Defining the New State for Comprehensive Enterprise Security Using CSC Services and HP Security Technology
Transcript of a BriefingsDirect podcast on the growing menace of cybercrime and what
companies need to do to protect their intellectual property and their business.
Listen to the podcast. Find it on iTunes. Sponsor: HP
Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance
Podcast Series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your
moderator for this ongoing discussion of IT innovation and how it’s making an
impact on people’s lives.
Once again, we're focusing on how IT leaders are improving security and
reducing risks, as they adapt to new and often harsh realities of doing business
online. I am now joined by our co-host for this sponsored podcast series, Paul
Muller, Chief Software Evangelist at HP Software. Welcome back, Paul. How are you?
Paul Muller: I'm great, Dana. Thanks for having me back. It's good to be back, and I'm looking
forward to a great conversation today.
Gardner: We do have a fascinating discussion today. We’re going to be learning how HP’s
Strategic Partner and IT services and professional services global powerhouse CSC is helping its
clients to better understand and adapt to the current cybersecurity landscape. Let's welcome our
guests. We’re here with Dean Weber. He is the Chief Technology Officer, CSC Global
Cybersecurity. Welcome, Dean. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]
Dean Weber: Hi, Dana. Happy to be here.
Gardner: Great to have you. And we’re also joined by Sam Visner. He is the Vice President and
General Manager, CSC Global Cybersecurity. Welcome.
Sam Visner: Thank you, and thanks for having us. We’re very grateful.
Gardner: This is obviously a hot topic. Just this morning I picked up the New
York Times and the top headline was that Chinese hackers have resumed attacks
on US targets. We’re seeing a lot of interest, and frankly, we’re not seeing things
couched or dressed up anymore. We’re really getting into sort of the state of the state.
Now, we can sit here and gnash our teeth, and people can head to the hills, but I don't think that's
going to do any good. Let's talk about these harsh terms. Let's start with you, Dean. What is the
scale here? Are we only just catching up in terms of the public perception of the reality? How
different is the reality from the public perception?
Weber: The difference is night and day. The reality is that we are under attack, and have been for
quite some time. We are, as Sam likes to put it, facing a weapons-grade threat analysis that goes
on in the world, and the good guys are trying to catch up.
Gardner: Sam, anything to offer on that? Is there something that people are missing in terms of
understanding the threat, not just in the severity, but perhaps something else?
Visner: When I think about the threat, I think about several things happening at once. The first
thing is that we’re asking IT, on which we depend, to do more. It's not just emails, collaboration,
documents, and spreadsheets. It isn’t even just enterprise systems.
IT for manufacturing
It extends all the way down to the IT that we use for manufacturing, to control power plants,
pipelines, airplanes, centrifuges, and medical devices. So, the first thing is that
we’re asking IT to do more, and therefore there's more to defend. Secondly, the
stakes are higher. It's not just up to us.
Government has said that the cybersecurity of the private sector is of public
concern. If you're a regulated public utility for power, water, healthcare, finance,
or transportation, your cybersecurity is an issue of public interest. So, this isn’t
just the public cybersecurity, it's the cybersecurity of the private sector, which is in the public
Third is the point that Dean made, and I want to elaborate on it. The threat is very different.
Today, intellectual property, whether or not it's possessed by the public sector or the private
sector, if it's valuable, if it's worth something, it's worth something to a bad guy who wants to
steal it. And if you have critical infrastructure that you’re trying to manage, a bad guy may want
to disrupt it, because their government may want to be able to exercise power.
And the threats are different. The threats are not just technically sophisticated. That's something
a hacker, a teenager, can do. In addition to being technically sophisticated, they’re operationally
That means this is foreign governments, or in some cases, foreign intelligence services that have
the resources and the patience to study a target, a company, or a government agency over a long
period of time, use social networking to figure out who has administrative privileges inside of
that organization, and use that social networking to identify people whom they may want to
subvert and who may help them in introducing malware.
Then, once they have decided what information they want, who safeguards it, they use their
technical sophistication to follow up on it to exploit their operational knowledge. This is what
differentiates a group of hackers, who may be technically very bright, from an actual nation-state
government that has the resources, the discipline, the time, and the patience to stick with the
target and to exploit it over a long, long period of time.
So, when we use the term "weapons grade," what we mean is a cyber threat that's hard to detect,
that's been wielded by a foreign government, a foreign armed force, or a foreign intelligence
service the way a foreign government wields a weapon. That's what we’re really facing today in
the way of cybersecurity threats.
Muller: You asked if the headlines are simply reflecting what has always been going on, and I
think the answer is yes. Definitely, there is an increased willingness of organizations to share the
fact that they have been breached and to share what some of those vulnerabilities have been.
That's actually a healthy thing for society as a whole, rather than pretending that nothing is going
on. Reporting the broken window is good for everybody. But, the reality is the sophistication and
the scale of attacks as we have just heard, have gone up and have gone up quite measurably.
Cost of cybercrime
Every year we conduct a Cost of Cyber Crime Study with the Ponemon Institute. If we look
just at the numbers between 2010 and 2012, from the most recent study in October, the cost
impact of cyber crime has gone up 50 percent over that period of time. The number of successful
attacks has gone up two times. And the time to resolve an attack has almost doubled as well. So it has
become more expensive, greater scale, and it's becoming more difficult to solve.
Visner: We would absolutely agree with that, that the scale of the attack has changed
significantly. Whereas this had been done in the past, now it's being done, we believe, as part of
national policies to augment national power. So, the scope, scale, and sophistication are so much
greater, as to almost characterize this as a new phenomenon.
Gardner: What strikes me as being quite different from the past, too, is when businesses
encountered risks, even collective risks, they often had a law enforcement or other regulatory
agency that would come to their rescue.
But, in reading the most recent New Yorker, the May 20 issue, in an article titled Network
Insecurity by John Seabrook, Richard McFeely, the Executive Assistant Director of the F.B.I.,
says quite straightforwardly that we simply don't have the resources to monitor the mammoth
quantity of intrusions that are going on out there.
So, enterprises, corporations, governments even can't really wait for the cavalry to come riding
in. We’re sort of left to our own devices, or have I got that a little off-base, Dean?
Weber: The government can provide support in talking about threats and providing information
about best practices, but overall, the private sector has a responsibility to manage its own
infrastructures. The private sector may have to manage those infrastructures consistent with the
public interest. That's what regulation means.
But the government is not going to provide cybersecurity for power companies’ power grid or for
pharmaceutical companies’ research program. It can insist that there be good
cybersecurity, but those organizations have always had to manage their own
Today, however, the threat to those infrastructures and the stakes of losing control
of those infrastructures are much higher than they have ever been. That's what's
There is also a tradeoff that can be done there in terms of how the government shares its threat
intelligence. Today, threat intelligence shared at the highest levels generally requires a very, very
high level of security, and that puts it out of reach of some organizations to be able to effectively
utilize, even if they were so desirous.
So as we migrate ourselves into dealing with this enhanced threat environment, we need to also
deal with the issues of enhancing the threat intelligence that we use as the basis of decision.
Gardner: Well, we've defined the fact that the means are there and that the incidences are
increasing in scale, complexity, and severity. There is profit motive, state secrets, and
intellectual-property motives. Given all of that, what can organizations start to do, or at least
what can they recognize about what they have done in the past that isn’t adequate to recognize
that they are really in a much deeper problem than they had been? What's wrong with the old
method? Let's start at that level and let's start with you, Dean.
Weber: Against the current state-of-the-art threat, our ability to detect them as they are
coming in, or while they are in, has almost diminished to the point of non-existence. If we're
catching them at all, we're catching them on the way out.
We've got to change the paradigm here. We've got to get better at threat intelligence. We've got to
get better at event correlation. We've got to get better at the business of cybersecurity. And it has
to be a public-private partnership that actually gets us there, because the public has an interest in
the private infrastructure to operate its countries. That’s not just US; that’s global.
Visner: Let me add a point to that that’s germane to the relationship between CSC and HP
Software. It's no longer an issue of finding a magic bullet. If I could just keep my antivirus
fully updated, I would have the best signatures and I would be protected from the threat. Or if my
firewall were adequately updated, I would be well protected.
Today, the threat is changing and the IT environment that we're trying to protect is changing. The
threat, in many cases, doesn’t have a known signature and is being crafted by nations/states not
to have it. Organizations ought to think twice about trying to do these themselves.
Our approach is to use a managed cybersecurity service that uses an infrastructure, a set of
security operation centers, and an architecture of tools. That’s the approach we're using. What
we're doing with HP Software is using some key pieces of HP Software technology to act as the
glue that assembles the cybersecurity information management architecture that we use to
manage the cybersecurity for Global 1000 companies and for key government agencies.
Our security operations centers have a set of tools, some of which we've developed, and some of
which we've sourced from partners, bound together with HP’s ArcSight Security Information and
Event Management System. This allows us to add new tools, as we need to retire old tools, when
they are no longer useful.
They do a better job of threat correlation and analysis, so that we can help organizations manage
that cybersecurity in a dynamic environment, rather than leave them to the game of playing
Whac-A-Mole. I've got a new threat. Let me add a new tool. Oh, I've got another new threat. Let
me add another new tool. That's opposed to managing the total environment with total visibility.
So that managed cybersecurity approach is the approach that we're using, and the role of HP
Software here is to provide a key technology that is the sort of binder, that is the backbone for
much of that architecture that allows us to manage organically, as opposed to a piece at a time.
Customers, who try to manage a piece at a time, invariably get into trouble, because they can't do
it. They're always playing catch up with the latest threat and they are always at least one or two
steps behind that threat by trying to figure out what is the latest band-aid to stick over the wound.
Muller: Sam makes a great point there, Dana. The sophistication of the adversary has risen,
especially if you're in that awkward position. You're big enough to be interesting to an attacker,
especially when it’s motivated by money, but you are not large enough to have
access to up-to-date threat information from some of the intelligence agencies of
your national government.
You're not large enough to be able to afford the sort of sophisticated resources
who are able to dedicate the time taken to build and maintain honey pots to
understand and hang out in all of the deep dark corners of the internet that
nobody wants to go to.
Those sorts of things are the types of behaviors you need to exhibit to stay ahead of, or at least not
get behind, that threat landscape. By working with an organization that has that sort of
capacity by opting for managed service, you're able to tap into a skill set that’s deeper and
broader and that often has an international or global outlook, which is particularly important.
When the threat is distributed around the planet, your ability to respond to that needs to be
Gardner: So I'm hearing two things. One that this is a team sport. I'm also hearing that this is a
function of better analytics of really knowing your systems, knowing your organization,
monitoring in real time, and then being able to exploit that. Maybe we could drill down on those.
This new end state of a managed holistic security approach, let's talk about it being a team sport
and a function of better analytics. Sam?
Visner: There's no question about it. It is a team sport. Fortunately, in the United States and in a
few other countries, people recognize that it's a team sport. More and more, the government has
said that the cybersecurity of the private sector is an issue of public interest, either to regulation,
standards regulation, or policy.
More and more in the private sector, people have realized that they need threat information from
the government, but there are also accruing threat information they need to share with the
government and proliferate around their industries.
That has happened, and you can see coming out of the original Comprehensive National
Cybersecurity Initiative of 2006-2007, all the way to the current recent executive order from the
President of the United States, that this is a team sport. There is no question about that.
At the same time, a lot of companies are now developing tools that have APIs, programming
interfaces that allow them to work together. Tools like ArcSight provide an environment that
allows you to integrate a lot of different tools.
What's really changing is that global companies like CSC have become a global cybersecurity
provider based on the idea that we will do this as a partner. We're not going to just sell a tool to a
customer. We're going to be their partner to manage this environment.
More and more, they have the discussion underway about improved information sharing from the
government to the private sector, based on intelligence information that might be provided to the
private sector, and the private sector being provided with more protected means to share
information relating to incidents, events, and investigations with the public sector.
At the same time, enterprises themselves know that this has to be a team sport within an
enterprise. It used to be that the email system was discrete, or your SAP system was discrete,
inside of an enterprise. That might have been 10 years ago. But today, these things are part of a
common enterprise and tomorrow they're going to be part of a common enterprise, where these
things are provided as a service.
And the day after that, they'll be provided as a common enterprise with these things as a service
on a common infrastructure that we call a cloud. And the day after that, that cloud will extend all
the way down to the manufacturing systems on the shop floor, or the SCADA systems that
control a railway, a pipeline, or the industrial control systems that control a medical device or an
elevator, all the way out to 3D manufacturing.
The entire enterprise has to work together. The enterprise has to work together with its
cybersecurity partner. The cybersecurity partner and the enterprise have to work together with
the public sector and with regulatory and policy authorities. Governments increasingly have to
work together to build a secured international ecosystem, because there are bad actors out there
who don’t regard the theft of intellectual property as cyber crime.
For some countries, like China and Russia, cybersecurity is more about protecting those
governments from dissidents and from challenges to their sovereign power, than it is about
protecting the intellectual property of companies or the privacy of individuals.
From their perspective, they don’t necessarily understand our worry about the protection of
intellectual property. That’s just their game. They don’t worry about the protection of privately
identifiable information that cyber criminals want to get -- our credit card and financial data. To
them it's just their game.
So in an environment where nation-states are playing by a different set of rules, if we don’t play
together, if countries and companies that believe in free enterprise and democracy don’t work
together, we'll be defenseless.
Now fortunately, people get this increasingly and we're working together. That’s why we're
finding partners who do the managed cybersecurity, and finding partners who can provide key
pieces of technology. CSC and HP are an example of two companies working together in
differentiated roles, but for a common and desirable outcome.
Muller: As Sam pointed out, one of the problems that we face here is an increasing amount of
oversight from regulatory compliance vectors, where obfuscation of source and method may be
an individual nationalistic guideline. That makes a global managed cybersecurity vendor difficult
One of the reasons for choosing the relationship that we did with HP was exactly that, our ability
to use the API to extract metadata from the underlying event-management sources and large
sources and contribute that to a greater knowledge base. This allows us to appropriately and
within the geographic laws share threat intelligence in a more efficient manner.
Weber: So let me think about how we chop this up, Dana. It’s a three-step process. The first is
see, understand, and act -- at the risk of trivializing the complexity of approaching the problem.
Seeing, as Sam has already pointed out, is to just try to get visibility of intent to attack, attacks in
progress, or worst case, attacks that have taken place, attacks in progress, and finally, how we
manage the exfiltration process.
Understanding is all about trying to unpack the difference between "bragging rights attacks,"
what I call high-intensity but low-grade attacks in terms of cyber threat. This is stuff that’s being
done to deface the corporate website. Don’t get me wrong, it’s important, but in this scheme of
things, it’s a distraction from some of the other activities that are taking place. Also understanding
is in terms of shifting or changing your compliance posture for some sort of further action.
Then, the last part is acting. It’s not good enough simply to understand what’s going on, but
it’s shutting down attacks in progress. It’s being able to take proactive steps to address breaches
that may exist and particularly to address breaches in the underlying software.
We have always been worried about protecting the perimeter of our organization through the
technologies, but continue to ignore one of the great issues out there, which is that software
itself, in many cases, is inherently insecure. People are not scanning for, identifying, and
addressing those issues in source code and binary vulnerability.
Gardner: Well, it certainly sounds to me as if we're going after this new posture with added
urgency because of cybersecurity, but it dovetails with a lot of what companies should have
been doing for a lot of reasons. That is to get to know yourself better, know your systems better,
putting in diagnostics and monitoring capabilities, and elevating those to a more centralized
approach for management and reporting.
Cybersecurity is a catalyst, but these are going to make companies more healthy. These are
investments that will pay back dividends in many ways, in addition to helping you mitigate risk.
Any thought about why this is just good business, not just good cyber-security prevention? Sam.
Visner: Security is a journey. Paul was saying that organizations have to stay up with it. They
can’t just rest on their laurels regarding their defenses. They have to continually evolve with the
threat and to do that means that, as we get better at one level of security, another level of security
becomes the low hanging fruit. As we get better at infrastructure security, application security
becomes more of an issue.
And organizations aren’t doing the appropriate level of source code and binary scanning. They
aren’t doing the ad hoc or interval scanning that is necessary to make sure that their applications
not only were developed correctly, but they were also deployed correctly, and remain correctly
deployed throughout their lifecycle.
Again, this is where integration of the technologies that are available to us today and that has
never been done before is important for organizations to consume. With that being said, this is a
huge undertaking, to be able to include your application code scanning in with your security
event and information management is a difﬁcult prospect. But it's one that CSC and HP have
collectively decided to take up.
Visner: Speaking to the question of whether people have been doing this before, sure. On the
other hand, the intensity of the adversarial effort has changed in recent years. It's only recently
that governments have been able to discuss, or have found a way to talk, openly about that threat.
Level of security
As recently as three years ago, we would hear things such as, "Well, you guys come from the
national security environment." Dean and I both do. I used to be Chief of Signals Intelligence
Programs in the US National Security Agency. And the rap on us was, "You think about this from
a national security perspective, but commercial organizations don’t face this level of threat and
don’t need this level of security."
Only in recent years, the report of the US National Counterintelligence Executive shows that
foreign intelligence services are targeting the intellectual property of the US private sector. We’re
actually seeing reports of what foreign governments and intelligence services and cyber
criminals are doing to steal from both the private sector and the public sector. But only in recent
years have we really sensitized the private sector to what they have at stake.
So while these should have been happening all along, for many people, there wasn’t this
awareness. Those who might have shared that awareness have been doing so, but they've only been as
useful as we would like them to be in just the last few years.
Now, there's no excuse. There is an Industrial Control System Computer Emergency Response
Team at the Department of Homeland Security that demonstrates that industrial control systems
are at risk. Their security is a question of vital national concern, as well as vital concern to the
companies that run those industrial control systems.
You're seeing reports from both the private sector and the public sector about theft of intellectual
property. You're seeing key leaders from both sectors speaking to the other. It’s really in the last
24 months that the corner has been turned in the candor of the discussion and its ability to give
people real reason to pay attention to the problem.
Muller: Dana, Dean, and Sam, I'd like your thoughts on this. There are parallels to this in
traditional society. Cybersecurity has that cloak of mystery about it. It’s the sort of thing you read
about in spy novels. But take it down to a more prosaic level. If we think about commerce in our
own environments in the traditional bricks and mortar type environment, people will tend not to
spend money and economies will be less effective, if people feel insecure and unsafe walking
down the street to go shopping.
If they feel they can't get on public transport with confidence and safety, they're less likely to go
out. They're less likely to interact in the economy as a whole. They basically hold back. That’s
the primary reason old economies and societies tend to have security forces, policing forces -- for
the public trust.
There's generally a sense that when you go out during your day to go to school, go to work,
whether to transact or to sell something, that you can trust in society around you in order to be
able to do that. It’s not just about you being secured, but it’s about understanding what's
happening around you. If you take the pattern of activity, a rise in crime, a rise in attempts of
crime in your area, it could be an indication of potentially more dangerous and more threatening
activities taking place.
Even in something as prosaic as neighborhoods, good security is good hygiene, not just for your
immediate concerns, but for business in general. The fact that there is so much increased
awareness around the topic now, people are feeling more willing to share when their car "got
broken into." It helps everybody in terms of preparedness, and more importantly, makes sure that
people have taken necessary steps to get on top of the problem, because it is occurring.
That’s what both Dean and Sam have been saying: this problem is occurring 24x7. It's just
a question of whether or not it's being reported and we understand it.
Visner: I agree with your point, but to a certain extent, it's a binary situation. For example, let's
assume that you're using big-data analytics to help you make decisions of very high value -- how
to price your retail products if you're a key retailer, how to allocate your R&D resources if
you're making pharmaceuticals, or how to deploy your army, navy, or air force in a theater of
The validity of that decision is a direct corollary to the amount of security that you have. If you
don’t have a high degree of confidence in the provenance and the origin of that data, or the fact
that the data hasn’t been altered or tampered with, then the decision may be absolutely valueless.
If you're using computer-aided manufacturing for 3D manufacturing, particularly for high-spec
parts and you don’t have a high degree of assurance that the data you're using to control those
machines hasn’t been tampered with or that those designs haven’t been stolen, it may in fact be a
valueless thing to do.
There's a company in China that had its control technology for wind turbines or wind energy
stolen. They are not all that big. Some of it was stolen, but enough was stolen that their market
share has been eliminated in China. Their market share may be eliminated globally, and therefore,
although only some of the data may be stolen, the entire company may have been placed at risk.
So there is a threshold phenomenon. You don’t have to lose all of your data to lose all your
integrity. You don’t have to lose all of your data to lose the entirety of your business, to lose the
entirety of your value proposition. You only have to lose that part of the data that’s most
important to you. Therefore, from our perspective, it's not that people should walk around being
paranoid, but they should walk around realizing that while this is a manageable problem, if they
don’t seek to manage the problem, they're very likely to go out of business. That's the difference.
Muller: I don’t know whether you've read this whitepaper that was produced, I think by Ross
Anderson and a number of others, discussing measuring the cost of cybercrime, out of the UK.
What was interesting was the conclusion that crime has always been there, but the majority of
crime is now able to be carried out more effectively at lower cost on a greater scale through
electronic means. In other words, cybercrime has become the default form of crime. It may be a
better way of putting it.
Weber: There is still a lot to be stolen in physical space and, by the way, it's not just a computer
network attack, but being able to destroy or damage information, destroy or damage an
information infrastructure, or even destroy or damage a physical infrastructure like a power plant
that relies on IT and IT infrastructure. Perhaps it makes the turbines run at the wrong speed,
damaging them. It's been demonstrated that it can be done.
So I don’t know that it is the new default kind of crime. What I would say is that it operates at a
huge scale. Keith B. Alexander of NSA and CYBERCOM says, “It’s the greatest illegal transfer
of wealth in history.” At the same time, there are enterprises today that don’t exist apart from
information. Think about key information providers. They don’t have anything other than
information to steal. They don’t have any resources other than information resources to damage
or to destroy.
There's a whole new part of the economy. In cyberspace, as the Egyptian government found out,
there is a whole new ecosystem in which people can organize and seek to change the balance of
power between governments and citizens. And that’s an environment that doesn’t exist in
So if it's not cybersecurity, it isn't security at all. And if you're a key organization that deals
principally in information, it's not your physical infrastructure that you have to worry about. That
can be recreated or even virtualized. But if you lose your information or the ability to manage
that infrastructure on which your information relies, then you have lost everything.
So for them it's not just the default source of crime, it's the only thing that matters anymore.
Muller: Having terrified everybody, shall we talk about next steps?
Gardner: We're coming up a bit on the end of our time. Before we sign out, I'd like to try to do
just that. What are some of the two or three major pillars that organizations should start to
inculcate as a culture, as a priority, given how pervasive these issues are, how existential they
are, for so many companies and organizations? What do you have to do in terms of thinking
differently in order to start really positioning yourself to be proactive and aggressive in this
regard? Let's go down our list of speakers. Let's start with you, Sam.
Visner: The first thing is that you’ve got to make an adequate assessment of the kind of
organization you are. The role information and information technology plays in your
organization, what we use the information for, and what information is most valuable. Or
conversely, what would cause you the great difficulty, if you were to either lose control of that
information or confidence in its integrity.
That has to be done not just for one piece of an enterprise, but for all pieces of the enterprise. By
the way, there is a tremendous benefit, because you can re-visualize your enterprise. You can sort
of business-process reengineer your enterprise, if you know on what information you rely,
what information is most valuable, what information, if was to be damaged, would cause you the
That’s the ﬁrst thing I would do. The second thing is, since as-a-service is the way organizations
buy things today and the way organizations provide things today, consider taking a look at
cybersecurity as a service.
Rather than trying to manage it yourself, get a confident managed cyber-security services
provider, which is our business at CSC, to do this work and be sure that they are equipped with
the right tools and technologies, such as ArcSight Security Information and Event Management
and other key technologies that we are sourcing from HP Software.
Third, if you're not willing to have somebody else manage it for you, get a managed
cybersecurity services provider to build up your own internal cybersecurity management
capabilities, so that you are your own managed cybersecurity services provider.
Next, be sure you understand, if you are part of critical infrastructure -- and there are some 23
critical infrastructure sectors -- what it is that you are required to do, what standards the
government believes are pertinent to your business.
What information you should have shared with you, what information you are obligated to share,
what regulations are relevant to your business, and be sure you understand that those are things
that you want to do.
Next, rather than trying to play Whac-A-Mole, having made these decisions, determine that
you're going to make a strategic investment and not think of security as being added on and
what's the least you need to do, but realize that cybersecurity is as organic to your value
proposition as R&D is. It's as organic to your value proposition as electricity is. It's as
organic to your value proposition as the good people who do the work. It's not once the least you
need to do, but what are the things that contribute value.
Cybersecurity doesn’t just protect value, but in many cases, it can be a discriminator that
enhances the value of your business, particularly if your business either relies on information, or
information is your principal product, as it is today for many businesses in a knowledge
economy. Those are things that you can do.
Lastly, you can get comfortable with the fact that this is a septic environment. There will always
be risks. There will always be malware. Your job is not to eliminate it. Your job is to function
confidently in the midst of it. You can, in fact, get to the point, both intellectually and
emotionally, where that’s a possibility.
The fact that you can have an accident doesn’t deter us from driving. The fact that you can have
a cold doesn’t deter us from going out to dinner or sending our kids to school.
What it does is make sure that we're vaccinated, that we drive well, that we are competent in our
dealings with the rest of the society, and that we're prudent, but not frightened. Acting as if we
are prudent, but not frightened, is a step we need to take.
Our brand name is CSC Global Cyber Security. The term we use is Cyber Confidence. We're not
going to make you threat proof, but we will make you competent and confident enough to be able
to operate in the presence of these threats, because they are the new norms. Those are the things
you can do.
Gardner: Dean, quickly, a number of things from your perspective that are top-of-line thoughts,
and perceptions, ideas that people should consider as they move to this new posture?
Weber: In addition to what Sam talked about, I'm a huge fan of data classification. Knowing
what to protect gives you the opportunity to decide how much protection is necessary by
whatever data classification that is.
Whether that’s a risk management framework like FISMA, or it’s a risk management framework
like the IL Series Controls of the UK Government or similar in Australia, these are risk
management frameworks. They are deterministic about the appropriate level of security. Is this
public information, in which case all you have to do is worry about whether it’s damaged and
how to recover if and when it is? Or is this critical? Is this injurious to life, limb, or the pursuit of
profits? And if it is, then you need to apply all the protections that you can to it.
And last but not least, again, as I pointed out earlier, our ability to detect every intrusion is
almost nil today. The state of the threat is so far advanced. Basically, they can get in when they
want to, where they want to.
They can be in for a very long period of time without detection. I would encourage organizations
to beef up their perimeter controls for egress filtering and enclaving, so that they have the ability
to manage the data that is being actually traded out of their networks.
Gardner: Paul Muller, last word to you, top-of-the-line thoughts, cultural shift: what is the new
rethinking that needs to take place to get to this new posture?
Muller: There has been so much great content today that summarizing the action is going to be
challenging. Sam made a point. It’s important to be alert, but not alarmed. Do not let security
send you into a sense of panic and inaction. Don’t hire an organization to help you write security
policy that then just sits on the shelf. A policy is not going to give you security. It’s certainly not
going to stop any of the bad guys from exfiltrating any of that information that you have.
I'll say a couple of things. First, it’s not like buying an alarm and locks for your organization.
Before, physical security was kind of a process you went through, where you started, it had a
start and middle and an end. This is an ongoing process of continually identifying incoming
threats and activities from an adversary that is monetized and has a lot to gain from their success.
It’s an ongoing process. As a result, as we said earlier today, security is a team sport. Find a
friend who does it really well and is prepared to invest in an ongoing manner to make sure that
they're able to stay here.
I'd concur with Dean's point as well. Ultimately, it's about the exfiltration of your data. Put in
place processes that help you understand the information that is leaving your organization and
take steps to mitigate that as quickly as possible. Those are my highest priorities.
I'd also add that if you're having trouble identifying some of the benefits for your organization,
and even having trouble trying to get a threat assessment prioritized in your organization, have a
look at the Cost of Cyber Crime Study that we've conducted across the globe: United Kingdom,
Germany, Australia, Japan and, of course, the US. It was the third in the series; now we do it
annually. You can go to hpenterprisesecurity.com and get a copy of that report and hopefully
shift a few of the, maybe more intransigent, people in your organization to action.
Gardner: Well I'm afraid we will have to leave it there. We've been learning how HP’s Strategic
Partner and IT Services and Professional Services, global powerhouse CSC is helping its clients
to better understand and adapt to the current cybersecurity landscape.
I'd like to thank our supporter for this series, HP Software, and remind our audience to carry on the
dialogue with Paul Muller and others through their blog, tweets and their Discover Performance
Group on LinkedIn, and I'd also like to thank our co-host Paul Muller. Thank you so much, Paul.
Muller: Always a pleasure.
Gardner: And also huge thanks to our special guests. We’ve been joined by Dean Weber, the Chief
Technology Officer for CSC Global CyberSecurity. Thank you, Dean.
Weber: Thank you.
Gardner: And also Sam Visner, the Vice President and General Manager there at CSC Global
Security. Thanks so much, sir.
Visner: Thank you, it's been a pleasure.
Gardner: And a last thank you to our audience for joining this special HP Discover
Performance Podcast. You can learn more about the best of IT Performance Management at
www.hp.com/go/discoverperformance and you can always access this and other episodes of our
HP Discover Performance Series on iTunes under BriefingsDirect.
This is Dana Gardner, Principal Analyst at Interarbor Solutions, your co-host and moderator for
this ongoing discussion of IT innovation and how it's making an impact on people's lives.
Thanks again for listening and come back next time.
Copyright Interarbor Solutions, LLC, 2005-2013. All rights reserved.