating projects. This comes at a time when compliance mandates are increasing.

2. Analytics – Organizations everywhere want to harness the power of big data for competitive advantage and insight, and we allow them to do this securely on sensitive data while addressing issues like privacy concerns.

3. Cloud – Because our solutions have such broad system coverage, everything from legacy COBOL applications to Hadoop and AWS, we allow enterprises to accelerate their move to the cloud.

4. Storage – Data-centric security isn’t complete if you don’t address fundamental issues like protecting your infrastructure. Keeping business-critical keys alongside the data they protect is like locking your car and leaving the keys on the roof. Our enterprise key management solutions interoperate with HPE servers and storage and allow full separation of duties between administrators and those with access to sensitive data.
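The mechanics behind the data centric approach described above (tokenization, masking and de-identification of a sensitive field) and the key-separation point in the Storage use case, shown as an added example written for this page; it is not HPE SecureData or any HPE product code. It uses only the Python standard library, and the records, the token vault and the analytics key are constructed stand-ins: in a real deployment the vault and the HMAC key would live in separate services with their own access controls, and the card numbers below are the well-known test numbers, not real accounts.

```python
"""Data-centric protection of a card number (PAN) field: vault tokenization,
masking and keyed pseudonymization. Added illustration; not HPE code."""
import hashlib
import hmac
import secrets

# Constructed sample records using well-known test card numbers (not real accounts).
SAMPLE_RECORDS = [
    {"customer": "alice", "pan": "4111111111111111", "amount": 42.50},
    {"customer": "bob",   "pan": "5500000000000004", "amount": 19.99},
    {"customer": "alice", "pan": "4111111111111111", "amount": 7.25},
]


def luhn_valid(digits):
    """Luhn check: real PANs pass it; surrogate tokens are chosen to fail it
    so a token can never be mistaken for (or misused as) a real card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds the PAN<->token mapping. Only this component ever sees clear PANs;
    the application database stores tokens, which is what takes it out of scope."""

    def __init__(self):
        self._token_for_pan = {}
        self._pan_for_token = {}

    def tokenize(self, pan):
        if pan in self._token_for_pan:        # same PAN -> same token, so joins still work
            return self._token_for_pan[pan]
        while True:
            # Format-preserving surrogate: same length, last four digits kept for
            # display, leading digits random; rejected on collision or if it passes Luhn.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._pan_for_token and not luhn_valid(token):
                break
        self._token_for_pan[pan] = token
        self._pan_for_token[token] = pan
        return token

    def detokenize(self, token):
        """Privileged operation for the payment path only, never for analytics."""
        return self._pan_for_token[token]


def mask(pan):
    """Irreversible display form, e.g. for receipts and support screens."""
    return "*" * (len(pan) - 4) + pan[-4:]


def pseudonymize(pan, key):
    """Keyed, deterministic pseudonym for analytics: equal PANs still join, but
    without the key (held by the key manager, not the analytics cluster) the
    value cannot be reversed or rebuilt by brute force over the PAN space."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()[:16]


def protect(records, vault, analytics_key):
    """Split each clear record into an app-side row (token + masked PAN) and an
    analytics-side row (pseudonym only). Neither side retains the clear PAN."""
    app_rows, analytics_rows = [], []
    for r in records:
        token = vault.tokenize(r["pan"])
        app_rows.append({"customer": r["customer"], "pan_token": token,
                         "pan_display": mask(r["pan"]), "amount": r["amount"]})
        analytics_rows.append({"card_id": pseudonymize(r["pan"], analytics_key),
                               "amount": r["amount"]})
    return app_rows, analytics_rows


if __name__ == "__main__":
    vault = TokenVault()
    key = secrets.token_bytes(32)   # would be issued by a separate key-management service
    app, ana = protect(SAMPLE_RECORDS, vault, key)
    for row in app + ana:
        print(row)
```

The separation of duties is in who holds what: the application tier stores tokens and masked values, the analytics tier stores HMAC pseudonyms, and only the vault (for detokenization) and the key manager (for the HMAC key) can reconstruct or reverse anything. A database dump from either tier yields nothing usable, which is the "render data valueless" property the text describes.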

Securing the New SDLC
Securing the new perimeter has become critical. In the world of DevOps and the rapid growth of the app economy, the traditional SDLC has become rapid (Facebook releases every 10 minutes) and highly integrated, with Dev, QA and Ops now operating as one group.

Secure Development:
• Find and fix security vulnerabilities during development. We show developers in their code where the security issue exists.
• Market-leading static analysis technology in Fortify SCA continuously finds and prioritizes security issues as developers write code.
• At DevOps speed, the feedback has to be continuous and frequent, which is why we’re now showing developers these security flaws as they type.
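What "showing developers in their code where the security issue exists" looks like at its simplest, as an added example written for this page; it is not Fortify SCA or any HPE code, and a commercial static analyzer does far more (data-flow and taint tracking across files, framework models, prioritization). The scanner below walks the Python AST of a constructed sample module, flags well-known dangerous sinks and `shell=True` subprocess calls, and reports each with file, line and a remediation hint, which is the developer-facing output the text describes. The sink list and the sample module are assumptions made for the illustration.

```python
"""Minimal static scanner: flags dangerous call sites with file and line,
the way an SCA tool surfaces findings in the developer's own code.
Added illustration; not Fortify SCA or any HPE code."""
import ast

# Constructed sample module under review; it deliberately contains weak calls.
SAMPLE_SOURCE = '''\
import os, subprocess, pickle
def run(user_input):
    os.system("ls " + user_input)
    subprocess.call(user_input, shell=True)
    data = pickle.loads(user_input)
    return eval(user_input)
def safe(path):
    return subprocess.run(["ls", path], check=True)
'''

# Sink -> (weakness, remediation). A real analyzer would also track whether the
# argument is tainted by untrusted input instead of flagging every call.
DANGEROUS_SINKS = {
    "os.system": ("OS command injection", "use subprocess.run([...]) with an argument list"),
    "eval": ("arbitrary code execution", "parse input with ast.literal_eval or a real parser"),
    "exec": ("arbitrary code execution", "do not execute data"),
    "pickle.loads": ("untrusted deserialization", "use json or a schema-validated format"),
}
SUBPROCESS_FUNCS = {"subprocess.call", "subprocess.run", "subprocess.Popen",
                    "subprocess.check_output", "subprocess.check_call"}


def dotted_name(node):
    """Rebuild 'pkg.attr' from an ast.Attribute/ast.Name chain; None otherwise."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan(source, filename="<sample>"):
    """Return findings as (line, call, weakness, remediation), sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = dotted_name(node.func)
        if name in DANGEROUS_SINKS:
            weakness, fix = DANGEROUS_SINKS[name]
            findings.append((node.lineno, name, weakness, fix))
        elif name in SUBPROCESS_FUNCS:
            # Only the shell=True form is a command-injection sink; the
            # argument-list form on the last line of the sample is left alone.
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    findings.append((node.lineno, name, "OS command injection",
                                     "drop shell=True and pass an argument list"))
    return sorted(findings)


def report(source, filename="<sample>"):
    """Compiler-style lines a developer can click through to in an editor."""
    return [f"{filename}:{line}: {call}: {weak} ({fix})"
            for line, call, weak, fix in scan(source, filename)]


if __name__ == "__main__":
    for line in report(SAMPLE_SOURCE, "payments.py"):
        print(line)
```

Because the check is a pure function of the source text, it can run in an editor save hook or a pre-commit step, which is the continuous, as-you-type feedback the list above calls for; the same output format feeds a CI gate that fails the build on any finding.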

Security Testing:
• For applications already running in your environment, applications you bought, or applications someone else developed, your security burden is likely greater.
• Dynamic analysis from WebInspect is an important component of comprehensive security testing. With this technology, we run thousands of automated security tests, just as an attacker would, to root out exploitable vulnerabilities in running applications of any type: Web, mobile and infrastructure.
• Fortify on Demand enables continuous application discovery and security testing at scale as a managed service, with no in-house expertise required and immediate startup value.

All of this comes together through a discipline we call Software Security Assurance (SSA).
• SSA is a systemic, programmatic approach to securing applications by finding and fixing security vulnerabilities throughout the lifecycle of an application.
• A full-lifecycle view of assuring application security, from the day an app is born or purchased through its entire lifespan in production.
• Solutions and services that provide the education, planning, automation and governance to secure applications at scale.

Neil Bryden is a security strategist for the Americas within the Enterprise Security Product business unit at HPE. In this role, Mr. Bryden is responsible for driving strategic initiatives for the ESP Security Strategy group and providing thought leadership and insight regarding the ever changing global threat landscape. Prior to joining HPE in 2013, Mr. Bryden served as the global information security officer and U.S. firm’s chief information security officer for KPMG LLP. Mr. Bryden is a 30-year veteran of the information risk and security industry and has a proven record of designing, implementing and managing transformation programs for clients and internally.