By Dr. May Wang, CTO of IoT Security at Palo Alto Networks and the Co-founder, Chief Technology Officer (CTO), and board member of Zingbox

At the foundation of cybersecurity is the need to understand your risks and how to minimize them. Individuals and organizations often think about risk in terms of what they’re trying to protect. In the IT world, risk is mostly discussed in terms of data, with terms like data privacy, data leakage and data loss. But there is more to cybersecurity risk than protecting data. So, what should our security risk management strategies consider? Protecting data and blocking known vulnerabilities are sound tactics, but they are not the only things CISOs should be considering and doing. What’s often missing is a comprehensive approach to risk management and a strategy that covers more than data.

The modern IT enterprise certainly consumes and generates data, but it also contains myriad devices, including IoT devices, which are often not under the direct supervision or control of central IT operations. Data loss is a risk, but so are service interruptions, especially as IoT and OT devices play increasingly critical roles across society. In a healthcare setting, for example, the failure of a medical device can have life-or-death consequences.

Challenges of Security Risk Management

Attacks change all the time, and device configurations are often in flux. Just as IT itself is always in motion, risk management is not static.

Risk management is dynamic, so treating risk as a point-in-time exercise misses the mark. Evaluating risk means considering multiple dimensions of the IT and IoT landscape: different users, applications, deployment locations and usage patterns all need to be managed for risk, and all of them change often and regularly.

Security risk management faces a number of challenges, not the least of which is the sheer size and complexity of the IT and IoT estate. CISOs today can easily be overwhelmed by information coming from an ever-growing number of devices. Alongside the volume is a wide variety of device types, each with its own attack surface. Accurately documenting every IT and IoT asset and the particular risk each one represents is not something a human can do by hand. Managing a diverse array of policies, devices and access controls across a distributed enterprise in a way that minimizes risk is not a trivial task.

A Better Strategy to Manage Security Risks

Security risk management is not a single task or a single tool. It’s a strategy with several key components that help CISOs eliminate gaps and lay the groundwork for positive outcomes.

Establishing visibility. To eliminate gaps, organizations first need to know what they have. IT and IoT asset management isn’t just about knowing which managed devices are present; it also means discovering unmanaged IoT devices and knowing, at all times, which operating systems and application versions are running on them. A device that cannot be identified cannot be risk-rated or patched.

Ensuring continuous monitoring. Risk is not static, and monitoring shouldn’t be either. Continuous monitoring of change, including who is accessing the network, where devices are connecting and what applications are doing, is critical to managing risk.

Focusing on network segmentation. In the event of a security incident, risk can often be reduced by limiting the “blast radius” of a threat. With network segmentation, where services and devices run only on specific segments of the network and only the flows a workflow actually needs are allowed between segments, the attack surface shrinks, and unseen or unmanaged IoT devices can no longer serve as springboards for attacks on other parts of the network. Instead of an exploit in one system affecting the entire organization, the impact is limited to the segment that was attacked. The caveat is that segmentation only delivers this when the rules between segments default to deny; a segment that is allowed to reach everything is just a flat network with labels.

Prioritizing threat prevention. Threat prevention technologies such as endpoint and network protection are also foundational components of an effective security risk management strategy. Equally important is having the right policy configuration and least-privilege access in place on endpoints, including IoT devices, and in network protection technologies, so that potential attacks are prevented before they happen.

Executing the strategic components above at scale is best achieved with machine learning and automation. With the growing volume of data, network traffic and devices, it’s simply not possible for any one human, or even a group of humans, to keep up. Machine learning-based automation makes it possible to rapidly identify all IT, IoT, OT and BYOD devices to improve visibility, correlate activity for continuous monitoring, recommend the right policies for least-privilege access, suggest optimized configurations for network segmentation and add an additional layer of security with proactive threat prevention.
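As an added illustration of the visibility and segmentation points above (example code, not the article’s own), the following Python models a device inventory and a segment-to-segment allow policy, lists the unmanaged and unidentified devices a visibility pass would flag, and computes the blast radius from a compromised device under a flat network and under a default-deny segmented policy. The device names, segments, OS strings and policy flows are constructed for the example.

```python
"""Added example (not from the article): visibility gaps and blast radius
over a constructed device inventory and a segment-to-segment allow policy.
Every device, segment and flow below is made up for the demonstration."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    segment: str      # network segment the device is connected to
    managed: bool     # True if central IT manages and patches it
    os: str           # fingerprinted OS, "unknown" if it could not be identified


# Constructed inventory, as a visibility step would produce it.
INVENTORY = [
    Device("nurse-ws-01", "corp", True, "Windows 11"),
    Device("ehr-db-01", "datacenter", True, "RHEL 9"),
    Device("infusion-pump-01", "clinical", False, "Embedded Linux 3.10"),
    Device("infusion-pump-02", "clinical", False, "Embedded Linux 3.10"),
    Device("ip-camera-07", "iot", False, "unknown"),
    Device("hvac-plc-01", "ot", False, "VxWorks 6.9"),
]

SEGMENTS = sorted({d.segment for d in INVENTORY})

# A policy is the set of (source_segment, destination_segment) flows the
# network allows. Devices inside one segment are assumed to reach each other
# freely (a layer-2 assumption; micro-segmentation would tighten this).
FLAT_POLICY = {(a, b) for a in SEGMENTS for b in SEGMENTS}

# Default-deny policy allowing only the flows the clinical workflow needs.
SEGMENTED_POLICY = {
    ("corp", "clinical"),        # nurse workstations manage the pumps
    ("corp", "datacenter"),      # workstations query the EHR
    ("clinical", "datacenter"),  # pumps report readings to the EHR
}


def unmanaged_devices(inventory):
    """Visibility gap: devices that central IT does not manage."""
    return sorted(d.name for d in inventory if not d.managed)


def unidentified_devices(inventory):
    """Devices whose OS could not be fingerprinted; they cannot be risk-rated."""
    return sorted(d.name for d in inventory if d.os == "unknown")


def reachable_segments(start, policy):
    """Segments an attacker can pivot into from `start`, following allowed
    flows transitively: a host compromised in segment B is a new source."""
    adjacency = {}
    for src, dst in policy:
        adjacency.setdefault(src, set()).add(dst)
    seen = {start}
    queue = deque([start])
    while queue:
        seg = queue.popleft()
        for nxt in adjacency.get(seg, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(device_name, inventory, policy):
    """Names of the other devices an attacker who owns `device_name` can reach."""
    by_name = {d.name: d for d in inventory}
    start = by_name[device_name]
    segs = reachable_segments(start.segment, policy)
    return sorted(d.name for d in inventory
                  if d.segment in segs and d.name != device_name)


if __name__ == "__main__":
    print("unmanaged:", unmanaged_devices(INVENTORY))
    print("unidentified:", unidentified_devices(INVENTORY))
    for name in ("ip-camera-07", "nurse-ws-01"):
        print(name, "flat:", blast_radius(name, INVENTORY, FLAT_POLICY))
        print(name, "segmented:", blast_radius(name, INVENTORY, SEGMENTED_POLICY))
```

On the flat network the unidentified camera can reach every other device; under the segmented policy it reaches nothing outside its own segment, while a nurse workstation still reaches the pumps and the EHR database because those flows were explicitly allowed. Note that reachability is transitive: allowing corp to reach clinical and clinical to reach the datacenter means a compromised workstation can pivot through a pump, which is why each allowed flow needs a justification and a device-level policy behind it.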

About Dr. May Wang:

Dr. May Wang is the CTO of IoT Security at Palo Alto Networks and the Co-founder, Chief Technology Officer (CTO), and board member of Zingbox, which was acquired by Palo Alto Networks in 2019 for its Internet of Things (IoT) security solutions.


As companies pursue data-first modernization to deliver best-in-class experiences and drive innovation, protecting and managing data at scale become core challenges. Given the diversity of data and the range of data-driven use cases, it’s important to align with a robust partner ecosystem, which can help IT teams map the right set of services to their workflows and ensure that data is securely managed and accessible regardless of location.

Data volume has become a challenge for organizations as the size and velocity of data increase, yet there’s no singular, one-size-fits-all framework for secure data storage and management. According to IDC, global data creation and replication will grow at a compound annual growth rate (CAGR) of 23% through 2025. Organizations therefore need access to a range of solutions for storing sensitive data at scale, especially in light of mounting regulations that vary by geography and industry; two well-known examples are GDPR in Europe and the HIPAA privacy rules for health information in the U.S.

With data well situated as the lifeblood of organizations and as a core competitive differentiator, data security becomes paramount. The rise in ransomware attacks and other cybersecurity breaches has raised awareness of the issue and made securing the IT estate a top C-suite priority.

Upgrading IT and data security to reduce corporate risk was the No. 1 CEO priority for respondents to the IDG/Foundry “State of the CIO Study 2022” research, cited by a third of the respondents. Almost half (49%) called out increasing cybersecurity protections as the top business initiative driving IT investments this year, up from 34% in 2021.

The push for elevated cybersecurity protections is also filtering down into storage and data management requirements. Gartner research shows that 60% of all enterprises will require storage products to have integrated ransomware defense and mitigation mechanisms by 2025, up from 10% in 2022.

As enterprises modernize with cloud, connectivity, and data, they are gravitating to technology-as-a-service models to refashion their IT estates. Traditionally these IT ecosystems feature silos spread across multiple environments, including on-premises data centers, colocation facilities at the edge, and diverse cloud platforms. Compounding the complexity are multigenerational IT and the challenge of establishing resilience and cybersecurity across workloads, given the disparity of those environments and mounting cybersecurity, regulatory, and privacy demands.

Without an overall strategy for modernization, companies risk mismanaging their edge-to-cloud data efforts, either overprovisioning, which incurs unnecessary costs, or underprovisioning, which impedes their ability to fully deliver for customers or hit key business goals. They may also lack on-staff expertise to design and manage robust cybersecurity protocols.

“Customers want to be provided with integrated and optimized hardware and software platforms … to make sure there’s no disruption at all in the business,” says Valerie Da Fonseca, worldwide GreenLake and GTM senior director at HPE. “The key here is to shape the right data strategy so you simplify data management and provide access controls in an as-a-service model.”

Partner Ecosystem at Work

A rich partner ecosystem is essential for delivering next-generation secure data management and protection from edge to cloud. HPE GreenLake’s backup-and-recovery services help companies meet data protection service-level agreements (SLAs) without making upfront capital investments or taking on overprovisioning risk. On-demand cloud backup and recovery services provide resilience at scale and allow an agile response to changing business needs. Preconfigured on-premises solutions extend the options, and a rich ecosystem of third-party partners gives customers choice.

The HPE GreenLake data protection portfolio delivers next-generation data protection services, from design and implementation to delivery, with no vendor lock-in. The life cycle starts with HPE’s Zerto ransomware protection and disaster recovery services and extends to hybrid cloud data protection with the HPE Backup and Recovery Service. Last but not least, HPE offers on-premises data protection with HPE StoreOnce, a modernized data management solution for hybrid cloud that simplifies operations and delivers data protection based on common SLAs. Additional backup-and-recovery options from ISV partners such as Veeam, Commvault, and Cohesity complete the picture, giving HPE GreenLake for Data Protection Services a breadth of choice that makes backup-and-recovery operations seamless and automated.

“The partner ecosystem delivers a comprehensive, end-to-end suite of services that adds value to HPE’s data protection strategy,” Da Fonseca says. “We are integrating everything into our hardware and HPE GreenLake as-a-service platform, and the solutions can be located everywhere and anywhere and be fully managed if customers don’t have the staff.”

To ensure the right data management/protection mix, HPE works with customers to understand their business needs and IT management challenges, creating a holistic strategy that encompasses the right partners and operating model. That level of comprehensive planning is crucial to safeguarding data and ensuring an end-to-end data management strategy that truly mitigates risk and meets the needs of the business. At the same time, making data protection available as a service streamlines the customer experience, providing time-to-market and cost advantages.

“It’s really about faster access to the insights that the business needs to make better decisions around innovation and customer experience,” she says. “Having one operating model with all the IT environments connected in the right way means customers don’t have to worry about where data resides. They can get the right benefits and insights out of data without managing it or worrying about compliance and security risks.”
