Rethink risk and enterprise security in a digital world
Digital transformation promises to deliver new business value but also introduces new security risks that demand equally new and innovative responses. Organizations on a digital transformation journey must make a parallel trip, one that integrates security and risk management into DevOps and Continuous Delivery (CD) processes.
Security professionals need to participate in DevOps/CD teams, bringing security into the develop-to-deliver process and building in security capabilities and operational hooks that mitigate risk. Simultaneously, security operations teams gain access to more detailed logs and deploy machine learning (ML) and artificial intelligence (AI) techniques to detect abnormal conditions. Overall, the newly integrated DevOps/CD/security processes, combined with new operational technologies, can materially change the enterprise’s risk posture. Ultimately, the business needs a single, converged view of technology risk across both operational and security domains.
As organizations continue their digital transformations, the transformation of security
and risk management must be an integral part of that journey. Rather than bolting-on
security at the end, organizations should plan for digital transformation and security
together, simultaneously.
In fact, the best way to defend against next-generation threats in the digital age is a
structured, enterprise-wide risk management strategy with well-defined governance
and policies. The ultimate goal is to have resilient systems that can not only withstand
cyber attacks, but also carry out mission-critical business operations after an attack.
This is no easy task, as the risk environment is changing quickly. An effective strategy
must now address:
• Identity. As the network’s physical perimeter fades, the ability to authenticate
the identity of users and devices — and to determine their proper level of access
to both systems and data — becomes essential. Exacerbating this challenge is the
exponential growth of mobility, the internet of things (IoT), automated apps and
robotic process automation (RPA), and the widening scope of information security
to include operational technology (OT) systems. User analytics must now consider
both human and machine-generated behavior.
• Continuous compliance. Data-protection and privacy policies such as the
European Union’s General Data Protection Regulation (GDPR) are too often
addressed with ad hoc solutions. A superior approach involves building a security
and privacy infrastructure that will prepare your organization to meet the demands
of evolving policies.
• Incident response. Enterprises are no longer judged simply by whether they
get breached, but how they respond to that breach. The public and regulators
recognize that risk is prevalent and breaches will happen. What the public and
regulators will not accept is sub-optimum breach response. We need robust
incident response capabilities that are consistently tested, ensuring that from the
board to the legal department, all are prepared to execute professional incident
response that minimizes damage.
• Information and asset governance. Data is increasingly mobile. Recent incidents
have included not only hostile actors making internal breaches, but supposedly
legitimate third parties circumventing protections to access and store bulk client
data. Enterprises need a security and privacy model that continually refreshes,
moving with the data, and has appropriate self-destruct mechanisms when
anomalies are detected.
• Federation. Third parties increasingly need access to corporate networks, creating
a serious security challenge. How do you open your network to suppliers, partners
and others while still protecting your systems and data?
By 2020, 60% of the Forbes Global 2000 (G2000) will use AI-based security. Source: IDC FutureScape: Worldwide IT Industry 2018 Predictions (Doc #US43171317 / Oct 30, 2017)
People, process and technology
As organizations develop an enterprise risk management strategy along with their
digital transformation strategy, they can imagine the effort as a highway with three
lanes: one for people, another for process, and a third for technology. (See Figure 1.)
People in an organization form its culture and are the first line of design and
defense for security. For digital transformation to succeed, many organizations will
need to transform the culture around risk. Here are a few changes that most likely
will be needed:
• DevOps/Continuous Delivery teams become security practitioners. In the near
future, security will transition from being a niche skill practiced in near isolation,
to being a core capability of developers. This will require a mind-set shift for both
security professionals and developers, who have operated in silos for a generation.
The first step is to integrate security expertise at the inception of development
projects. This will allow skills to diffuse between the parties and will, over the next
several years, enable security to be truly baked in rather than bolted on.
• New respect for customer data. Processing and holding customer data can no
longer be seen as a business right, but rather as a privilege. Organizations must
quickly learn to use customer data with appropriate care, protecting customer
privacy and keeping personal data more secure.
• Start small, then go big. When building new systems, it’s best to conceive of
them as modules, each with security designed in from day one. In the past, many
organizations would instead build monolithic systems, then apply a security
“wrapper” after the design or development. But in an environment with thousands
of mobile and IoT devices, that’s no longer sufficient. The newer, more effective
approach involves building loosely coupled components, wherever possible, on a
stateless/shared-nothing architecture with a zero trust mentality between modules.
Figure 1. Reducing risk with digital transformation: three paths — people, process and technology — are changing quickly.
• Prepare for failure. With the further adoption of cloud computing, organizations
no longer have total control over their computing or storage platforms. New risks
are introduced, and some elements will fail. You can no longer try to design around
these potential failures; instead, you must plan for them.
One powerful approach that requires a new cultural mind-set is known as resiliency
engineering. This involves building systems so when one component goes down or is
overwhelmed, its effect on the overall system is predictable.
A related approach, refined for distributed solutions by Netflix, is known as chaos
engineering. Here, IT staff experiment against a working system daily by injecting
unexpected conditions, including shutting down components under different
assumptions, to confirm that continuous operation is possible. If not, the test group
can see where the gaps are, and then improve the recovery automation.
Chaos engineering generally delivers better results than traditional site-oriented
business-continuity testing. The latter is done under specific conditions, thereby
failing to accurately mimic unexpected challenges.
LEF Perspective
The challenge of trusting data
We are living in a world of explosive data growth, and yet we are moving into a period where this data is coming more and more under question. In the consumer space, fake news is the latest paradigm driving this distrust. How can we trust what we are reading even when it looks as if it is coming from an authoritative source?
This challenge in a business context is equally scary. Just as organizations are learning to open themselves up to external data sources, open data sets, data feeds from third parties and data streams from devices, so too should they be thinking about how to ensure the provenance of that data.
When you combine this with the insatiable need of machine learning to have as much data as possible to learn and continually improve, things can get even more worrisome. Imagine replacing core business processes with those of an artificial intelligence (AI) that is making decisions on your behalf or dealing with customers in real-time scenarios, all based on the information the AI has been given to train its models. What if that information contains a bias that could lead to poor decisions or unethical behavior? What if a bad actor gets access to the data, or to the data ingest point, and is able to substitute your data with his or hers? This puts the bad actor in a very powerful position, with an ability to quickly change the behavior of your AI systems and, most likely, not for outcomes you’d want to be remembered for.
Adversarial data is and should be a concern to any company looking to rely on any forms of data. Ensuring the provenance of data is something that should be factored into any data exchange relationship. Could blockchain be the answer here? Quite possibly. But today the technology is too slow to allow fast “fluidity” of data through a system so that data can be used in real-time analysis. But for slower types of data, blockchain could well prove to be a good starting point to evolving a solution.
The balance of data fluidity and provenance of data is a hard one to get right. This challenge will drive an abundance of innovation in the coming years, to help organizations and individuals trust the data and information they are receiving.
Leading Edge Forum (LEF) is DXC Technology’s independent cross-industry think tank.
Process is the second lane on the enterprise risk highway, relating to how an
organization approaches its business processes. This might involve moving from ITIL
to DevOps or other automation-friendly approaches. It could also mean integrating
cloud providers that have security and privacy features built in.
That becomes especially important if the shift to cloud involves use of “serverless”
computing environments. Moving workloads to the public cloud still requires you to
manage the underlying cloud infrastructure. But with serverless, when you switch on a
web service, you no longer have to worry about that infrastructure; that becomes the
responsibility of the cloud provider, making it more important to select the right vendor.
Many cloud suppliers today offer highly resilient environments, but some risk will
remain. Risk that evades even the best attempts at detection and prevention is known
as “residual risk.” Fortunately, organizations have a new way to hedge their residual
risk: cyber insurance.
When all else fails, cyber insurance can act as an organization’s final safety net,
addressing residual risk. Payments from a cyber insurance policy could go to IT
for restoring systems, to finance for reimbursing affected customers and to public
relations for repairing the organization’s reputation.
Still, cyber insurance should not be considered a panacea. Like most insurance
policies, it is part of the overall resiliency that organizations need. Traditional
insurers enjoy sophisticated and time-proven tools, including actuarial tables, to help
them assign and manage risk profitably. Cyber insurers are still gathering insights,
adjusting offerings and introducing more tools to best assign risk and manage it.
Also, while an organization can transfer some risk with cyber insurance, it still can’t
transfer responsibility. Diligence and simulation remain vital.
Technology is the third lane on the risk highway. Emerging technologies can present
new risks, but they can also help address risk. Many top technology companies, for
example, are using technologies to automate processes in a way that’s secure. Their
best practices will become the common practices of organizations in all industries.
Machine learning, a subset of artificial intelligence (AI), has become a viable tool for
threat detection because it can detect anomalies. For example, if an executive most
often logs in from her office in London, then that’s her norm. But if one night that same
executive logs in from Tokyo, that’s an anomaly. It could be harmless, but what if a cyber
criminal is impersonating the executive and attempting to gain access to the network?
Either way, it’s something to detect, check out and, if warranted, take action against.
Machine learning is critical because it addresses scalability. If you have a handful
of mobile users and IoT and OT devices to monitor, you could handle the work with
current staff. But it is more likely you have thousands of mobile users — each with
their own working patterns and locations (e.g., office workers, contractors, field
workers, teleworkers) and each owning multiple devices — and even more IoT and OT
devices.
Suddenly, the task of establishing a norm for each user and device, watching for
anomalies and then deciding which ones require preventive action moves beyond
human capabilities. Machine learning can automate this process and keep a much
tighter watch on who — and what — is allowed onto the network.
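The London/Tokyo scenario above, as an added example that is not part of the paper: a constructed login log, a per-user norm learned from the cities already seen, and an impossible-travel test between consecutive logins. Timestamps are assumed to be UTC, coordinates are assumed to come from an IP geolocation lookup, and the 900 km/h ceiling and three-login warm-up are assumed thresholds.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed login log (not real data): user, ISO timestamp (assumed UTC),
# city and coordinates as resolved from the source IP by a geolocation lookup.
LOGINS = [
    ("exec1", "2019-03-04T08:05:00", "London", 51.5074, -0.1278),
    ("exec1", "2019-03-05T08:12:00", "London", 51.5074, -0.1278),
    ("exec1", "2019-03-06T07:58:00", "London", 51.5074, -0.1278),
    ("exec1", "2019-03-07T17:45:00", "London", 51.5074, -0.1278),
    ("exec1", "2019-03-07T23:40:00", "Tokyo", 35.6762, 139.6503),
    ("analyst2", "2019-03-04T09:00:00", "Leeds", 53.8008, -1.5491),
    ("analyst2", "2019-03-05T09:10:00", "Manchester", 53.4808, -2.2426),
    ("analyst2", "2019-03-06T09:05:00", "Leeds", 53.8008, -1.5491),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def find_anomalies(logins, min_history=3, max_speed_kmh=900.0):
    """Replay each user's logins in time order, learning the user's norm as the
    set of cities already seen. A login is flagged when it comes from a city
    outside that norm (once min_history logins exist to call it a norm) or when
    reaching it from the previous login would need a speed above max_speed_kmh."""
    by_user = defaultdict(list)
    for rec in logins:
        by_user[rec[0]].append(rec)
    anomalies = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r[1])
        seen_cities, prev = set(), None
        for i, (_, ts, city, lat, lon) in enumerate(recs):
            t = datetime.fromisoformat(ts)
            reasons = []
            if i >= min_history and city not in seen_cities:
                reasons.append("new_location")
            if prev is not None:
                p_t, p_lat, p_lon = prev
                hours = (t - p_t).total_seconds() / 3600.0
                km = haversine_km(p_lat, p_lon, lat, lon)
                # Zero or negative elapsed time with a real displacement is
                # treated as impossible travel as well.
                if km > 0 and (hours <= 0 or km / hours > max_speed_kmh):
                    reasons.append("impossible_travel")
            if reasons:
                anomalies.append({"user": user, "time": ts, "city": city,
                                  "reasons": reasons})
            seen_cities.add(city)
            prev = (t, lat, lon)
    return anomalies


if __name__ == "__main__":
    for a in find_anomalies(LOGINS):
        print(a)  # exec1's Tokyo login: new_location, impossible_travel
```

The analyst's Leeds/Manchester pattern is never flagged: the second city appears before a norm exists and the distance is trivially reachable, which is the kind of benign variation a per-user baseline has to absorb.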
Indeed, one of the most important areas to address with technology best practices
is identity management. In a world of hybrid clouds, proliferating devices and highly
mobile users, the network becomes a “zero trust” environment where the identity
of every user and device must be verified before access is granted. That’s because
countless IoT devices, RPA software, bots and other automated devices are already
banging on network doors, with many more coming soon.
By 2021, at least 25% of Forbes Global 2000 (G2000) companies will use blockchain services as a foundation for digital trust at scale. Source: IDC FutureScape: Worldwide IT Industry 2018 Predictions (Doc #US43171317 / Oct 30, 2017)
Reducing risk in intelligent applications
Artificial intelligence is often based on machine learning and can produce unexpected results.
In artificial intelligence (AI), unexpected outcomes leading to ethics breaches are a big risk factor. For example, is the AI biased and giving skewed or inaccurate search results, recommendations or predictions?
Part of a standard checklist for reducing risk in AI applications is to build AI forensics tools, use those tools to profile the AI algorithm, use the profile to anticipate behavior, and discuss the anticipated behavior with a diverse risk mitigation team.
AI forensics analyzes an AI model’s tendencies based on its output. You need a good log of input and corresponding output. You also need tools that can discover the most influential factors in how the model makes decisions. Using the tools, you can build a profile: the decisions the AI makes, the factors that it considers, and the weight of each factor.
By building a profile, you gain insight into the model’s behavior and tendencies. Profiling an algorithm doesn’t sacrifice performance. It’s not necessary to alter the function of the underlying algorithm. Nor is it necessary for the inner workings of the underlying algorithm to be fully transparent and explainable.
Some of the most useful profiling and analysis tools will, themselves, be based on machine learning. It turns out that machine learning is one of the best ways to protect against the unintended consequences of machine learning.
The final and most important step in the AI-ethics checklist is to discuss the results of forensics with a diverse group of people. Decide whether the potential security risk of an unexpected outcome is acceptable or whether changes need to be made before allowing the algorithm to continue in production.
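The profiling step of the checklist above, as an added example that is not part of the paper: the model is treated strictly as a black box, queried only through logged input/output pairs, and a profile of its decisions, the factors it reacts to, and each factor's weight is built by permutation sensitivity (shuffle one factor across the log, re-query, count changed decisions). The model, its factors and the log are all constructed stand-ins, and the per-group outcome table is an assumed way to surface the skew question raised in the callout.

```python
import random

# Constructed example: `opaque_model` stands in for a deployed decision model.
# The profiler never reads its internals; it only submits inputs and records outputs.
FACTORS = ("income", "age", "postcode_band", "tenure_months")


def opaque_model(record):
    """Stand-in for a production model (constructed, not a real system)."""
    score = (0.004 * record["income"]
             + 0.5 * record["tenure_months"]
             - 3.0 * record["postcode_band"])
    return "approve" if score > 300 else "decline"


def make_log(n=400, seed=7):
    """Constructed input log; in practice this is the production request log."""
    rng = random.Random(seed)
    return [{"income": rng.randint(20_000, 120_000),
             "age": rng.randint(18, 80),
             "postcode_band": rng.randint(1, 10),
             "tenure_months": rng.randint(0, 120)} for _ in range(n)]


def factor_influence(model, records, trials=5, seed=1):
    """Permutation sensitivity: shuffle one factor's values across the log,
    re-query the model, and measure how often the decision changes. The flip
    rates are normalised so the weights sum to 1."""
    rng = random.Random(seed)
    baseline = [model(r) for r in records]
    flips = {}
    for factor in FACTORS:
        changed = 0
        for _ in range(trials):
            shuffled = [r[factor] for r in records]
            rng.shuffle(shuffled)
            for i, r in enumerate(records):
                probe = dict(r, **{factor: shuffled[i]})
                if model(probe) != baseline[i]:
                    changed += 1
        flips[factor] = changed / (trials * len(records))
    total = sum(flips.values()) or 1.0
    return {f: round(v / total, 3) for f, v in flips.items()}


def outcome_by_group(model, records, factor):
    """Approval rate per value of `factor`, to surface skewed outcomes for the
    risk team to discuss."""
    groups = {}
    for r in records:
        approved, seen = groups.get(r[factor], (0, 0))
        groups[r[factor]] = (approved + (model(r) == "approve"), seen + 1)
    return {k: round(a / s, 3) for k, (a, s) in sorted(groups.items())}


def build_profile(model, records):
    """The profile the text describes: decisions made, factors considered,
    and the weight of each factor."""
    decisions = [model(r) for r in records]
    return {
        "approval_rate": round(decisions.count("approve") / len(decisions), 3),
        "factor_weights": factor_influence(model, records),
        "approval_by_postcode_band": outcome_by_group(model, records, "postcode_band"),
    }


if __name__ == "__main__":
    for key, value in build_profile(opaque_model, make_log()).items():
        print(key, value)
```

A factor the model ignores (here `age`) comes out with weight 0, while a factor that silently drives decisions shows up with a large weight even though the model's code was never inspected.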
A new vision for managed risk
Few organizations have achieved a fully transformed environment for enterprise risk.
Yet the contour of this new environment is already becoming clear.
As noted, machine learning will play a central new role. This technology can
automate an organization’s end-to-end response to security threats, from detection
to response. Speed is important because early detection reduces the likelihood of
further attacks. By orchestrating the organization’s responses to new vulnerabilities
with automation, systems can recover from breaches quickly.
Security threats are growing faster than organizations are able to add specialists
to thwart them, so organizations continue to find themselves shorthanded when
attempting to manage this explosion of security incidents. Compounded by the
widened scope of cyber-physical risks through the inclusion of IoT and OT systems,
most organizations will feel deluged by the risk management activity of these
concerns. The solution? Leveraging technology and services, including the cloud and
automation tools along with managed security services.
Ultimately, the business needs a single, converged view of technology risk across both
operational and security domains. Whether an application is taken down as a result
of a failed cooler in a server farm or a criminal action, the impact on the business is
similar. The incident response process is almost identical until the point at which an
adversary is detected. With security skills becoming part of the wider IT skillset, and
the dearth of pure-play security specialists, enterprises must employ a wider array of
multi-skilled people to address this challenge. It’s the only viable way forward.
As we factor in all of the principles discussed, we then have to think about how to
bring together our IT operations centers and security operations centers. We will
start to generate joint risk management frameworks that give the business a single
assessment of risk and associated levers to pull in reducing this risk.
How to get started
Ready to start protecting your organization against the new security risks? The
journey starts with four important steps:
1. Create both digital transformation and enterprise security roadmaps. These
two journeys are separate yet parallel.
2. Create a security team for digital transformation. Security team members need
to be a part of the digital transformation process and be able to articulate the
security risks this journey will likely entail. Consider working with a trusted security
partner who has broader expertise and experience to understand the risks and
accelerate delivery of results while adhering to the enterprise’s risk appetite.
3. Reengineer processes to enforce proactive security. The combination of new
privacy laws and new technologies will require most organizations to change the
way they operate. Robust security will need to be proactively designed and built in
from the start.
4. Ensure that you have the right technologies. To achieve the desired
transformation outcomes, you probably don’t have the right technology installed
today. If that’s the case, your organization will need to bring in new tools designed
to complement or replace existing technology.
In this way, organizations can implement a new approach to enterprise risk, one that
ensures they have robust security from the very start. It’s also an approach that can
protect against whatever new risks emerge — whether that’s today, tomorrow or beyond.
Development without integrated security and compliance will fail; progressive organizations have prioritized security due to uptime and compliance concerns, accelerating the need for agility and a curated open source software development portfolio; security-led development will be a priority for 90% of organizations by 2020. Source: IDC FutureScape: Worldwide Developer and DevOps 2018 Predictions (Doc #US42652317 / Oct 31, 2017)
How DXC and its partners can help
DXC’s Cyber Reference Architecture provides a structured way of ensuring that all areas of IT security are taken into consideration for resilience and for determining the appropriate balance between protect, detect and respond.
DXC Cyber Reference Architecture
Managing enterprise risk in a fast-changing environment isn’t
easy. But you can do it with help from DXC Technology and
our extensive network of industry-leading security partners,
including CA Technologies, F5, Micro Focus, Microsoft, Palo
Alto Networks, ServiceNow and Symantec.
DXC has deep experience with machine learning and cyber
security. We offer services including analytics and artificial
intelligence (AI), managed business intelligence, and internet
of things (IoT) analytics. We also offer security advisory
services, intelligent security operations, identity access and
management, data protection, cloud security and other
security products and services.
To help you manage risk, DXC has developed a unique,
structured approach to cyber resilience. Called the DXC Cyber
Reference Architecture (CRA), it contains nearly 350 discrete
security capabilities to ensure that all operational functions
are clearly defined.
Based on our work with some of the world’s largest
organizations, CRA describes the most effective ways to
manage risk. It also describes ways your organization can
detect and respond to cyber attacks — and recover your data
and restore normal operations.
CRA can also help you comply with the European Union’s
General Data Protection Regulation (GDPR) and other
industry or country regulations. CRA does this by developing
“security blueprints,” plans that accelerate the development of
GDPR and compliance programs.
In addition, we offer a new approach to intelligent security
orchestration, automation and response known as DXC
Intelligent Security Operations (ISecOps) Solutions. ISecOps
can help you modernize traditional delivery of security
services. ISecOps will transform your existing offerings and
provide innovative new solutions that address enterprise
security risk. ISecOps together with DXC BionixTM — our
digital-generation services delivery model — combine
security-incident response, threat intelligence, analytics, lean
development and automation. Underpinned by our new digital
generation platform for delivering and managing services,
Platform DXC, ISecOps and Bionix are game-changing
solutions to help organizations transform at scale.
Now is the time to act. Don’t be disrupted — be the disruptor.
Let us help you innovate and transform to differentiate with
speed and quality. That’s DXC. That’s Digital Delivered.
Learn more at dxc.technology/security
About the authors
Simon Arnell is a security chief technologist, Office of the CTO, at DXC Technology. He has a background in applied security research and development, and in running client proofs of concept. Previously, Simon led the commercialization of the DXC DNS monitoring service, and pioneered the use of software-defined networks for rapid incident response, as well as the application of stochastic process modeling and simulation for strategic security-policy decision support. Simon is also the lead author of DXC’s “Annual Cyber Security Predictions” report, a risk-oriented horizon scan of the industry and threat landscapes.
TM Ching is chief technology officer for Security at DXC Technology. TM is responsible for security strategy, focusing on the development of innovative capabilities to address the evolving threat landscape. He works closely with clients and internal teams to identify future technological evolutions and disruptions, and develop strategy roadmaps that help both clients and DXC achieve service-readiness to meet the technological changes of today and tomorrow.
Contributors
Jerry Overton, data scientist and industrialized AI lead, DXC Technology, and DXC Fellow
© Copyright 2019 DXC Technology Company. www.dxc.technology
dxc.technology/digitaldirections
As the world’s leading independent, end-to-end IT services company, DXC Technology (NYSE: DXC) leads digital transformations for clients by modernizing and integrating their mainstream IT, and by deploying digital solutions at scale to produce better business outcomes. The company’s technology independence, global talent, and extensive partner network enable 6,000 private and public-sector clients in 70 countries to thrive on change. DXC is a recognized leader in corporate responsibility. For more information, visit dxc.technology and explore THRIVE, DXC’s digital destination for changemakers and innovators.