October 13, 2015

Security at the Speed of Transformation

By Art Wong, Senior Vice President, Enterprise Security Services, Hewlett Packard Enterprise

Protecting the New Style of Business

Security has never been more in the forefront of IT. More in the news. More on the minds of customers. Yet, as you rally plans to update your technology standards, to evolve your enterprise to the New Style of Business and to realize all the opportunities that come with it, where is your security strategy?

The age of waiting to see what happens before deciding what kind of defensive data security you really need is long gone. The only effective strategy for today’s cyber threats is a proactive one that runs through your business and technology plans end to end, detecting breaches, stopping attacks, and securing the enterprise. Baked in from the beginning rather than bolted on as you grow.

Out With Reactive

For too long, enterprises have taken a reactive stance on security—responding to attacks once they begin or long after they occur. A recent study by FireEye shows that on average, it takes 205 days for an organization even to detect a cyber-incident. That same study says an alarming 95 percent of organizations remain compromised.

Target discovered the consequences the hard way in 2013, when hackers stole the credit card information of millions of the retail giant’s customers. Weeks of high-profile media attention, lost sales, and a significant drop in market capitalization followed. And that was just one of many well-known brands with similar stories to come.

The challenge starts with the old, obsolete concept of a well-defined perimeter of the enterprise network. The new organizational IT infrastructure is far more complex, with many more surfaces and points that are potentially vulnerable to attack, such as many types of devices that access apps and data hosted and distributed across numerous locations in the cloud. We can’t make every point impenetrable, but we can make it so breaches are much more likely to be nuisances, not calamities.

In With New

The New Style of Business requires a new approach with a tighter focus on prevention and minimizing the potential consequences of breaches. As sophisticated hackers (sometimes even sponsored by governments or organized-crime groups) launch cyber attacks, the enterprise must batten down the hatches to prevent the loss of vital data and intellectual property. While regulatory agencies are imposing stricter standards on data security—even holding boards of directors and C-level executives responsible for performance—securing the transformed enterprise can only take place with a deep and sophisticated program. Here are some of the elements that must be included:

Risk assessment: Most enterprises don’t realize how much risk they face in their traditional IT environment. Engage a third-party partner to objectively audit organizational IT security, providing an assessment of vulnerabilities in processes and technology.

Security improvement plan: Some actions necessary to prevent intrusions, detect breaches sooner, and protect valuable assets are technical in nature—like encrypting sensitive data. Other protective actions involve people and processes. These include training employees to avoid risky online behavior that introduces malware into enterprise systems and keeping IT security personnel up-to-date on the latest hacking incidents so that they can focus attention on preventing the most serious threats.

Breach preparedness plan: Any breach incident can quickly go from bad to worse. Have a comprehensive plan in place to quickly respond to breaches from technical, management, communications, and legal perspectives.

A technical plan includes ways to analyze and resolve the incident. A management plan ensures that all executives and managers are notified of the incident and know how to coordinate actions to mitigate it. A communications plan must address both internal and external audiences, including business partners, the media, and the investment community. The legal plan calls for the enterprise to work with regulators and third parties that may have been impacted.

Baked-in security on all new projects: Just as it is easier to wire a house before the drywall goes up, it’s easier to implement security at the beginning of a project rather than add it later.

Inadequate security can be a business inhibitor on so many levels. A monetary agency found this out after it received a credible threat that hackers would take down its transactional system. Its response was to shut the system down, ostensibly for “maintenance.” In effect, even though the agency proactively shut down the system, it did what the hackers had threatened to do … and lost a significant volume of transactions as a result.

In the New Style of Business, security should be an enabler, not an inhibitor. It’s like the brakes on your car, which allow you to accelerate safely: Without them, you’d have to stop with your feet, which makes accelerating a lot less appealing and a lot less safe. Security elements should enable the enterprise to optimize the cloud, Big Data, and mobility; empower employees; enhance customers’ experience; and drive growth at the speed of transformation.