In The Boardroom™ With...
Navy Rear Adm. (Ret.) Elizabeth A. Hight is vice president of HP's Cybersecurity Solutions Group for HP Enterprise Services U.S. Public Sector. In this role, Rear Adm. Hight leads a team of cybersecurity experts to deliver strategic, end-to-end cybersecurity solutions to help HP clients anticipate, overcome and reduce security threats and vulnerabilities while achieving their missions. Rear Adm. Hight joined HP in January 2010 as the director of the U.S. Defense Command and Control Infrastructure Practice, which is designed to assist U.S. defense clients in transforming their IT environments. Before joining HP, she served for 32 years in the U.S. Navy. Rear Adm. Hight was the acting Director of Defense Information Systems Agency (DISA) and Commander of the Joint Task Force Global Network Operations (JTF GNO) and vice director of DISA responsible for planning, developing, and providing interoperable, global net-centric solutions to support the needs of the President, Secretary of Defense, Joint Chiefs of Staff, the combatant commanders, the Military Departments and other DoD components, and served in many other roles throughout her naval career. Rear Adm. Hight is a graduate of the Defense Systems Management College, the Naval Postgraduate School with a master's degree in telecommunications systems, and George Washington University with a master's degree in information systems.
SecuritySolutionsWatch.com: Given that
"It only takes one". A single email with an embedded virus or worm;
one lone instance of unauthorized network access; a solitary line of unsecure
code buried deep within an application; an individual loss of a laptop
or mobile device with unencrypted data... is all it takes to launch
a damaging cybersecurity attack. Any of these scenarios, and many more,
can wreak havoc for public sector organizations. What is HP's approach
in working with clients to determine the security strategy the enterprise
should adopt?
Elizabeth A. Hight: The first order of business for any
organization is to identify two things: first, what it needs to protect,
and second, how much risk it is willing to accept. The organization must
determine what their critical assets are, whether it is reputation, business
strategies, information, intellectual property, national secrets, financials,
private citizen data, mission specifics, best practices, etc. Only the
business owners of the organization can answer that question - not a consultant
and not the IT department. This is often hard thinking and discovery work,
but once done, it is illuminating to the enterprise and sets the foundation
for their security strategy. Once "the what" is defined, the
organization can then turn to the risk element.
Risk can be defined as the potential that a given threat will exploit
vulnerabilities of priority assets or organizational position thereby
causing it harm; it involves assessing the likelihood of an event happening
and the consequences should it occur. HP has a world-class Enterprise
Risk Management program that enables our clients to effectively understand
and plan for enterprise risk and incorporate risk management/mitigation
concepts into decision-making. We include legal and regulatory compliance
as well as global resiliency into the equation, and actually maintain
a risk taxonomy and vocabulary to help the leadership understand their
"risk portfolio." The security strategy is then based on these
risk strategies.
The next order of business is to help clients develop their own security
strategy by balancing their requirements to minimize potential loss and
maximize potential gain. Business risk management, however, is a "top
down" discipline because cyber risk is greater than just an IT failure.
It is the business owners that must define an acceptable risk posture.
Once defined, IT risk management is conducted "bottom up"; the
technical programs, business processes and human resources needed to mitigate
threats must be developed and organized as required by the strategy.
SecuritySolutionsWatch.com: Can we drill down a bit into
cloud security for a moment? With the internet now firmly established
as an integral part of the business model of every enterprise and so much
information up in the cloud, what is your perspective on best practices
for securing cloud computing?
Elizabeth A. Hight: The Internet has made access to
cloud services universal. As a provider of cloud services in multiple
markets, HP understands that it's important to address security, regulatory
and operational requirements as part of agreed upon Service Level or Risk
Level Agreements. At HP, we've combined our long history of understanding
U.S. Public Sector security requirements with our security offerings to
address these concerns. Our government-market Virtual Private Cloud (VPC)
services are hosted within the continental United States. Datacenter personnel
are U.S. citizens who believe deeply in the mission and business objectives
of our clients. Our cloud infrastructure within those datacenters conforms
to NIST Moderate standards, implementing the appropriate controls and
processes for that level of assurance. Those controls include access controls,
as well as network and virtualization security controls. As cloud services
and applications are developed and/or deployed for customers, we perform
rigorous security testing, from concept to production, using automated
tools like HP Fortify and standard methodologies, like HP's Comprehensive
Application Threat Analysis (CATA) and ITIL V3 Configuration Management.
When it comes to cloud services, providing a level of assurance for our
customers means evaluating all the components of those services and providing
the right technologies, people, and processes to deliver them.
SecuritySolutionsWatch.com: We read with great interest on
HP.com that, "Today's attempts
to breach your infrastructure have greater sophistication, agility, complexity
and coordination than ever before. Frequently supported and financed by
criminal or state-sanctioned organizations, these advanced and persistent
cyber-attacks seek to damage, disrupt, destroy, or steal your information.
They want to stop your mission." With this in mind, there seems to
be a shifting cybersecurity focus from defending "everything"
to defending that which is most important and critical for the enterprise
in order to carry out its mission. Do you agree with this premise? Care
to elaborate?
Elizabeth A. Hight: Defending everything is, for all
practical purposes, impossible in today's globally interconnected and
networked world. First, the software we use is complex, was usually developed
by a third party to be run on a wide range of operating systems and the
traditional "IT stack" is comprised of heterogeneous components
all operating in a mixture of security configurations/postures. Second,
our "wireless" world is dominated by thinking developed during
the "hard-wired" era---practices, processes, and assumptions
that were honed over the years for physically networked connections. In
addition, the number of hardware and software vendors currently developing
products has exploded in the last decade as have the technological advancements
in networking, storage, computing, and data manipulation. The integration
of components developed by the same vendor is hard enough... just imagine
the effort to bring all of these pieces and parts together and the resultant
security implications of that effort. Finally, the way users interact
with data to accomplish their mission or business outcomes anywhere, anytime,
over a variety of networks and devices all lends itself to a cybersecurity
challenge that is growing in magnitude.
SecuritySolutionsWatch.com: Without divulging any confidential
or proprietary information, of course, are there 1 or 2 HP case studies
or success stories you'd like to discuss?
Elizabeth A. Hight: The best known HP cybersecurity
and managed services success story is the Navy-Marine Corps Intranet
or NMCI, as it is referred to. NMCI is one of the largest, most secure private
intranets in the world, serving more than 800,000 Sailors and Marines
in the Continental United States and the Pacific. It is a network that
delivers service 24 hours a day, seven days a week to include managing
more than 100 different vendors, multiple data centers, and the technical
refresh of both the end user equipment and the infrastructure, while complying
with all DoD security regulations. When I was still in uniform, I can
say without hesitation, NMCI consistently had the most secure infrastructure
of all the Service/Agency networks and it continues that track record
today.
SecuritySolutionsWatch.com: As an IT professional with 30+
years of experience in the military/government environment, it is abundantly
clear that you bring an extremely valuable and unique view to your engagements
- the "outside" view plus the "inside" view. How would
you sum up for us HP's value proposition in these challenging economic
times?
Elizabeth A. Hight: I think HP has an advantage in
four different areas. First, the depth and breadth of our capabilities
allows HP to deliver integrated hardware, software and operational solutions
that are designed to provide the fastest and most secure outcomes for
the user. We continue to utilize this depth and breadth, to include our
ongoing R&D specialists, to build secure capabilities from the consumer
to the cloud -- an advantage that few other companies can claim. Because
of our long history in this arena, we know how to integrate, deploy, operate
and provide extended services to securely manage cyberspace on behalf
of our clients.
Second, HP has a view of the user that starts where the client is... not
where the company's solutions begin. In other words, we have a culture
of listening to what the client needs and wants, not just what we can
sell. We're also able to offer our expert opinion to help them think about
challenges and opportunities in the emerging technology landscape. We
have an HP Lab dedicated to Security and Cloud solutions -- together. We
have what we call the Digital Vaccines Lab, which discovers more vulnerabilities
than the rest of the market combined! We have security scientists and
security engineers in each of our product units -- building security into
the fabric of cyberspace components.
Third, HP thinks about the entire ecosystem from the external realities
facing our clients (e.g., regulatory compliance, liability, etc.) to the
internal factors the client must consider (e.g., business processes, affordability,
etc.) when assessing a security strategy to achieve the risk tolerance
defined by the client and the business or mission outcomes that the client
is trying to achieve.
Finally, HP has the financial flexibility that allows for multiple approaches
to transform a customer's business model from being heavily weighted on
capital expenditures to one taking advantage of operational expenditures
and embedded investments.
SecuritySolutionsWatch.com:
What resources are available at HP's Cybersecurity for U.S. Public Sector
website for end-users?
Elizabeth A. Hight: On our web site visitors will find information about our security solutions portfolio and experience, including how they can get started working with HP in areas they need assistance. HP offers flexible, end-to-end security services that enable public sector agencies to:
FOR MORE INFORMATION
HP Applications Security for US Public Sector - http://www8.hp.com/us/en/industries/public-sector.html?compURI=1087496
HP Identity and Access Management for US Public Sector - http://www8.hp.com/us/en/industries/public-sector.html?compURI=1087501
HP Cybersecurity for Defense - http://www8.hp.com/us/en/industries/public-sector.html?compURI=1087536
HP Global Enterprise Security - http://www.hpenterprisesecurity.com/
Join HP's Enterprise Security Trends Blog - http://h30507.www3.hp.com/t5/Enterprise-Security-Trends-Blog/bg-p/information-security-trends
Join the HP Security Lab Blog - http://h30499.www3.hp.com/t5/Information-Faster-Blog/bg-p/sws-274