Rethink risk and enterprise security in a digital world


Digital transformation promises to deliver new business value but also introduces new security risks that demand equally new and innovative responses. Organizations on a digital transformation journey must make a parallel trip, one that integrates security and risk management into DevOps and Continuous Delivery (CD) processes.

Security professionals need to be participating in DevOps/CD teams, bringing security aspects into the develop-to-deliver process and addressing built-in security capabilities and operational hooks to mitigate risk. Simultaneously, security operations teams gain access to more detailed logs, and deploy Machine Learning (ML) and Artificial Intelligence (AI) techniques to detect abnormal conditions. Overall, the newly integrated DevOps/CD/security processes, combined with new operational technologies, can make a material change in the enterprise’s risk posture. Ultimately, the business needs a single, converged view of technology risk across both operational and security domains.


As organizations continue their digital transformations, the transformation of security and risk management must be an integral part of that journey. Rather than bolting-on security at the end, organizations should plan for digital transformation and security together, simultaneously.

In fact, the best way to defend against next-generation threats in the digital age is a structured, enterprise-wide risk management strategy with well-defined governance and policies. The ultimate goal is to have resilient systems that can not only withstand cyber attacks, but also carry out mission-critical business operations after an attack.

This is no easy task, as the risk environment is changing quickly. An effective strategy must now address:

• Identity. As the network’s physical perimeter fades, the ability to authenticate the identity of users and devices — and to determine their proper level of access to both systems and data — becomes essential. Exacerbating this challenge is the exponential growth of mobility, the internet of things (IoT), automated apps and robotic process automation (RPA), and the widening scope of information security to include operational technology (OT) systems. User analytics must now consider both human and machine-generated behavior.

• Continuous compliance. Data-protection and privacy policies such as the European Union’s General Data Protection Regulation (GDPR) are too often addressed with ad hoc solutions. A superior approach involves building a security and privacy infrastructure that will prepare your organization to meet the demands of evolving policies.

• Incident response. Enterprises are no longer judged simply by whether they get breached, but how they respond to that breach. The public and regulators recognize that risk is prevalent and breaches will happen. What the public and regulators will not accept is sub-optimum breach response. We need robust incident response capabilities that are consistently tested, ensuring that from the board to the legal department, all are prepared to execute professional incident response that minimizes damage.

• Information and asset governance. Data is increasingly mobile. Recent incidents have included not only hostile actors making internal breaches, but supposedly legitimate third parties circumventing protections to access and store bulk client data. Enterprises need a security and privacy model that continually refreshes, moving with the data, and has appropriate self-destruct mechanisms when anomalies are detected.

• Federation. Third parties increasingly need access to corporate networks, creating a serious security challenge. How do you open your network to suppliers, partners and others while still protecting your systems and data?

By 2020, 60% of the Forbes Global 2000 (G2000) will use AI-based security. Source: IDC FutureScape: Worldwide IT Industry 2018 Predictions (Doc #US43171317 / Oct 30, 2017)


People, process and technology

As organizations develop an enterprise risk management strategy along with their digital transformation strategy, they can imagine the effort as a highway with three lanes: one for people, another for process, and a third for technology. (See Figure 1.)

People in an organization form its culture and are the first line of design and defense for security. For digital transformation to succeed, many organizations will need to transform the culture around risk. Here are a few changes that most likely will be needed:

• DevOps/Continuous Delivery teams become security practitioners. In the near future, security will transition from being a niche skill practiced in near isolation, to being a core capability of developers. This will require a mind-set shift for both security professionals and developers, who have operated in silos for a generation. The first step is to integrate security expertise at the inception of development projects. This will allow skills to diffuse between the parties and will, over the next several years, enable security to be truly baked in rather than bolted on.

• New respect for customer data. Processing and holding customer data can no longer be seen as a business right, but rather as a privilege. Organizations must quickly learn to use customer data with appropriate care, protecting customer privacy and keeping personal data more secure.

• Start small, then go big. When building new systems, it’s best to conceive of them as modules, each with security designed in from day one. In the past, many organizations would instead build monolithic systems, then apply a security “wrapper” after the design or development. But in an environment with thousands of mobile and IoT devices, that’s no longer sufficient. The newer, more effective approach involves building loosely coupled components, wherever possible, on a stateless/shared-nothing architecture with a zero trust mentality between modules.

Figure 1. Reducing risk with digital transformation. Three paths — people, process and technology — are changing quickly.

• Prepare for failure. With the further adoption of cloud computing, organizations no longer have total control over their computing or storage platforms. New risks are introduced, and some elements will fail. You can no longer try to design around these potential failures; instead, you must plan for them.

One powerful approach that requires a new cultural mind-set is known as resiliency engineering. This involves building systems so when one component goes down or is overwhelmed, its effect on the overall system is predictable.

A related approach, refined for distributed solutions by Netflix, is known as chaos engineering. Here, IT employees experiment against a working system daily by pushing unknown conditions, including shutting down on different assumptions, in the system to make sure continuous operations are possible. If not, the test group can see where the gaps are, and then improve the recovery automation.

Chaos engineering generally delivers better results than traditional site-oriented business-continuity testing. The latter is done under specific conditions, thereby failing to accurately mimic unexpected challenges.
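The two ideas above, a component whose failure has a predictable effect and an experiment that deliberately takes a dependency away to see what callers observe, can be shown in a few dozen lines. The following is an added example, not code from the paper or from DXC or Netflix: a circuit breaker wrapping a hypothetical pricing service, plus a scripted chaos experiment with an injected outage and recovery. The service, the clock and the cached fallback value are all constructed for the example.

```python
import time


class CircuitBreaker:
    """Wraps calls to a dependency so that a failing component has a bounded,
    predictable effect: after `failure_threshold` consecutive failures the
    breaker opens and callers get the fallback immediately, without touching
    the dependency, until `reset_after` seconds have passed."""

    def __init__(self, failure_threshold=3, reset_after=30.0, clock=time.monotonic):
        self.failure_threshold = failure_threshold
        self.reset_after = reset_after
        self.clock = clock  # injectable so an experiment can control time
        self.state = "closed"
        self.failures = 0
        self.opened_at = None

    def call(self, fn, fallback):
        if self.state == "open":
            if self.clock() - self.opened_at >= self.reset_after:
                self.state = "half-open"  # let one probe call through
            else:
                return fallback()
        try:
            result = fn()
        except Exception:
            self.failures += 1
            if self.state == "half-open" or self.failures >= self.failure_threshold:
                self.state = "open"
                self.opened_at = self.clock()
            return fallback()
        self.failures = 0
        self.state = "closed"
        return result


class FakeClock:
    """Deterministic clock so the experiment is repeatable."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class FlakyPricingService:
    """Constructed stand-in for a downstream dependency (hypothetical); the
    experiment flips `healthy` to inject an outage."""

    def __init__(self):
        self.healthy = True
        self.calls = 0

    def fetch_price(self):
        self.calls += 1
        if not self.healthy:
            raise ConnectionError("pricing service unavailable")
        return ("live", 10.0)


def run_chaos_experiment():
    """Inject an outage, record what callers see, then restore the dependency
    and confirm the system recovers without operator intervention."""
    clock = FakeClock()
    service = FlakyPricingService()
    breaker = CircuitBreaker(failure_threshold=3, reset_after=30.0, clock=clock.now)
    cached_price = ("cached", 9.99)  # degraded-mode answer: stale but predictable

    def get_price():
        return breaker.call(service.fetch_price, lambda: cached_price)

    report = {"before_outage": get_price()}

    service.healthy = False                      # chaos: dependency goes down
    calls_before = service.calls
    report["during_outage"] = []
    for _ in range(5):
        report["during_outage"].append(get_price())
        clock.advance(1.0)
    report["dependency_calls_during_outage"] = service.calls - calls_before
    report["state_after_outage"] = breaker.state

    service.healthy = True                       # dependency recovers
    report["after_recovery_before_cooldown"] = get_price()  # breaker still open
    clock.advance(30.0)
    report["after_cooldown"] = get_price()       # half-open probe succeeds
    report["final_state"] = breaker.state
    return report


if __name__ == "__main__":
    for key, value in run_chaos_experiment().items():
        print(f"{key}: {value}")
```

The report is the artifact the test group reads: during the outage callers always get the cached answer, the dependency is hit only three times before the breaker opens (so a struggling service is not hammered), and after the cool-down the first probe closes the breaker again. A gap found by such a run (for example, no sensible fallback existing for a given call) is what the recovery automation then gets improved to cover.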

LEF Perspective: The challenge of trusting data

We are living in a world of explosive data growth, and yet we are moving into a period where this data is coming more and more under question. In the consumer space, fake news is the latest paradigm driving this distrust. How can we trust what we are reading even when it looks as if it is coming from an authoritative source?

This challenge in a business context is equally scary. Just as organizations are learning to open themselves up to external data sources, open data sets, data feeds from third parties and data streams from devices, so too should they be thinking about how to ensure the provenance of that data.

When you combine this with the insatiable need of machine learning to have as much data as possible to learn and continually improve, things can get even more worrisome. Imagine replacing core business processes with those of an artificial intelligence (AI) that is making decisions on your behalf or dealing with customers in real-time scenarios, all based on the information the AI has been given to train its models. What if that information contains a bias that could lead to poor decisions or unethical behavior? What if a bad actor gets access to the data, or to the data ingest point, and is able to substitute your data with his or hers? This puts the bad actor in a very powerful position, with an ability to quickly change the behavior of your AI systems and, most likely, not for outcomes you’d want to be remembered for.

Adversarial data is and should be a concern to any company looking to rely on any forms of data. Ensuring the provenance of data is something that should be factored into any data exchange relationship. Could blockchain be the answer here? Quite possibly. But today the technology is too slow to allow fast “fluidity” of data through a system so that data can be used in real-time analysis. But for slower types of data, blockchain could well prove to be a good starting point to evolving a solution.

The balance of data fluidity and provenance of data is a hard one to get right. This challenge will drive an abundance of innovation in the coming years, to help organizations and individuals trust the data and information they are receiving.

Leading Edge Forum (LEF) is DXC Technology’s independent cross-industry think tank.
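The substitution the LEF piece worries about, a bad actor at the ingest point swapping records in a third-party feed, is exactly what a provenance check at that ingest point is meant to catch. The following is an added example, not code from the paper or from DXC: the supplier wraps each record in an envelope that is hash-chained to its predecessor and authenticated with an HMAC, and the consumer verifies the chain before any record reaches the training pipeline. The shared key, the feed records and the tampering scenarios are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed for this example: a secret shared with one data supplier.
# Hypothetical value; a real deployment provisions one per supplier.
SUPPLIER_KEY = b"example-shared-secret-do-not-use"

# Constructed sample feed: three price records from a third-party supplier.
RECORDS = [
    {"id": 1, "symbol": "ABC", "price": 10.00},
    {"id": 2, "symbol": "ABC", "price": 11.50},
    {"id": 3, "symbol": "ABC", "price": 9.75},
]

GENESIS = "0" * 64  # link value before the first record


def _canonical(record):
    # Deterministic bytes so supplier and consumer hash exactly the same thing.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _link(prev, record):
    # Each link commits to the record's content and to the previous link,
    # so a change anywhere earlier in the feed breaks every later link.
    return hashlib.sha256(prev.encode() + _canonical(record)).hexdigest()


def _mac(key, seq, prev, link):
    # Authenticates the record's position (seq, prev) as well as its content.
    return hmac.new(key, f"{seq}:{prev}:{link}".encode(), hashlib.sha256).hexdigest()


def sign_feed(records, key=SUPPLIER_KEY):
    """Supplier side: wrap each record in an envelope that chains it to its
    predecessor and authenticates the chain position with an HMAC."""
    envelopes = []
    prev = GENESIS
    for seq, record in enumerate(records):
        link = _link(prev, record)
        envelopes.append({"seq": seq, "prev": prev, "body": dict(record),
                          "mac": _mac(key, seq, prev, link)})
        prev = link
    return envelopes


def verify_feed(envelopes, key=SUPPLIER_KEY):
    """Consumer side, at the ingest point. Returns (True, None) if every record
    is authentic and in order, else (False, index_of_first_bad_record)."""
    prev = GENESIS
    for expected_seq, env in enumerate(envelopes):
        if env["seq"] != expected_seq or env["prev"] != prev:
            return False, expected_seq   # record dropped, reordered or replayed
        link = _link(prev, env["body"])
        if not hmac.compare_digest(_mac(key, env["seq"], prev, link), env["mac"]):
            return False, expected_seq   # body or envelope header substituted
        prev = link
    return True, None


if __name__ == "__main__":
    feed = sign_feed(RECORDS)
    print("clean feed:", verify_feed(feed))
    feed[1]["body"]["price"] = 99.0   # someone substitutes one value in transit
    print("substituted record:", verify_feed(feed))
```

Because the HMAC uses a key both parties hold, it proves integrity and origin only between those two parties; it does not let the consumer prove to a third party which supplier sent a record. For the slower, ledger-style use the piece contemplates, the same chain can be signed with the supplier's asymmetric key instead, at the cost of the per-record latency that makes it unsuitable for the real-time path.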


Process is the second lane on the enterprise risk highway, relating to how an organization approaches its business processes. This might involve moving from ITIL to DevOps or other automation-friendly approaches. It could also mean integrating cloud providers that have security and privacy features built in.

That becomes especially important if the shift to cloud involves use of “serverless” computing environments. Moving workloads to the public cloud still requires you to manage the underlying cloud infrastructure. But with serverless, when you switch on a web service, you no longer have to worry about that infrastructure; that becomes the responsibility of the cloud provider, making it more important to select the right vendor.

Many cloud suppliers today offer highly resilient environments, but some risk will remain. Risk that evades even the best attempts at detection and prevention is known as “residual risk.” Fortunately, organizations have a new way to hedge their residual risk: cyber insurance.

When all else fails, cyber insurance can act as an organization’s final safety net, addressing residual risk. Payments from a cyber insurance policy could go to IT for restoring systems, to finance for reimbursing affected customers and to public relations for repairing the organization’s reputation.

Still, cyber insurance should not be considered a panacea. Like most insurance policies, it is part of the overall resiliency that organizations need. Traditional insurers enjoy sophisticated and time-proven tools, including actuarial tables, to help them assign and manage risk profitably. Cyber insurers are still gathering insights, adjusting offerings and introducing more tools to best assign risk and manage it.

Also, while an organization can transfer some risk with cyber insurance, it still can’t transfer responsibility. Diligence and simulation remain vital.

Technology is the third lane on the risk highway. Emerging technologies can present new risks, but they can also help address risk. Many top technology companies, for example, are using technologies to automate processes in a way that’s secure. Their best practices will become the common practices of organizations in all industries.

Machine learning, a subset of artificial intelligence (AI), has become a viable tool for threat detection because it can detect anomalies. For example, if an executive most often logs in from her office in London, then that’s her norm. But if one night that same executive logs in from Tokyo, that’s an anomaly. It could be harmless, but what if a cyber criminal is impersonating the executive and attempting to gain access to the network? Either way, it’s something to detect, check out and, if warranted, take action against.

Machine learning is critical because it addresses scalability. If you have a handful of mobile users and IoT and OT devices to monitor, you could handle the work with current staff. But it is more likely you have thousands of mobile users — each with their own working patterns and locations (e.g., office workers, contractors, field workers, teleworkers) and each owning multiple devices — and even more IoT and OT devices.

Suddenly, the task of establishing a norm for each user and device, watching for anomalies and then deciding which ones require preventive action moves beyond human capabilities. Machine learning can automate this process and keep a much tighter watch on who — and what — is allowed onto the network.
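The London-to-Tokyo example above is a per-identity baseline followed by scoring of each new event against it. The following is an added example, not code from the paper or from DXC, that implements that shape over a few constructed authentication log lines: build a norm (countries and hours of day seen) for every user with enough history, then report only the logins that deviate, with the reason, so an analyst checks a handful of events rather than all of them. The log format and the user names are assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample authentication log lines (not from the paper):
# "<UTC timestamp> <user> <ISO country code>".
HISTORY = [
    "2020-05-01T08:02:00Z alice GB",
    "2020-05-04T08:45:00Z alice GB",
    "2020-05-05T09:10:00Z alice GB",
    "2020-05-06T08:30:00Z alice GB",
    "2020-05-07T17:55:00Z alice GB",
    "2020-05-08T08:20:00Z alice GB",
]
NEW_LOGINS = [
    "2020-05-11T09:05:00Z alice GB",   # within her norm
    "2020-05-12T02:40:00Z alice JP",   # new country, unusual hour
    "2020-05-12T08:10:00Z bob GB",     # no history for this user
]


def parse(line):
    ts, user, country = line.split()
    hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour
    return user, country, hour


def build_baselines(lines, min_events=5):
    """Per-user norm: which countries and which hours of day have been seen.
    Users with fewer than min_events logins get no baseline (too little data
    to call anything normal)."""
    countries = defaultdict(Counter)
    hours = defaultdict(Counter)
    for line in lines:
        user, country, hour = parse(line)
        countries[user][country] += 1
        hours[user][hour] += 1
    return {user: {"countries": countries[user], "hours": hours[user]}
            for user in countries if sum(countries[user].values()) >= min_events}


def _near(hour, seen, tolerance=2):
    # Distance on a 24-hour circle, so 23:00 and 01:00 count as two hours apart.
    d = abs(hour - seen) % 24
    return min(d, 24 - d) <= tolerance


def score_login(baselines, line):
    """Reasons this login deviates from the user's norm; empty list = normal."""
    user, country, hour = parse(line)
    norm = baselines.get(user)
    if norm is None:
        return ["no baseline for user"]
    reasons = []
    if norm["countries"][country] == 0:
        usual = norm["countries"].most_common(1)[0][0]
        reasons.append(f"country {country} never seen (usual: {usual})")
    if not any(_near(hour, seen) for seen in norm["hours"]):
        reasons.append(f"hour {hour:02d} outside usual login window")
    return reasons


def detect(history, new_logins):
    """Return only the logins that deviate, with reasons, for an analyst to check."""
    baselines = build_baselines(history)
    alerts = []
    for line in new_logins:
        reasons = score_login(baselines, line)
        if reasons:
            alerts.append({"user": parse(line)[0], "line": line, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(HISTORY, NEW_LOGINS):
        print(alert["line"], "->", "; ".join(alert["reasons"]))
```

The hand-written country and hour rules stand in for the learned model the paper describes; what carries over unchanged is the structure that makes the approach scale: one baseline per identity (users today, devices the same way), every new event scored against it, and only the deviations, with their reasons, handed to a person.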

Indeed, one of the most important areas to address with technology best practices is identity management. In a world of hybrid clouds, proliferating devices and highly mobile users, the network becomes a “zero trust” environment where the identity of every user and device must be verified before access is granted. That’s because countless IoT devices, RPA software, bots and other automated devices are already banging on network doors, with many more coming soon.

By 2021, at least 25% of Forbes Global 2000 (G2000) companies will use blockchain services as a foundation for digital trust at scale. Source: IDC FutureScape: Worldwide IT Industry 2018 Predictions (Doc #US43171317 / Oct 30, 2017)


Reducing risk in intelligent applications

Artificial intelligence is often based on machine learning and can produce unexpected results.

In artificial intelligence (AI), unexpected outcomes leading to ethics breaches are a big risk factor. For example, is the AI biased and giving skewed or inaccurate search results, recommendations or predictions?

Part of a standard checklist for reducing risk in AI applications is to build AI forensics tools, use those tools to profile the AI algorithm, use the profile to anticipate behavior, and discuss the anticipated behavior with a diverse risk mitigation team.

AI forensics analyzes an AI model’s tendencies based on its output. You need a good log of input and corresponding output. You also need tools that can discover the most influential factors in how the model makes decisions. Using the tools, you can build a profile: the decisions the AI makes, the factors that it considers, and the weight of each factor.

By building a profile, you gain insight into the model’s behavior and tendencies. Profiling an algorithm doesn’t sacrifice performance. It’s not necessary to alter the function of the underlying algorithm. Nor is it necessary for the inner workings of the underlying algorithm to be fully transparent and explainable.

Some of the most useful profiling and analysis tools will, themselves, be based on machine learning. It turns out that machine learning is one of the best ways to protect against the unintended consequences of machine learning.

The final and most important step in the AI-ethics checklist is to discuss the results of forensics with a diverse group of people. Decide whether the potential security risk of an unexpected outcome is acceptable or whether changes need to be made before allowing the algorithm to continue in production.
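The profile the checklist asks for (decisions made, factors considered, weight of each) can be built from nothing more than an input/output log and the ability to query the model, which is what lets it work on an algorithm whose internals are neither altered nor explainable. The following is an added example, not code from the paper or from DXC: a constructed black-box loan model, a constructed decision log, and a profiler that measures each factor's influence by swapping that factor's value between logged applicants and counting how many decisions change (a deterministic form of permutation importance). The model's scoring rule, the applicants and the feature names are all assumptions made for the example.

```python
from collections import Counter

# Constructed stand-in for a production model that we treat as a black box:
# the profiler only calls it and never reads its internals. Hypothetical rule.
APPROVAL_THRESHOLD = 200


def black_box_model(applicant):
    score = 4 * applicant["income"] - 6 * applicant["debt"]
    if applicant["zip_prefix"] in (100, 101):   # hidden location bonus
        score += 150
    return "approve" if score >= APPROVAL_THRESHOLD else "deny"


# Constructed input/output log, as it would be captured from the model in production.
INPUTS = [
    {"income": 60, "debt": 10, "age": 30, "zip_prefix": 100},
    {"income": 40, "debt": 20, "age": 45, "zip_prefix": 200},
    {"income": 50, "debt": 5,  "age": 28, "zip_prefix": 101},
    {"income": 55, "debt": 30, "age": 52, "zip_prefix": 300},
    {"income": 70, "debt": 40, "age": 38, "zip_prefix": 200},
    {"income": 45, "debt": 5,  "age": 61, "zip_prefix": 400},
    {"income": 80, "debt": 20, "age": 33, "zip_prefix": 100},
    {"income": 30, "debt": 0,  "age": 24, "zip_prefix": 101},
]
LOG = [(x, black_box_model(x)) for x in INPUTS]


def replay_matches(model, log):
    """Sanity check before profiling: the model still returns the logged
    decision for every logged input (otherwise the log describes a different model)."""
    return all(model(x) == y for x, y in log)


def factor_influence(model, log, feature):
    """Fraction of logged decisions that change when `feature` is swapped between
    applicants (each row takes the next row's value: a fixed permutation, so the
    result is repeatable). The model is only queried, never modified."""
    inputs = [x for x, _ in log]
    rotated = [x[feature] for x in inputs[1:]] + [inputs[0][feature]]
    changed = 0
    for (x, logged_decision), value in zip(log, rotated):
        perturbed = dict(x, **{feature: value})
        if model(perturbed) != logged_decision:
            changed += 1
    return changed / len(log)


def build_profile(model, log):
    """The profile the checklist calls for: the decision mix, the factors
    considered, each factor's weight, and the factors the model ignores."""
    features = sorted(log[0][0])
    weights = {f: factor_influence(model, log, f) for f in features}
    ranked = sorted(weights, key=lambda f: (-weights[f], f))
    return {
        "decisions": dict(Counter(y for _, y in log)),
        "factor_weights": weights,
        "ranked_factors": ranked,
        "ignored_factors": [f for f in ranked if weights[f] == 0.0],
    }


if __name__ == "__main__":
    assert replay_matches(black_box_model, LOG)
    for key, value in build_profile(black_box_model, LOG).items():
        print(f"{key}: {value}")
```

On this log the profile ranks the zip-code prefix, a location proxy, above income and debt, and shows age is never consulted. That is the kind of anticipated behaviour the checklist says to put in front of a diverse review team before the model stays in production. With a real model, replace the single fixed rotation with several random permutations and average the change rates, and keep the production log read-only so profiling cannot feed back into the model.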


A new vision for managed risk

Few organizations have achieved a fully transformed environment for enterprise risk. Yet the contour of this new environment is already becoming clear.

As noted, machine learning will play a central new role. This technology can automate an organization’s end-to-end response to security threats, from detection to response. Speed is important because early detection reduces the likelihood of further attacks. By orchestrating the organization’s responses to new vulnerabilities with automation, systems can recover from breaches quickly.

Security threats are growing faster than organizations are able to add specialists to thwart them, so organizations continue to find themselves shorthanded when attempting to manage this explosion of security incidents. Compounded by the widened scope of cyber-physical risks through the inclusion of IoT and OT systems, most organizations will feel deluged by the risk management activity of these concerns. The solution? Leveraging technology and services, including the cloud and automation tools along with managed security services.

Ultimately, the business needs a single, converged view of technology risk across both operational and security domains. Whether an application is taken down as a result of a failed cooler in a server farm or a criminal action, the impact on the business is similar. The incident response process is almost identical until the point at which an adversary is detected. With security skills becoming part of the wider IT skillset, and the dearth of pure-play security specialists, enterprises must employ a wider array of multi-skilled people to address this challenge. It’s the only viable way forward.

As we factor in all of the principles discussed, we then have to think about how to bring together our IT operations centers and security operations centers. We will start to generate joint risk management frameworks that give the business a single assessment of risk and associated levers to pull in reducing this risk.


How to get started

Ready to start protecting your organization against the new security risks? The journey starts with four important steps:

1. Create both digital transformation and enterprise security roadmaps. These two journeys are separate yet parallel.

2. Create a security team for digital transformation. Security team members need to be a part of the digital transformation process and be able to articulate the security risks this journey will likely entail. Consider working with a trusted security partner who has broader expertise and experience to understand the risks and accelerate delivery of results while adhering to the enterprise’s risk appetite.

3. Reengineer processes to enforce proactive security. The combination of new privacy laws and new technologies will require most organizations to change the way they operate. Robust security will need to be proactively designed and built in from the start.

4. Ensure that you have the right technologies. To achieve the desired transformation outcomes, you probably don’t have the right technology installed today. If that’s the case, your organization will need to bring in new tools designed to complement or replace existing technology.

In this way, organizations can implement a new approach to enterprise risk, one that ensures they have robust security from the very start. It’s also an approach that can protect against whatever new risks emerge — whether that’s today, tomorrow or beyond.

Development without integrated security and compliance will fail; progressive organizations have prioritized security due to uptime and compliance concerns, accelerating the need for agility and a curated open source software development portfolio; security-led development will be a priority for 90% of organizations by 2020. Source: IDC FutureScape: Worldwide Developer and DevOps 2018 Predictions (Doc #US42652317 / Oct 31, 2017)


How DXC and its partners can help

DXC Cyber Reference Architecture. DXC’s Cyber Reference Architecture provides a structured way of ensuring that all areas of IT security are taken into consideration for resilience and for determining the appropriate balance between protect, detect and respond.

Managing enterprise risk in a fast-changing environment isn’t easy. But you can do it with help from DXC Technology and our extensive network of industry-leading security partners, including CA Technologies, F5, Micro Focus, Microsoft, Palo Alto Networks, ServiceNow and Symantec.

DXC has deep experience with machine learning and cyber security. We offer services including analytics and artificial intelligence (AI), managed business intelligence, and internet of things (IoT) analytics. We also offer security advisory services, intelligent security operations, identity access and management, data protection, cloud security and other security products and services.

To help you manage risk, DXC has developed a unique, structured approach to cyber resilience. Called the DXC Cyber Reference Architecture (CRA), it contains nearly 350 discrete security capabilities to ensure that all operational functions are clearly defined.

Based on our work with some of the world’s largest organizations, CRA describes the most effective ways to manage risk. It also describes ways your organization can detect and respond to cyber attacks — and recover your data and restore normal operations.

CRA can also help you comply with the European Union’s General Data Protection Regulation (GDPR) and other industry or country regulations. CRA does this by developing “security blueprints,” plans that accelerate the development of GDPR and compliance programs.

In addition, we offer a new approach to intelligent security orchestration, automation and response known as DXC Intelligent Security Operations (ISecOps) Solutions. ISecOps can help you modernize traditional delivery of security services. ISecOps will transform your existing offerings and provide innovative new solutions that address enterprise security risk. ISecOps together with DXC Bionix™ — our digital-generation services delivery model — combine security-incident response, threat intelligence, analytics, lean development and automation. Underpinned by our new digital generation platform for delivering and managing services, Platform DXC, ISecOps and Bionix are game-changing solutions to help organizations transform at scale.

Now is the time to act. Don’t be disrupted — be the disruptor. Let us help you innovate and transform to differentiate with speed and quality. That’s DXC. That’s Digital Delivered.

Learn more at dxc.technology/security


About the authors

Simon Arnell is a security chief technologist, Office of the CTO, at DXC Technology. He has a background in applied security research and development, and in running client proofs of concept. Previously, Simon led the commercialization of the DXC DNS monitoring service, and pioneered the use of software-defined networks for rapid incident response, as well as the application of stochastic process modeling and simulation for strategic security-policy decision support. Simon is also the lead author of DXC’s “Annual Cyber Security Predictions” report, a risk-oriented horizon scan of the industry and threat landscapes.

TM Ching is chief technology officer for Security at DXC Technology. TM is responsible for security strategy, focusing on the development of innovative capabilities to address the evolving threat landscape. He works closely with clients and internal teams to identify future technological evolutions and disruptions, and develop strategy roadmaps that help both clients and DXC achieve service-readiness to meet the technological changes of today and tomorrow.

Contributors

Jerry Overton, data scientist and industrialized AI lead, DXC Technology, and DXC Fellow

© Copyright 2019 DXC Technology Company

www.dxc.technology

dxc.technology/digitaldirections

As the world’s leading independent, end-to-end IT services company, DXC Technology (NYSE: DXC) leads digital transformations for clients by modernizing and integrating their mainstream IT, and by deploying digital solutions at scale to produce better business outcomes. The company’s technology independence, global talent, and extensive partner network enable 6,000 private and public-sector clients in 70 countries to thrive on change. DXC is a recognized leader in corporate responsibility. For more information, visit dxc.technology and explore THRIVE, DXC’s digital destination for changemakers and innovators.