In The Boardroom With...
Navy Rear Adm. (Ret.) Elizabeth A. Hight is vice president of HP's Cybersecurity Solutions Group for HP Enterprise Services U.S. Public Sector. In this role, Rear Adm. Hight leads a team of cybersecurity experts to deliver strategic, end-to-end cybersecurity solutions that help HP clients anticipate, overcome and reduce security threats and vulnerabilities while achieving their missions. Rear Adm. Hight joined HP in January 2010 as the director of the U.S. Defense Command and Control Infrastructure Practice, which assists U.S. defense clients in transforming their IT environments. Before joining HP, she served for 32 years in the U.S. Navy. Rear Adm. Hight was the acting Director of the Defense Information Systems Agency (DISA), Commander of the Joint Task Force-Global Network Operations (JTF-GNO) and Vice Director of DISA, responsible for planning, developing and providing interoperable, global net-centric solutions to support the needs of the President, the Secretary of Defense, the Joint Chiefs of Staff, the combatant commanders, the Military Departments and other DoD components; she served in many other roles throughout her naval career. Rear Adm. Hight is a graduate of the Defense Systems Management College, the Naval Postgraduate School with a master's degree in telecommunications systems, and George Washington University with a master's degree in information systems.
SecurityStockWatch.com: Given that "It only takes one". A single email with an embedded virus or worm; one lone instance of unauthorized network access; a solitary line of unsecure code buried deep within an application; an individual loss of a laptop or mobile device with unencrypted data... is all it takes to launch a damaging cybersecurity attack. Any of these scenarios, and many more, can wreak havoc for public sector organizations. What is HP's approach in working with clients to determine the security strategy the enterprise
Elizabeth A. Hight: The first order of business for any organization is to identify two things: first, what it needs to protect, and second, how much risk it is willing to accept. The organization must determine what its critical assets are, whether it is reputation, business strategies, information, intellectual property, national secrets, financials, private citizen data, mission specifics, best practices, etc. Only the business owners of the organization can answer that question - not a consultant and not the IT department. This is often hard thinking and discovery work, but once done, it is illuminating to the enterprise and sets the foundation for their security strategy. Once "the what" is defined, the organization can then turn to the risk element.
Risk can be defined as the potential that a given threat will exploit vulnerabilities of priority assets or organizational position thereby causing it harm; it involves assessing the likelihood of an event happening and the consequences should it occur. HP has a world-class Enterprise Risk Management program that enables our clients to effectively understand and plan for enterprise risk and incorporate risk management/mitigation concepts into decision-making. We include legal and regulatory compliance as well as global resiliency into the equation, and actually maintain a risk taxonomy and vocabulary to help the leadership understand their "risk portfolio." The security strategy is then based on these risk strategies.
The next order of business is to help clients develop their own security strategy by balancing their requirements to minimize potential loss and maximize potential gain. Business risk management, however, is a "top down" discipline because cyber risk is greater than just an IT failure. It is the business owners that must define an acceptable risk posture. Once that is defined, IT risk management is conducted "bottom up": the technical programs, business processes and human resources needed to mitigate threats must be developed and organized as required by the strategy.
SecurityStockWatch.com: Can we drill down a bit into cloud security for a moment? With the internet now firmly established as an integral part of the business model of every enterprise and so much information up in the cloud, what is your perspective on best practices for securing cloud computing?
Elizabeth A. Hight: The Internet has made access to cloud services universal. As a provider of cloud services in multiple markets, HP understands that it's important to address security, regulatory and operational requirements as part of agreed upon Service Level or Risk Level Agreements. At HP, we've combined our long history of understanding U.S. Public Sector security requirements with our security offerings to address these concerns. Our government-market Virtual Private Cloud (VPC) services are hosted within the continental United States. Datacenter personnel are U.S. citizens who believe deeply in the mission and business objectives of our clients. Our cloud infrastructure within those datacenters conforms to NIST Moderate standards, implementing the appropriate controls and processes for that level of assurance. Those controls include access controls, as well as network and virtualization security controls. As cloud services and applications are developed and/or deployed for customers, we perform rigorous security testing, from concept to production, using automated tools like HP Fortify and standard methodologies, like HP's Comprehensive Application Threat Analysis (CATA) and ITIL V3 Configuration Management. When it comes to cloud services, providing a level of assurance for our customers means evaluating all the components of those services and providing the right technologies, people, and processes to deliver them.
SecurityStockWatch.com: We read with great interest on HP.com that, "Today's attempts to breach your infrastructure have greater sophistication, agility, complexity and coordination than ever before. Frequently supported and financed by criminal or state-sanctioned organizations, these advanced and persistent cyber-attacks seek to damage, disrupt, destroy, or steal your information. They want to stop your mission." With this in mind, there seems to be a shifting cybersecurity focus from defending "everything" to defending that which is most important and critical for the enterprise in order to carry out its mission. Do you agree with this premise? Care to elaborate?
Elizabeth A. Hight: Defending everything is, for all practical purposes, impossible in today's globally interconnected and networked world. First, the software we use is complex and was usually developed by a third party to be run on a wide range of operating systems, and the traditional "IT stack" is comprised of heterogeneous components all operating in a mixture of security configurations/postures. Second, our "wireless" world is dominated by thinking developed during the "hard-wired" era: practices, processes, and assumptions that were honed over the years for physically networked connections. In addition, the number of hardware and software vendors currently developing products has exploded in the last decade, as have the technological advancements in networking, storage, computing, and data manipulation. The integration of components developed by the same vendor is hard enough, let alone the effort to bring all of these pieces and parts together and the resultant security implications of that effort. Finally, the way users interact with data to accomplish their mission or business outcomes anywhere, anytime, over a variety of networks and devices all lends itself to a cybersecurity challenge that is growing in magnitude.
SecurityStockWatch.com: Without divulging any confidential or proprietary information, of course, are there 1 or 2 HP case studies or success stories you'd like to discuss?
Elizabeth A. Hight: The best known HP cybersecurity and managed services success story is the Navy-Marine Corps Intranet, or NMCI, as it is referred to. NMCI is one of the largest, most secure private intranets in the world, serving more than 800,000 Sailors and Marines in the Continental United States and the Pacific. It is a network that delivers service 24 hours a day, seven days a week, which includes managing more than 100 different vendors, multiple data centers, and the technical refresh of both the end user equipment and the infrastructure, while complying with all DoD security regulations. When I was still in uniform, I can say without hesitation, NMCI consistently had the most secure infrastructure of all the Service/Agency networks, and it continues that track record.
SecurityStockWatch.com: As an IT professional with 30+ years of experience in the military/government environment, it is abundantly clear that you bring an extremely valuable and unique view to your engagements - the "outside" view plus the "inside" view. How would you sum up for us HP's value proposition in these challenging economic times?
Elizabeth A. Hight: I think HP has an advantage in four different areas. First, the depth and breadth of our capabilities allows HP to deliver integrated hardware, software and operational solutions that are designed to provide the fastest and most secure outcomes for the user. We continue to utilize this depth and breadth, to include our ongoing R&D specialists, to build secure capabilities from the consumer to the cloud -- an advantage that few other companies can claim. Because of our long history in this arena, we know how to integrate, deploy, operate and provide extended services to securely manage cyberspace on behalf of our clients.
Second, HP has a view of the user that starts where the client is, not where the company's solutions begin. In other words, we have a culture of listening to what the client needs and wants, not just what we can sell. We're also able to offer our expert opinion to help them think about challenges and opportunities in the emerging technology landscape. We have an HP Lab dedicated to Security and Cloud solutions together. We have what we call the Digital Vaccines Lab, which discovers more vulnerabilities than the rest of the market combined! We have security scientists and security engineers in each of our product units, building security into the fabric of cyberspace components.
Third, HP thinks about the entire ecosystem from the external realities facing our clients (e.g., regulatory compliance, liability, etc.) to the internal factors the client must consider (e.g., business processes, affordability, etc.) when assessing a security strategy to achieve the risk tolerance defined by the client and the business or mission outcomes that the client is trying to achieve.
Finally, HP has the financial flexibility that allows for multiple approaches to transform a customer's business model from being heavily weighted on capital expenditures to one taking advantage of operational expenditures and embedded investments.
SecurityStockWatch.com: What resources are available at HP's Cybersecurity for U.S. Public Sector website for end-users?
Elizabeth A. Hight: On our web site visitors will find information about our security solutions portfolio and experience, including how they can get started working with HP in areas they need assistance. HP offers flexible, end-to-end security services that enable public sector agencies to:
HP Cybersecurity for US Public Sector - http://www8.hp.com/us/en/industries/public-sector.html?compURI=1087497
FOR MORE INFORMATION
HP Applications Security for US Public Sector - http://www8.hp.com/us/en/industries/public-sector.html?compURI=1087496
HP Identity and Access Management for US Public Sector - http://www8.hp.com/us/en/industries/public-sector.html?compURI=1087501
HP Cybersecurity for Defense - http://www8.hp.com/us/en/industries/public-sector.html?compURI=1087536
HP Global Enterprise Security - http://www.hpenterprisesecurity.com/
Join HP's Enterprise Security Trends Blog - http://h30507.www3.hp.com/t5/Enterprise-Security-Trends-Blog/bg-p/information-security-trends
Join the HP Security Lab Blog - http://h30499.www3.hp.com/t5/Information-Faster-Blog/bg-p/sws-274