In The Boardroom™ With...
Mr. George Romas
Technical Director
Cybersecurity Solutions Group
HP Enterprise Services U.S. Public Sector
Cybersecurity
for U.S. Public Sector
Updated February 2014
SecuritySolutionsWatch.com: Since we last spoke, what are some of the challenges you’ve encountered?
George Romas: The rapid pace of technology change, especially in the face of increased complexity. As an example, secure mobility is complex because there are many components to an end-to-end solution: network, carrier, platform, software, apps and device. Those components have extremely short lifecycles, with apps developed in days, new devices available every 4-6 months, and software updates being continually pushed to the platform. This is all occurring during a period of reduced budgets and more targeted spending, so keeping pace – in terms of solutions and expertise – is difficult at best.
SecuritySolutionsWatch.com: Any successes?
George Romas: We have won a number of contracts with cybersecurity components at HP, due to both our strong background in cybersecurity solutions as well as our security product portfolio. In terms of innovation, our cybersecurity lab achieved Initial Operating Capability in June 2013, and my team is rapidly developing solutions for U.S. Public Sector clients. We have already completed a secure mobility prototype and are continually adding enhanced functionality to others proof-of-concepts.
SecuritySolutionsWatch.com: For those organizations that may not have the resources available that HP brings to bear to innovate in the cybersecurity space, what are your recommendations?
George Romas: In a word - partner! There are a number of innovative small companies and start-ups in the cyber market; integrating capabilities and pooling resources can increase their impact and get them to the market faster. In addition, academia is more than willing to partner with industry and share leading edge research. Finally, government has some structured programs that support and promote innovative solutions to specific requirements. Defense Advanced Research Projects Agency (DARPA), Intelligence Advanced Research Projects Agency (IARPA), Homeland Security Advanced Research Projects Agency (HSARPA) and DoD Research Labs release Broad Agency Announcements that fund promising solutions. Also, the Intelligence Community has copied the venture capital model by standing up an organization, In-Q-Tel, to fund start-ups.
SecuritySolutionsWatch.com: Thank you for joining us today,
George. Could you give us an idea of your background and current area(s)
of focus at Hewlett-Packard?
George Romas: I have over 30 years of experience, mostly
in the US Intelligence Community, developing solutions across a wide range
of technologies. Due to the nature of that environment, cybersecurity
has always been a component of all those solutions. I've also been an
entrepreneur, working at a robotics company in 1990 and co-founding a
security company in 2000. At HP, I'm currently focused on developing the
next wave of innovative cybersecurity solutions for the US Public Sector.
Since this market arguably has the strictest security requirements of
any sector, I anticipate that these solutions will be incorporated across
all of HP and the markets we serve, providing a higher level of security
for both our public and commercial offerings.
SecuritySolutionsWatch.com: Is there a formal way you approach
innovation, and what are some of the resources you take advantage of?
George Romas: It's a combination of both informal and
formal methods, driven by the search for novel ideas that solve specific
problems. Informally, I have frequent discussions with colleagues in the
industry, I read "everything" (IEEE articles, MIT Technology
Review, WIRED, Federal Computing Week, Fast Company, Popular Science
really, anything I can get my hands on), I research start-up companies,
and brainstorm with lots of professionals. Formally, I follow a specific
process. At HP, it's called Concept to Production (CtP) methodology, which
takes an idea (from a peer, employee, or HP Labs), establishes its value
through Sales and Marketing processes, develops a product, solution or
service through a standard engineering methodology, and prepares the result
for delivery and maintenance. Our team also innovates through a formal
solutioning process, usually in answer to a specific set of requirements
presented in a customer Request for Proposal (RFP). The RFPs we answer
can be entirely about cybersecurity, such as a Continuous Monitoring solution
for an agency, or can have a cybersecurity component, such as Identity
and Access Management for a big data or cloud solution. In either case,
I start from a comprehensive view of the cybersecurity capabilities of
the target environment and determine where specific improvements can be
accomplished.
SecuritySolutionsWatch.com: How do you bring focused cybersecurity
solutions to the market?
George Romas: That's actually the easy part, since
cybersecurity has become woven into every aspect of our lives, both personal
and business. Cybersecurity hasn't been tacked on at the last minute,
but it has been "built in" to HP's computing solutions. When
dealing with solutions from other providers, there are often gaps and
deficiencies that must be filled. Just ask yourself these questions
how do I maintain my music library if my iPod or hard drive breaks? How
do I keep my personal and financial information protected on my home computer,
home network, or mobile device? How do I secure corporate, proprietary
information against threats from loss, competitors, or cybercriminals?
How do I keep national security infrastructure safe from disruption or
cyber terrorism? These issues are starting to blend as we combine consumer
and personal devices and platforms. For example, people access corporate
email on their personal smartphones; they also telework using their home
computers. Threats continue to escalate, not only in frequency and sophistication,
but attacks on personal information and devices can inadvertently obtain
company proprietary information, intellectual property or national security-related
data. To answer these questions and address these issues, our cybersecurity
solutions have to be dynamic, robust, and flexible to meet the challenges
of this problem set.
SecuritySolutionsWatch.com: What's your approach to answering
these questions and resolving these issues?
George Romas: I leverage my experience from developing
solutions which apply the strictest security controls, and try to blend
those concepts with modern technology and computing paradigms. Today,
not only has scale vastly changed, with modern processors, faster memory,
blade servers, enormous amounts of storage, virtualization, and cloud
processing, but the way people use computers is also evolving. We're moving
to portable, mobile computers that have new capabilities, like location-based
services. We're also more likely to share information using these modern
platforms, which introduces additional security issues and vulnerabilities.
SecuritySolutionsWatch.com: Can you give me an example of
how you approach modernization while maintaining a high level of security?
George Romas: Example 1: I'll give you a somewhat dated
example (circa 2000), but the lessons learned and security solution, still
apply today. The most secure systems, then and now, are built on Trusted
Computing concepts. I co-founded a company that tried to make Trusted
Computing components (then, Trusted Solaris and Oracle with Label Security)
easier and less expensive to operate and maintain (taking existing technology
and improving it). Our initial concept of ease-of-use was to add capability,
place the solution in a datacenter, and manage the complexity ourselves.
Organizations would "give" us their data and we would keep it
secure - sounds like cloud computing! Towards the end of that company's
life, an advisor recommended we place the capabilities into an appliance
that a customer could rack on their own premises - unfortunately, we ran
out of money. However, the same issue exists today
as modern cloud
and mobility technologies become more popular, the questions of security
and trust have come to the forefront. We can no longer "own"
our data, so have to develop innovative cybersecurity solutions.
Example 2: I'll describe our approach to cloud computing.
HP, of course, offers Public, Private, and Hybrid cloud solutions to the
market. We have to put protections and guarantees in place to secure personal
information and proprietary corporate information. When it comes to the
US Public Sector, however, there are a number of additional security requirements
and restrictions, based on Federal Healthcare regulations, DoD Directives,
National Institute for Standards and Technology criteria and national
security standards. HP has developed a cloud architecture with extra layers
of protection, from identity management to virtualization and data security,
to satisfy Federal Risk and Authorization Management Program (FedRAMP)
certification requirements. Yet applying modern security technology only
addresses part of the issue. We have also put in place the people and
processes necessary to ensure a higher level of security, so our cloud
offerings are hosted out of a US-based datacenter and managed with US-only
citizens. To introduce innovation into these offerings, we're leveraging
the R&D being performed by HP Labs, and beginning to apply the enhanced
security capabilities of their cloud architecture to our current cloud
solutions.
SecuritySolutionsWatch.com: What are the biggest challenges
in the cybersecurity market today?
George Romas: There's a collision between culture, technology,
and security. Solutions over the past decade have centered around collaboration,
common infrastructure, and information sharing. As threats and vulnerabilities
have become more prevalent, security standards and guidelines were developed
and published at a rapid pace, sometimes with the potential for diminished
information sharing. Today's solutions must satisfy these security standards
while maintaining the collaboration and productivity improvements provided
by modern computing platforms. We need to develop innovative solutions
that take advantage of the new style of IT, yet provide more comprehensive
levels of security and assurance.
SecuritySolutionsWatch.com: Final thoughts?
George Romas:Technology solutions and their associated
requirements are becoming more complex. Mobility moves data out to more
uncontrolled endpoints. Cloud is based on shared infrastructure with boundaries
that are not well understood by the user. At the same time, knowledge
and awareness of cybersecurity is becoming more important. Cybersecurity
best practices and standard processes can improve the level of security,
but the only way to provide unique and effective solutions in this evolving
and complex environment is to innovate, innovate, innovate!
|