April 11, 2016

Risks You Don’t Have to Take: Secrets to a Secured Environment

While new technologies and infrastructure are creating immense value for the enterprise, many IT leaders are struggling with how to transform and reduce risk in the future state. The good news? Technology—namely, predictive analytics and new infrastructure architecture—is giving IT leaders the ability to mitigate threats and security gaps in a real-time secured environment and on a micro level.

How can your organization leverage those innovations to positively impact strategic decision-making and realize an overall reduction in risk? We sat down with HPE Enterprise Services Cybersecurity Chief Technologist Cheryl Soderstrom and Applications Services Chief Technologist Terry White to ask that question—and many more.

What are the top threats you see to tomorrow’s enterprise?

Terry White: I think the biggest issue is exposure. In the past, the enterprise was closed off from most external threats. But now assets are being spread around by many devices, through many channels, and with various service providers that aren’t owned or controlled by the enterprise. This can create a host of massive security issues.

Specifically, it’s virtually impossible to control how people adapt to and use constantly evolving technology. And if you don’t have the right processes, compliance protocols, and proactive audits in place, you could be exposing the organization to significant risk. Thankfully, new technology is allowing us to codify those things. You can automate everything, observe the data trail that’s created, trend it over time, and more easily identify anomalies.

Cheryl Soderstrom: I agree with Terry. I think another huge challenge is the speed of change. Disruptors are coming from outside of traditional places, and the competitive landscape is rapidly shifting as a result.

From a cybersecurity perspective, there’s also the threat of the aggressive industrial espionage that’s being perpetuated by certain nation states. These groups are attacking for a competitive advantage. Maybe they don’t want to pay for costly R&D. Maybe they want to steal formulas. Maybe they want to be able to understand our markets and disrupt them without heavy lifting. Whatever the motivation, the risk in ignoring them is enormous.

What security issues need to be addressed in a transforming enterprise?

Soderstrom: Typically, we talk about the security of the cloud, mobile applications, access, identity, and all the things joining the IoT. There are solutions for secured cloud, apps, identity, and protection, but there are new risks that continue to be introduced by the proliferation of the IoT. It’s growing so quickly, and there’s so much excitement around it, that it’s caused us to forget everything we’ve learned about baking cybersecurity into innovation, rather than trying to add it later.

So, from my perspective, we need to focus not just on the cloud or mobile apps, or the “systems” we rely on. We also need to focus on interactions between systems, the people who use them, and the data they both create. It’s not enough to just secure one system or technology at a time.

White: I also think there are significant security issues with the sensors we rely on to run our services. Typically, we take actions based on what a sensor reading says. But what if a hacker could fool the sensor? Could they create disruptive behavior by doing that? Absolutely.

There’s an assumption that sensors are benign. They monitor things like time, temperature, etc. But if someone disrupted one little aspect of those sensors, it could create a chain reaction on a series of other sensors that could cause an entire system to fail.

How can enterprise organizations mitigate threats earlier?

White: I think the tendency in most enterprise organizations is to be reactive. One thing that’s absolutely critical, however, is to not wait until you see an issue to fix it and to not assume issues are isolated. When you see something happen, even in other industries, you need to study and educate yourself on it. Employee training and education is a huge piece of this, too.

The good news is that we have technology that’s capable of helping the enterprise be more proactive in the transformed future state. We can analyze data streams and trends in real time, which allows us to make decisions in minutes or seconds, not days or weeks.

Soderstrom: It really starts with understanding our adversaries—who are they, what do they want most? What are their attack habits, tools, and favorite techniques to move from one stage to another in the attack life cycle? That’s where I think having the right partners is really important, too. Enterprises can leverage important analysis that’s already been done by others. And we can share defender tactics that work against those same adversaries. Collaboration helps us all make smarter decisions faster.

From an HPE perspective, we’re now able to gather significant intel on threat actors from inside and outside the enterprise, which helps us recognize the telltale signs of what threat actors are trying to do.

What forms of predictive analytics should enterprises leverage to create a more secure environment? 

Soderstrom: The very simple answer is that security loves information. When the president is going somewhere, the Secret Service doesn’t wait until he gets there to assess the environment and the risks it presents. Instead, advanced teams head out to that location before the president gets there to scout it out.

The enterprise should be treating cybersecurity the same way—leveraging insights already embedded in data. These “scouts” can come in the form of external partners who analyze big data sets and internal analysts who can leverage internal data to help paint a much richer, more contextual picture about the organization’s security position. All of this allows the enterprise to manage risk proactively and make faster course corrections over time.

What areas should the enterprise invest in to achieve this secure future state?

White: In the short term, I think there are some simple investments that can make a big impact.

Mobile device management is a big one, because mobile devices aren’t going away. If people are going to be empowered to use these devices, the enterprise should have protections in place for them. Other investments include single sign-on technology for user authentication, predictive analytics and proactive monitoring tools, and document protection services, which allow you to track where files go and dictate who can read or access them.

Soderstrom: This is where I go back to predictive analytics. With the Big Data explosion, many IT leaders don’t yet have a grasp of the analytics explosion that needs to accompany it. To be truly effective in the transformed future state, you need to be able to tap into everything that’s “knowable.” Technology plays the critical role in this because our human brains reach capacity problems that computers don’t have.

That said, we need to go deeper than having endless computer-based attention spans. Clamor is not a security strategy. We need technology that finds meaning in the data and correlation analytics that make connections and anomalies more obvious. This helps us grow the business and protect the business, so it’s worthy of investment. At the end of the day, you can be the best and smartest company, but if you’re not proactively securing that greatness, you’re securing your own demise.

What are some of the specific types of business outcomes that an enterprise will see when it has secured its environment?

White: The one thing to caution against is that you can never be completely safe. There’s always going to be a new technology, threat, or vulnerability to worry about. That said, what technology can do is provide a level of confidence that your brand, reputation, and intellectual property are safe.

All it takes is one slip-up to blow it, so it’s critical to follow certain standards and partner with vendors that have the right certifications. When you do that, your business outcomes will be much greater in the future state.

Soderstrom: The problem with transformation is that it feels risky. Here’s my counterpoint to that argument: It’s far more risky to think you can succeed in the future by doing things the old way. There’s more risk associated with standing on ground that’s crumbling underneath you.

This is why I appreciate HPE’s own transformation. We’ve really embraced the levers of the new economy. We’re creating new business models that enable fluidity and nimbleness. We’re leveraging the Big Data we have to make us—and our customers—smarter and safer. And we’re committed to the idea that we have to weave security into the fabric of everything we do and offer. It’s how we go to market, and I think it’s a great model for other enterprise organizations.

Learn more about securing the enterprise in “Securing the internet of things,” a special report by The Economist Intelligence Unit.
