“Holistic” is one of the most popular terms used across the IT industry. Almost every enterprise and every vendor claims their approach to problem-solving as being holistic. Yet in explaining it, they typically state that they either address the problem in its entirety, provide a complete solution, or have all products and components necessary to make their solution “holistic”.  In many or most cases, they simply rephrase some dictionary definition such as “relating to the whole of something or to the total system instead of just its parts” as defined by the Cambridge Dictionary.

Instead of debating whether such a liberal use of the term “holistic” is proper, we offer what we think is a reasonably formal and practical definition of a holistic approach and assessment.

Assessment of an enterprise posture is holistic when the following requirements have been satisfied: 

1. Collection and aggregation of a variety of heterogeneous data classes. 
2. Correlation of these heterogeneous data classes.
3. Contextual assessment of the correlated data classes 
4. Assignment of a single assessment score that defines the posture the enterprise.

A holistic approach is ensured by the above four principles:

• Collection and aggregation of heterogeneous data-classes and subclasses creates a source of data that enables analysis of all or most aspects of the enterprise. (e.g., not only application security, or not only developer effectiveness, or not only asset utilization, or not only third-party vendor reputation, etc., but all of them).
• Correlation: Just collecting and aggregating various data classes is not enough: they should be correlated. Correlation means establishing relationships between different data classes (e.g., security and reputation), which enables bridging different aspects of an enterprise, thus expanding the range of visibility (observability)). Correlation serves as a preliminary step to Contextual Assessment.

• Contextual Assessment means taking under consideration not just an isolated event or a data-element, but also the circumstances that made it happen. Context makes assessment credible and justifiable, as it enables analysis from the various angles/aspects. Contextual assessment enables prioritization (e.g., contextual assessment will enable prioritizing remediation efforts: out of two equally severe vulnerabilities, the higher remediation priority gets the vulnerability discovered in the application with a higher business-criticality). Correlation and contextual assessment enable optimal decision-making by bridging different aspects of the enterprise (e.g., security, assets utilization, developer efficiency, third-party risk) thus enabling to make decisions that are best for the entire enterprise, not just for one of its divisions/aspects (possibly harming other divisions/aspects).
• Assignment of a single assessment score (or a minimal number of scores) to the enterprise’s posture.
  • Collecting and aggregating various data classes, along with the benefits, also poses a risk of being lost in the ocean of data. Unable to handle such a variety and volume, enterprise decision-makers often use a few out of many data classes, limiting the number of data classes, thus making arbitrary decisions that often prove to be suboptimal. The solution is the following: enterprises should be collecting a massive variety of data classes covering all enterprises’ aspects yet assessing the posture with a single score. 
  • The single score will enable an easy grasp of the enterprise’s posture. At the same time, the score should be composite, allowing decision makers to drill into specific aspects of the enterprise posture. The score will indicate the trends: whether the enterprise’s posture (security, risk, asset utilization, employee efficiency, etc.) is improving or declining. That approach would enable enterprise decision-makers to make accurate, optimal, justified decisions regarding the enterprise’s transactions and operations, such as M&A, cost reduction, asset acquisition, and DevSecOps.

Applying the above four principles does ensure a holistic approach, enables most-complete visibility across all aspects of the enterprise, and enables optimal decision-making.

For more details on the subject, please refer to our previous blog posts on “Assessing Enterprise’s Posture: Not-Enough Data or Too-Much Data?” and “Correlation and Context: A Must for Assessing Enterprise’s Risk and Security Posture.”