Transcript of "Cybersecurity is a Necessity, Not an Option, in the Face of Global Security Threats, Says CSC"
Cybersecurity is a Necessity, Not an Option, in the Face of
Global Security Threats, Says CSC
Transcript of a BrieﬁngDirect podcast on the growing need for cybersecurity as an important
organizational goal for businesses and government agencies.
Listen to the podcast. Find it on iTunes. Sponsor: HP
Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance
Podcast Series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your
moderator for this ongoing discussion of IT innovation and how it’s making an
impact on people’s lives.
Once again, we're focusing on how IT leaders are improving security and
reducing risks as they adapt to the new harsh realities of doing business online.
We have a fascinating discussion today, because we're joined for Part 2 of our series with HP
strategic partner and IT services and professional services global powerhouse CSC. We'll be
exploring how CSC itself has improved its own cybersecurity posture. [Disclosure: HP is a
sponsor of BrieﬁngsDirect podcasts.]
With that, please join me in welcoming our guests. We're here with Dean Weber, the Chief
Technology Ofﬁcer for CSC Global Cybersecurity. Welcome back, Dean.
Dean Weber: Thank you.
Gardner: We're also here with Sam Visner, Vice President and General Manager for CSC Global
Cybersecurity. Welcome back to you too, Sam.
Sam Visner: Thanks, Dana, for this opportunity to discuss this topic.
Gardner: As you recall, in Part 1 of our series, we examined the tough challenges facing
companies and how they need to adjust their technology and security operations. We
saw how they were all now facing a weapons-grade threat, as we put it, with big
commercial incentives for online attacks and also a proliferation of more
We also learned how older IT security methods have proven inadequate to the
escalating risks that are also expanding beyond corporate networks to include critical
infrastructure, supply chains, and even down to devices and sensors.
So today, we'd like to take a deeper dive into how CSC itself is going beyond just technology and
older methods to understand a better path to improve cybersecurity.
Let me start with you, Sam. What's the most impactful thing that CSC has done in the past
several years, perhaps in concert with HP, that's proven to be a major contributor to a more
Visner: There are three things to which I'd point. In the course of any conversation about three
things, I'll think of a fourth, a ﬁfth, a sixth, and a seventh in due course, but let
me start with three things.
The ﬁrst is the recognition that cybersecurity is an important issue for any
organization today, whether they're a Global 1000 company, a Fortune 500
company, or a government agency, and everybody has a stake in cybersecurity.
The ﬁrst thing is that, because everybody has this stake, there has been a recognition that the
cybersecurity of the commercial world and the cybersecurity of the public sector are really the
The commercial world provides the technology on which governments depend. Governments
express the interest that the public has and the cybersecurity of those parts of the private sector
that manage energy, transportation, critical manufacturing, aerospace, defense, chemicals,
banking, healthcare, and any other thing that we call critical infrastructure.
In our company, where we serve both the public sector and private sector, we recognized early on
that it made sense to address commercial and public sector cybersecurity from a common
strategy. That's the ﬁrst thing.
The second thing is that we then built a uniﬁed capability, a uniﬁed P&L, a uniﬁed line of
business and delivery capability for cybersecurity that brings together our commercial and our
public-sector business. We're end to end. So from consulting and assessments, then education,
through managed cybersecurity services and systems integration, all the way through incident
response, we make our full portfolio available to all our customer set, not just part of our
And the third thing is -- and I am going to ask Dean Weber to comment on this, because more
than anyone else he has been the motivating powerhouse here -- a lot of people think about
cybersecurity as tools. What's my ﬁrewall? What's my user provisioning? What's my password
policy? How am I handling passwords? What should I be doing about endpoint protection?
That's a recipe for disaster, because you're always playing catch up against the problem and you
don't even know if the tools work together. You certainly don't have the means to take the
information that these tools generate, put them together, analyze them and give yourself the big
picture that allows you to be effective in understanding the total threat you face and the total
situation that you have internal in your organization.
The third thing that has been important is moving from a tools-based perspective to an
architecture-based perspective, one in which before we buy tools or develop tools, or even in
which we deﬁne offerings, we deﬁne the architecture of our offerings.
What are we trying to do? How will these offerings ﬁt together in accruing information outside
of our enterprise about the global threat environment and inside of an enterprise about everything
that affects the security of an organization, from their smartphone, all the way down to their
industrial control systems on the shop ﬂoor?
What are the offerings that, when knit together, give you a total capability? Then, what are the
speciﬁc technologies that are pertinent to each of those offerings? So taking an architectural
approach as opposed to a product-speciﬁc approach is the third basic development.
Again, the public sector and commercial sector have to be approached in a common strategy, the
need to build a common organization serving all our customers across the CSC space, and
approaching our solutions from an architectural perspective where you ﬁt everything together in
terms of offerings, capabilities, and technology. Those would be the three things to which I'd
Gardner: Dean Weber, let's get some more input on the shift from a tools perspective or a
tactical perspective to that architectural level?
Weber: As Sam pointed out, the idea here is that we need an integrated capability to combat the
current and emerging threats. You do that based on a global ability to detect and
defer the threats, remediate as quickly as possible from threats that have
manifested themselves, and recover.
Not only are we a services provider of managed security services to enterprise
and government, we also consume those services ourselves on the inside. There's
no difference. We drink our own champagne, or eat our own dog food, or
however you want to put it.
But at the end of the day we have made this very security operations center (SOC)-centric
offering, where we have elected to use a common technology framework across the globe. All of
our SOCs worldwide use the same security and information event management -- SIEM
technology, in this case ArcSight.
That allows us to deliver the same level of consistency and maturity, and given some of the
advanced capabilities of ArcSight, it has allowed us to interconnect them using a concept we call
the global logical SOC, where for data protection and data privacy purposes, data has to reside in
the region or country of its origin, but we still need to share threat intelligence, both internally
generated and externally applied. The ArcSight platform allows us to build on that basis.
Separate and apart from that, any other tools that we want to bring to bear, whether that's
antivirus or vulnerability scanning, all the way up the stack to application security lifecycle, with
a product like Fortify, we can plug all of that into the managed framework regardless of where
it's delivered on the globe and we can take advantage of that appropriately and auditably across
the entire hemisphere or across the entire planet.
Visner: Dean mentioned Fortify. As you may know, we're bringing out an application security
testing-as-a-service component of our portfolio. It’s an offering. That was done very deliberately.
It's a portfolio of offerings that comprise a total capability. Each offering goes through offering
lifecycle management to ensure that it conforms to the architecture, and then trade studies to
determine which technologies, in this case the HP Fortify technology, are pertinent to that
As we move out on this, what people should expect is not that somebody is going to show up and
say, "Buy our tool." Instead, what we're going to be doing is soliciting requirements for tools and
technologies, some of which we'll buy or license and some which we'll develop ourselves that
conform to the total architectural approach that Dean described. What we're doing with HP
Fortify is a perfect example of that very deliberate and methodical approach.
Gardner: It sounds as if an important pillar of those three items you brought up, Sam, the
common strategy, uniﬁed capability, and architecture, is to know yourself as an organization, to
deeply understand where you are, and then be dynamic in terms of tracking that. Do the HP
Fortify and HP ArcSight technologies come to bear on that aspect of self-awareness.
Visner: The way I would put it is this. We have to deal with a situation in which we have a broad
set of industries that we serve from a cybersecurity perspective. I'm going to take a look at the
ArcSight situation here more particularly, because the ArcSight situation is one that had to serve
CSC and its customers on a global basis.
Wide range of environments
We do cybersecurity for public-sector organizations, but we also do it for chemical companies,
banks, aerospace and defense companies, manufacturing companies, and companies in the
We have to be able to bring together data across a very wide range of environments. Although
there are some great global threats out there, some of those threats are being crafted to be speciﬁc
to some of the industries and some of the government’s activities that we try to safeguard.
Therefore, in the case of ArcSight, we needed an environment that would allow us to use a broad
range of tools, some of which may have to be selected to be ﬁt for purpose for a speciﬁc
customer environment and yet to accrue data in a common environment and use that common
environment for correlation and analysis.
This is a way in which our self-awareness as a company that does cybersecurity across many
sectors of the private sector, as well as a broad range of public sector organizations, told us that
we needed an environment that could accrue a wide range of data and allow us to do correlation.
In terms of what we're doing with Fortify and application security testing, one of the things
we've learned about ourselves is that we're going to support organizations that have very speciﬁc
applications requirements. In some cases, these requirements will relate to things like healthcare
or banking. In some cases, it will be for transactions. In some cases, it will be speciﬁc workﬂows
associated with these industries.
What’s common to this, we have learned, is the need for secure applications. What’s also
common is that globally the world isn’t doing enough in terms of testing the security of
applications. This is something we found we could do that would be of value to a broad range of
CSC customers. Again, that's based on our own self-awareness of what those customers need in
Remember, our company has been doing independent IT and software work since 1959. One of
the things we've learned over 54 years is that there is a wide variety of things that organizations
do in terms of making their software really useful, and there is a wide variety in the attention
they pay to testing that software from the perspective of security.
We are trying to raise the bar globally to one, high, common level of application security testing.
So that’s a way that we are working with it. That’s what the Fortify tool will help us do.
Gardner: Dean Weber, to Sam’s point about the amount of data required to track, understand,
and follow, do you consider this a big-data function? We hear, of course, a lot about that in the
marketplace these days. How important would general-data and/or big-data capabilities be in a
good secure organization? Are they hand in hand?
Weber: They are absolutely hand in hand. As we generate more data across our grids, both
sensor data and event data, and as we combine our information technology networks with our
operational technology networks, we have an exploding data problem. No longer is it ﬁnding a
needle in a haystack. It’s ﬁnding a needle amongst needles in a haystack.
The problem is absolutely a big-data problem. Choosing technologies like ArcSight that allow
us to pinpoint technology aberrations from a log, alert, or an event perspective, as well as from a
historical trending perspective, is absolutely critical to trying to stay ahead of the problem. At the
end of the day, it’s all about identity, access, and usage data. That's where we ﬁnd the indicators
of these advanced threats.
As the trade craft of our opponents gets better, as Sam likes to put it, we have to respond, and it’s
not easy to respond at that level. One of the reasons that Fortify is going to become one of the
cornerstones of our offering is because as we get better at securing infrastructure using the
technologies we've already talked about, the next low-hanging fruit is the application
Recently, Android announced that they have a vulnerability in their crypto product. There are
900 million Android products that are affected by that. While Google has released a patch for
that particular crypto vulnerability, all the rest of the vendors who use an Android platform are
still struggling with how to patch, when to patch, where to patch, how do they know they
Visner: And who is responsible for the patch?
Weber: And who is responsible for the patch, absolutely true.
Gardner: That brings us to this. When you talk about responsibility and tracking, who is doing
what and how it’s getting done? We started to talk about key performance indicators (KPIs).
How much of a shift have you had to go about there at CSC to put in place the ability to track
metrics of success and KPIs? How do you measure and gauge these efforts?
Visner: I'm going to ask Dean to cleanup on my answer, but a lot of people are paying attention
to global threat intelligence and threat attribution. That’s really important, but I think what’s even
more important is not knowing where the threat came from, or what the motivations are. That’s
useful to know, because it can help characterize other aspects of the threat and what you can
expect from the threat actor to do, not just in terms of one piece of malware, but an integrated
The other piece of this is understanding yourself. That is to say it’s not enough to know that I
have patched my desktop. It’s not enough to know that I have got good governance, risk, and
compliance (GRC) enterprise-wide password maintenance and password reset.
I have to know everything about my enterprise today, all the way down to the industrial control
systems on the shop ﬂoor, the supervisory control and data acquisition systems that coordinate
my enterprise, the enterprise databases and applications that I use for global transactions, as well
as individual desktops and smartphones.
What we're really talking about is a level of awareness that people are not used to having.
They're really not. People don’t worry about what goes on beyond their own computer. Even
CIOs haven’t really worried about the cybersecurity of computers that are embedded in
manufacturing systems or control systems. Now, I think they have to be.
Swinging back to the awareness question, this is required of us and of any other enterprise to go
beyond the status of an individual device to treat the status of the entire enterprise as important
corporate knowledge. That's important corporate knowledge.
Holistic global view
Think of it this way, this is an organization that needs to know globally what its credit
worthiness is, where its lines of credit are, and how it’s using those lines of credit and its cash
instruments globally to manage its cash ﬂow. That’s important corporate knowledge, and it has to
be dealt with on a holistic global view. Otherwise it’s worthless.
The same thing is true with cybersecurity, knowing what the effect is. Cybersecurity of a speciﬁc
server is interesting, but it's actually not nearly as useful as knowing the state of cybersecurity
throughout your entire enterprise. That's global corporate knowledge and that's the difference
between a piece of information which is interesting and corporate knowledge which is vital,
important, and very valuable.
We have to treat the state of cybersecurity in an organization with the same seriousness, and
consider it to be the same level of resource and asset, as the global cash ﬂow of a global
organization. It's the same thing.
Gardner: Dean Weber, the opportunity to bring big-data capabilities to bear on this problem is
one thing that we've addressed, but there is also the operations and organizational side of having
reports, delivering reports, measuring those reports, and being able to act on it.
What have you done there to allow for a KPI-oriented or a results-oriented organizational
approach that leverages of course all the data?
Weber: You've just touched on the value proposition for a global managed security services
provider (MSSP) in the fact that we have data sources that span the planet. While CSC as a 90-
plus thousand person organization is considered a large scale organization, it pales in comparison
to the combined total of CSC's customer base.
Being able to combine intelligence and operational knowledge from multiple enterprises
spanning multiple countries and geographic regions with differing risk postures and business
models, sometimes even with differing technologies employed in those models, gives us a real
opportunity to see what the global threat looks like.
From the distribution of that threat perspective our ability to, within the laws appropriate across
the globe and auditable against those laws, share that threat intelligence without rushing up
against or breaking those laws is very important to an organization. This ultimately keys to the
development of the value proposition of why do business with the global MSSP in the ﬁrst place.
Gardner: It was interesting to me when Sam said that there's no difference between
understanding your ﬁnancial situation and your security posture. Is there some opportunity for
security and cybersecurity to be a driver for even better business practices?
Now, you might start employing these technologies and putting in place these operational
capabilities because of an existential threat to your security, but in doing so, it seems to me that
you're becoming a far better organization along the way. Have any customers, or have you
yourself, been able to demonstrate that taking the opportunity to improve your cyber posture also
improves your business posture?
Not well managed
Weber: That's becoming evident. Not everybody gets it yet, but more and more people do.
The general proposition is that an organization that doesn't understand, for example, its ﬁnancial
position is not well-managed and isn't a good investment. It probably can't mobilize its resources
to support its customers.
It isn't in a position to bring new products to market and probably can't support those products.
Or it might ﬁnd that those product lines are stolen, manufactured at a lower standard by
somebody else, and not properly supported, so that the customer suffers, the company suffers,
and everybody but the cyber thief suffers.
A ﬁnancial organization that can't take care of their own ﬁnancial position can't serve their
customers, just as an organization that doesn't understand its cybersecurity posture can't preserve
value for shareholders and deliver value for its customers.
Gardner: Dean, looking at this same beneﬁt, what you do for cybersecurity beneﬁts extend to
other business beneﬁts, is there a return on investment (ROI) impact where you could measure
the investments made for extensive security but then leverage those capabilities in other ways
that offset the price. Has that been the case for you or are you aware of anyone that's done the
bean counting in such a fashion?
Weber: There absolutely is an ROI in security. In fact, there is actually a concept of return on
security investment (ROSI), but I would say generally that most people don't really understand
what those calculations mean.
Where the rubber hits the road is more along the lines of keeping the CEO and the CFO out of
jail when they have to sign off on things like Sarbanes–Oxley. Or the fact that you don't have to
make an SEC ﬁling as a result of ﬁnancial-systems breach that impacts your ability to keep
revenues that you may have already attained.
The real return on investment is less measured in savings than it is in -- as Sam likes to say --
keeping us off the front page of "The Wall Street Journal" above the fold, because the real impact
to these things traditionally is not in the court of law, but in the court of public opinion.
They tend to look at organizations that can't manage themselves well and end up in the news at
not managing themselves well, less favorably than they do for companies that do manage their
Visner: What is a pound of cybersecurity worth? I'll put it to you this way. What is a pound of
stolen intellectual property worth? That that intellectual property means that somebody else is
stealing patient data, manufacturing your products, or undermining your power grid.
One way of thinking is that it's not the value of the cybersecurity so much, but the diminished
value of the assets that you would lose that you could no longer protect.
That’s as good a place as any to measure that ROI. If you do measure that ROI, the question is
not how much are you spending on cybersecurity. The question is what would you lose if you
didn’t make that spend. That’s where you see the positive return on investment for cybersecurity,
because for any organization, the spend on cybersecurity is almost insigniﬁcant compared to the
value that would be lost if you didn’t make that spend.
When you think about what it cost to bring to market a product, a new pharmaceutical, a new
aircraft design, a new jet engine, and what happens if somebody gets there ﬁrst or undermines
your intellectual property, the value of that intellectual property towards what people are
prepared to spend and protect is worth it.
Gardner: As we take the lessons internally, can you offer some recommendations for how others
could proceed? Are there any aspects of what you've done with HP internally at CSC that maybe
provide some stepping stones? What would you recommend in terms of ﬁrst steps, initial steps,
or lessons learned that others might beneﬁt from in terms of what you've done?
Visner: The real question is not what we've done internally, but the internal process we used, for
example, in deciding to work with a speciﬁc strategic partner. We recognized early on that this is
not a one company problem.
This is a problem where we are dealing with weapons grade threats from nations-state. This is a
problem where we are dealing with weapons grade threats from organized criminals who have
vast resources at their disposal. This is a problem of intellect, and therefore, no one organization
is going to have sufﬁcient intellect to be able to deal with this problem globally.
As a company, CSC tends to seek out partners to whom we can couple our intellect and get a
synergistic result. In this case, the process of making that relationship real when it ﬂows through
deﬁning our portfolio, deﬁning the services that comprise the portfolio, managing the
development of those services through our offering lifecycle management process, and then
choosing companies whose technology provides the needed strength for each one of those
offerings, each one of the elements of that portfolio.
In this case, that process serves us well, because we're going to need a wide range of technology.
Nobody is in a position to confront this problem on their own -- absolutely nobody. Everybody
needs partners here. But the question is whom?
We have people show up on our doorstep with ideas and technologies and products every day.
But the real issue is, what is a good organizing principle? That organizing principle has two
components. One, you need a wide range of capabilities, and two, you need to choose from
among the wide range of technologies you need for that wide range of capabilities. You need a
process that’s disciplined and well-ordered.
Believe me, we have people show up and ask why it takes so long, why it's such an elaborated
process, and can't you see that our product is absolutely the right one.
The answer is that it's like a single hero going out onto the battleﬁeld. They maybe a very
effective ﬁghter, but they're not going to be able to master the entirety of the battleﬁeld. That
can't be done. They're going to need partners. They're going to need mates in the ﬁeld. They're
going to need to be working alongside other people they trust.
So in working with HP and the ArcSight tool as our security information and management
player of our global logical SOC, our global logical managed cybersecurity service, and in
working with HP Fortify we chose a partner we thought -- and we think correctly -- is a strong
long-term strategic partner.
It's somebody with whom we can work. HP recognizes that we do. They're not going to solve this
problem on their own. What one company is going to solve a problem on their own when they
are up against the global environment of nation-state and trade actors? We all need these
Our company is unique in that we've always looked to our partner relations for key technologies
to enable offerings in our portfolio.
We've always believed that you go to market and you serve your customers with strategic
partners, because we've always believed that every problem that had to be solved would require
not only our abilities as an integrator, but the abilities of our partners to help in the development
of some of this technology. That’s what makes the most sense.
For a company like CSC that is largely technology-independent, it gives us access to a wide
range of technology partners. But as a company, we're smart about the partners that we choose
because of the technologies that we have. Although there's a wide range of potential partners, we
work with companies that we think are going to be long-term strategic partners against high-
value problems and challenges -- in this case HP and cybersecurity respectively.
Gardner: Last word to you, Dean. Just based on your experiences, as the Chief Technical
Ofﬁcer increasing and improving your security posture, are there any lessons learned that you
could share for others that are seeking the same path?
Weber: I'll leave you with two thoughts. One is again the value proposition of doing business
with a global business MSSP. We do have those processes and processes in our background
where we are trying to bring the best price-performance products to market.
There maybe higher-priced solutions that are ﬁt for purpose in a very small scale, or there may
be some very low-price solutions which are ﬁt for purpose in a very large scale, but don't solve
for the top-end problems. The juggling act that we do internally is something that the customer
doesn't have to do, whether that’s the CSC internal account or any of our outside paying
The second thing is the rigor with which we apply the evaluation process through an offering
lifecycle or product lifecycle management program is really part and parcel of the strength of our
ability to bring the correct product to market in the correct timeframe and with the right amount
of background to deliver that at a level of maturity that an organization can consume well.
Gardner: Well, great. I'm afraid we'll have to leave it there. We've been exploring how IT
leaders are improving security and reducing risks as they adapt to the new and often harsh
realities of doing business online and we've been learning through the example of CSC itself.
I’d like to offer a huge thanks to our guests. We've been here with Dean Weber, the Chief
Technology Ofﬁcer for CSC Global Cybersecurity. Thank you, Dean.
Weber: Thank you.
Gardner: And also Sam Visner, the Vice President and General Manager for CSC Global
Cybersecurity. Thank you so much, Sam.
Visner: It's been a pleasure. Thank you for having us.
Gardner: And you can gain more insights and information on the best of IT performance
management at www.hp.com/go/discoverperformance. And you can always access this and other
episodes of our HP Discover Performance podcast series on iTunes under BrieﬁngsDirect.
I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for this
ongoing discussion of IT innovation and how it's making an impact on people’s lives. Thanks
again for listening, and come back next time.
Listen to the podcast. Find it on iTunes. Sponsor: HP
Transcript of a BrieﬁngDirect podcast on the growing need for cybersecurity as an important
organizational goal for businesses and government agencies. Copyright Interarbor Solutions,
LLC, 2005-2013. All rights reserved.
You may also be interested in:
• HP Vertica General Manager Sets Sights on Next Generation of Anywhere Analytics
• HP Vertica Architecture Gives Massive Performance Boost to Toughest BI Queries for
• HP-Fueled Application Delivery Transformation Pays Ongoing Dividends for McKesson
• Podcast recap: HP Experts analyze and explain the HAVEn big data news from HP
• HP's Project HAVEn rationalizes HP's portfolio while giving businesses a path to total
• Insurance leader AIG drives business transformation and IT service performance through
center of excellence model
• HP BSM software newly harnesses big-data analysis to better predict, prevent, and
respond to IT issues