In The Boardroom™ With...

Mr. George Romas
Technical Director
Cybersecurity Solutions Group
HP Enterprise Services U.S. Public Sector
Cybersecurity for U.S. Public Sector 

Updated February 2014

SecuritySolutionsWatch.com: Since we last spoke, what are some of the challenges you’ve encountered?

George Romas: The rapid pace of technology change, especially in the face of increased complexity. As an example, secure mobility is complex because there are many components to an end-to-end solution: network, carrier, platform, software, apps and device. Those components have extremely short lifecycles, with apps developed in days, new devices available every 4-6 months, and software updates being continually pushed to the platform. This is all occurring during a period of reduced budgets and more targeted spending, so keeping pace – in terms of solutions and expertise – is difficult at best.

SecuritySolutionsWatch.com: Any successes?

George Romas: We have won a number of contracts with cybersecurity components at HP, due to both our strong background in cybersecurity solutions as well as our security product portfolio. In terms of innovation, our cybersecurity lab achieved Initial Operating Capability in June 2013, and my team is rapidly developing solutions for U.S. Public Sector clients. We have already completed a secure mobility prototype and are continually adding enhanced functionality to others proof-of-concepts.

SecuritySolutionsWatch.com: For those organizations that may not have the resources available that HP brings to bear to innovate in the cybersecurity space, what are your recommendations?

George Romas: In a word - partner! There are a number of innovative small companies and start-ups in the cyber market; integrating capabilities and pooling resources can increase their impact and get them to the market faster. In addition, academia is more than willing to partner with industry and share leading edge research. Finally, government has some structured programs that support and promote innovative solutions to specific requirements. Defense Advanced Research Projects Agency (DARPA), Intelligence Advanced Research Projects Agency (IARPA), Homeland Security Advanced Research Projects Agency (HSARPA) and DoD Research Labs release Broad Agency Announcements that fund promising solutions. Also, the Intelligence Community has copied the venture capital model by standing up an organization, In-Q-Tel, to fund start-ups. 

SecuritySolutionsWatch.com: Thank you for joining us today, George. Could you give us an idea of your background and current area(s) of focus at Hewlett-Packard?

George Romas: I have over 30 years of experience, mostly in the US Intelligence Community, developing solutions across a wide range of technologies. Due to the nature of that environment, cybersecurity has always been a component of all those solutions. I've also been an entrepreneur, working at a robotics company in 1990 and co-founding a security company in 2000. At HP, I'm currently focused on developing the next wave of innovative cybersecurity solutions for the US Public Sector. Since this market arguably has the strictest security requirements of any sector, I anticipate that these solutions will be incorporated across all of HP and the markets we serve, providing a higher level of security for both our public and commercial offerings.

SecuritySolutionsWatch.com: Is there a formal way you approach innovation, and what are some of the resources you take advantage of?

George Romas: It's a combination of both informal and formal methods, driven by the search for novel ideas that solve specific problems. Informally, I have frequent discussions with colleagues in the industry, I read "everything" (IEEE articles, MIT Technology Review, WIRED, Federal Computing Week, Fast Company, Popular Science … really, anything I can get my hands on), I research start-up companies, and brainstorm with lots of professionals. Formally, I follow a specific process. At HP, it's called Concept to Production (CtP) methodology, which takes an idea (from a peer, employee, or HP Labs), establishes its value through Sales and Marketing processes, develops a product, solution or service through a standard engineering methodology, and prepares the result for delivery and maintenance. Our team also innovates through a formal solutioning process, usually in answer to a specific set of requirements presented in a customer Request for Proposal (RFP). The RFPs we answer can be entirely about cybersecurity, such as a Continuous Monitoring solution for an agency, or can have a cybersecurity component, such as Identity and Access Management for a big data or cloud solution. In either case, I start from a comprehensive view of the cybersecurity capabilities of the target environment and determine where specific improvements can be accomplished.

SecuritySolutionsWatch.com: How do you bring focused cybersecurity solutions to the market?

George Romas: That's actually the easy part, since cybersecurity has become woven into every aspect of our lives, both personal and business. Cybersecurity hasn't been tacked on at the last minute, but it has been "built in" to HP's computing solutions. When dealing with solutions from other providers, there are often gaps and deficiencies that must be filled. Just ask yourself these questions … how do I maintain my music library if my iPod or hard drive breaks? How do I keep my personal and financial information protected on my home computer, home network, or mobile device? How do I secure corporate, proprietary information against threats from loss, competitors, or cybercriminals? How do I keep national security infrastructure safe from disruption or cyber terrorism? These issues are starting to blend as we combine consumer and personal devices and platforms. For example, people access corporate email on their personal smartphones; they also telework using their home computers. Threats continue to escalate, not only in frequency and sophistication, but attacks on personal information and devices can inadvertently obtain company proprietary information, intellectual property or national security-related data. To answer these questions and address these issues, our cybersecurity solutions have to be dynamic, robust, and flexible to meet the challenges of this problem set.

SecuritySolutionsWatch.com: What's your approach to answering these questions and resolving these issues?

George Romas: I leverage my experience from developing solutions which apply the strictest security controls, and try to blend those concepts with modern technology and computing paradigms. Today, not only has scale vastly changed, with modern processors, faster memory, blade servers, enormous amounts of storage, virtualization, and cloud processing, but the way people use computers is also evolving. We're moving to portable, mobile computers that have new capabilities, like location-based services. We're also more likely to share information using these modern platforms, which introduces additional security issues and vulnerabilities.

SecuritySolutionsWatch.com: Can you give me an example of how you approach modernization while maintaining a high level of security?

George Romas: Example 1: I'll give you a somewhat dated example (circa 2000), but the lessons learned and security solution, still apply today. The most secure systems, then and now, are built on Trusted Computing concepts. I co-founded a company that tried to make Trusted Computing components (then, Trusted Solaris and Oracle with Label Security) easier and less expensive to operate and maintain (taking existing technology and improving it). Our initial concept of ease-of-use was to add capability, place the solution in a datacenter, and manage the complexity ourselves. Organizations would "give" us their data and we would keep it secure - sounds like cloud computing! Towards the end of that company's life, an advisor recommended we place the capabilities into an appliance that a customer could rack on their own premises - unfortunately, we ran out of money. However, the same issue exists today … as modern cloud and mobility technologies become more popular, the questions of security and trust have come to the forefront. We can no longer "own" our data, so have to develop innovative cybersecurity solutions.

Example 2: I'll describe our approach to cloud computing. HP, of course, offers Public, Private, and Hybrid cloud solutions to the market. We have to put protections and guarantees in place to secure personal information and proprietary corporate information. When it comes to the US Public Sector, however, there are a number of additional security requirements and restrictions, based on Federal Healthcare regulations, DoD Directives, National Institute for Standards and Technology criteria and national security standards. HP has developed a cloud architecture with extra layers of protection, from identity management to virtualization and data security, to satisfy Federal Risk and Authorization Management Program (FedRAMP) certification requirements. Yet applying modern security technology only addresses part of the issue. We have also put in place the people and processes necessary to ensure a higher level of security, so our cloud offerings are hosted out of a US-based datacenter and managed with US-only citizens. To introduce innovation into these offerings, we're leveraging the R&D being performed by HP Labs, and beginning to apply the enhanced security capabilities of their cloud architecture to our current cloud solutions.

SecuritySolutionsWatch.com: What are the biggest challenges in the cybersecurity market today?

George Romas: There's a collision between culture, technology, and security. Solutions over the past decade have centered around collaboration, common infrastructure, and information sharing. As threats and vulnerabilities have become more prevalent, security standards and guidelines were developed and published at a rapid pace, sometimes with the potential for diminished information sharing. Today's solutions must satisfy these security standards while maintaining the collaboration and productivity improvements provided by modern computing platforms. We need to develop innovative solutions that take advantage of the new style of IT, yet provide more comprehensive levels of security and assurance.

SecuritySolutionsWatch.com: Final thoughts?

George Romas:Technology solutions and their associated requirements are becoming more complex. Mobility moves data out to more uncontrolled endpoints. Cloud is based on shared infrastructure with boundaries that are not well understood by the user. At the same time, knowledge and awareness of cybersecurity is becoming more important. Cybersecurity best practices and standard processes can improve the level of security, but the only way to provide unique and effective solutions in this evolving and complex environment is to innovate, innovate, innovate!