Your SlideShare is downloading. ×
Right-Sizing the Security and Information Assurance for Companies, a Core-versus-Context Journey
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Right-Sizing the Security and Information Assurance for Companies, a Core-versus-Context Journey


Published on

Transcript of a BriefingsDirect podcast on how healthcare provider Lake Health ensures that its internal systems continue to serve patient care, while protecting against outside threats.

Transcript of a BriefingsDirect podcast on how healthcare provider Lake Health ensures that its internal systems continue to serve patient care, while protecting against outside threats.

Published in: Technology

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Right-Sizing the Security and Information Assurance forCompanies, a Core-versus-Context JourneyTranscript of a BriefingsDirect podcast on how healthcare provider Lake Health ensures that itsinternal systems continue to serve patient care, while protecting against outside threats.Listen to the podcast. Find it on iTunes. Sponsor: HPDana Gardner: Hello, and welcome to the next edition of the HP Discover Performance Podcast Series. Im Dana Gardner, Principal Analyst at Interarbor Solutions, your moderator for this ongoing discussion of IT innovation and how it’s making an impact on people’s lives.   Once again, were focusing on how IT leaders are improving performance of their services to deliver better experiences and payoffs for businesses and end- users alike. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]Were now joined by our co-host for this sponsored podcast series, Chief Software Evangelist atHP, Paul Muller. Hello, Paul, welcome back.Paul Muller: Dana, its good to be back. How are you?Gardner: Im well. Are you still in San Francisco?Muller: Still in San Francisco, and it’s another lovely day.Gardner: Very good. Were also here with Raf Los. He is the Chief Security Evangelist at HP.Welcome back, Raf, how are you?Raf Los: Im well. Thank you.Gardner: And where are you joining us from today?Los: Im in Houston, Texas, today.Gardner: We have a fascinating show today, because were going to learn how regionalhealthcare services provider Lake Health in Ohio has matured from deploying securitytechnologies to becoming more of a comprehensive risk-reduction practice provider internallyfor its own consumers.Were going to learn how Lake Healths Information Security Officer has been expanding thebreadth and depth of risk management there to a more holistic level, and were even going to Page 1
  • 2. discuss how theyve gone about deciding for which risk and compliance services to seek outsideproviders and which to retain and keep inside, or on premises.With that, please join me in welcoming our special guest, Keith Duemling. He is the InformationSecurity Officer at Lake Health. Welcome, Keith.Keith Duemling: Hi. How are you guys doing today?Gardner: Were doing very well.Duemling: Good. Good to hear.Gardner: Keith, let me begin our discussion with a high level, almost a philosophical, question for you. Many people are practicing IT security and theyre employing products and technologies. Theyre putting in best practices and methods, of course, but it seems to me that you have a different take. Youve almost abstracted this up to information assurance, even quality assurance, for knowledge, information, and privacy. Tell me how that higher abstraction works,and why you think its more important or more successful than just IT security?Duemling: If you look at the history of information security at Lake Health, we started like mostother organizations. We were very technology focused, implementing one or two point solutionsto address specific issues. As our program evolved, we started to change how we looked at it andconsidered it less of a pure privacy issue and more of a privacy and quality issue.Go back to the old tenets of security, with confidentiality, integrity, and availability. We startedthinking that, of those three, we really focused on the confidentiality, but as an industry, wehavent focused that much on the integrity, and the integrity is closely tied to the quality.Information assuranceSo we wanted to transform our program into an information-assurance program, so that wecould allow our clinicians and other caregivers to have the highest level of assurance that theinformation theyre making decisions based on is accurate and is available, when it needs to be,so that they feel comfortable in what they are doing.So its not just protecting information from being disclosed, but its protecting information so thatits the right information, at the right time, for the right patient, for the right plan of care. From ahigh level, the program has evolved from simple origins to more of a holistic type of analysis,where we look at the program and how it will impact patient care and the quality of that patientcare. Page 2
  • 3. Gardner: It sounds like what I used to hear -- and it shows how long I have been around -- inthe manufacturing sector. I covered that 20 years ago. They talked about a move towards quality,and rather than just looking at minute or specific parts of a process, they had to look at it in total.It was a maturity move on behalf of the manufacturers, at that time.Raf Los, do you see this as sort of a catching up for IT and for security practices that are maybe20 years behind where manufacturing was?Los: More or less, Dana. Where Keith’s group is going, and where many organizations are evolving to, is a practice that focuses less on “doing security” and more on enabling the enterprise and keeping quality high. After all, security is simply a function, one of the three pillars of quality. We look at does it perform, does it function, and is it secure? So its a natural expansion of this, sort of a Six Sigma-esque approach to the business, where IT is catching up, as you’ve aptly put it. So I tend to agree with it.Gardner: Of course, compliance is really important in the healthcare field. Keith, tell us howyour approach may also be benefiting you, not just in the quality of the information, but helpingyou with your regulatory and compliance requirements too?Duemling: In the approach that we’ve taken, we haven’t tried to change the dynamics thatsignificantly. Weve just tried to look at the other side of the coin, when it comes to security. Wefind that a lot of the controls that we put in place for security benefit from an assurancestandpoint, and the same controls for assurance also benefit from a security standpoint.As long as we align what were doing to industry-accepted frameworks, whether it’d be NIST orISO, and then add the healthcare-specific elements on top of that, we find that that gives us agood architecture to continue our program and be mindful of the assurance aspect as well as thesecurity side.In doing so, were able to implement controls that span multiple compliance elements, so that weare not duplicating our efforts, missing something, or trying to reinvent the wheel. Obviously,were not the first healthcare provider, and we certainly wont be the last one, to go through thechallenges of compliance in the United States -- and how its ever changing.Add-on benefitsGardner: Are there some other ancillary or add-on benefits from your approach? I am thinkingof being able to be proactive, rather than reactive, on certain elements of your requirements. Ordo you have an ability to compress the amount of time that you can react, so that you can bemore real time in how you adjust. What are the other benefits to your approach? Page 3
  • 4. Duemling: One of the other benefits of the approach is that we look at the data itself or thebusiness function and try to understand the risks associated with it and the importance of thosefunctions and the availability of the data. When we put the controls and the protective measuresaround that, we typically find that if were looking specifically at what the target is when weimplement the control, our controls will last better and they will defend from multiple threats.So were not putting in a point solution to protect against the buzzword of the day. Were trying toput in technologies and practices that will improve the process and make it more resilient fromboth what the threats are today and what they are in the future.Gardner: Paul Muller, any thoughts about what youre hearing and how this might relate to thelarger marketplace that youre familiar with from some of the other clients and enterprises thatyoure talking to?Muller: A couple of observations. The first is that we need to be really careful when we think about compliance. Its something of a security blanket, not so much for security executives. I think InfoSec security executives understand the role of compliance, but it can give business leaders a false sense of security to say, "Hey, we passed our audit, so were compliant." There was a famous case of a very large financial-services institution that had been through five separate audits, all of which gave them a very clear bill ofhealth. But it was very clear from some of the honey pots they put in place in terms of certaindata that they were leaking data through to a market-based adversary. In other words, somebodywas selling their data, and it wasn’t until the sixth audit that it uncovered the source of theproblem.So we need to be really careful. Compliance is actually the low bar. Were dealing with a market-based adversary. That is, someone will make money from your data. Its not the nation-state thatwe need to worry about so much as the people who are looking to exploit the value of yourinformation.Of course, once money and profit enter the equation, there are a lot of people very interested inautomating and mechanizing their attack against your defense, and that attack surface isobviously constantly increasing.The challenge, particularly in examples such as the one that Keith is talking about, comes in themid-sized organizations. Theyve got all of the compliance requirements, the complexity, and thefascinating, or interesting, data from the point of view from a market-based adversary. They haveall of that great data, but dont necessarily have the scale and the people to be able to protect that. Page 4
  • 5. Balancing needsIts a question of how you balance the needs of a large enterprise with the resources of a mid-sized organization. I dont know, Keith, whether youve had any experience of that problem.Duemling: I have all too many times experienced that problem that you’re defining right there.We find that technology that helps us to automate our situational awareness is something thatskey for us. We can take the very small staff that we have and make it so that we can respond tothe threats and have the visibility that we need to answer those tough questions with confidence,when we stand in front of the board or senior management. Were able to go home and sleep atnight and not be working 24×7.Los: Keith, let me throw a question at you, if you dont mind. We mentioned automation, andeverybody that I have with this conversation with tends to -- I dont want to say oversimplify --but can have an over-reliance on automation technology.In an organization of your size, you’re right smack in the middle of that, too big not to be atarget, too small to have all the resources youve ever wanted to defend yourself. How do youkeep from being overrun by automation -- too many dashboards, too many red lights blinking atyou, so you can actually make sense of any of this?Duemling: Thats actually one of the reasons we selected ArcSight. We had too many dashboardsfor our very small staff to manage, and we didn’t want Monday to be the dashboard for ProductA, Tuesday for Product B, and things of that nature.So we figured we would aggregate them and create the master dashboard, which we could use tohave a very high-level, high-altitude view, drill down into the specific events, and then startreferring them to subject-matter experts. We wanted to have just those really sensitive eventsbubble up to the surface, so that we could respond to them and they wouldn’t get lost in the mazeof dashboards.Gardner: Keith, before we go any further, for the benefit of our listeners, please tell us a bitabout Lake Health, the size of your organization, the types of services you provide, and even thenature of your organization. Are you non-profit, publicly-traded, that sort of thing?Duemling: Sure. Lake Health is a not-for-profit healthcare system. We’re about 45 minutesoutside of Cleveland, Ohio. We have two freestanding hospitals and approximately 16 satellitesites of different sizes that provide healthcare to the citizens of the county that we’re in and threeadjacent counties.We have three freestanding 24×7 emergency rooms (ERs), which treat all kinds of injuries, fromthe simple broken fingers to severe car accidents, heart-attacks, things of that nature. Page 5
  • 6. We also have partnerships with a number of very large healthcare systems in the region, andorganizations of that size. We send some of our more critically injured patients to thoseproviders, and they will send some of their patients to us for more localized, smaller care closerto their place of residence.We’ve grown from a single, small community hospital to the organization that we have now.Career pathGardner: And how about you? Whats been your trajectory in terms of how long youveworked there and the career path that you followed?Duemling: Ive been with Lake Health for a little under eight years now. I started as a systemsadministrator, managing a set of Windows servers, and evolved to my current position over time.Typically, when I started, an individual was assigned a set of projects to work on, and I wasassigned a series of security projects. I had a security background that I came to the organizationwith. Over time, those projects congealed into the security program that we have now, and if Iam not mistaken, its in its third iteration right now. We seem to be on a three-year run for oursecurity program, before it goes through a major retrofit.Gardner: How did you unify all of these different elements under what you call a program forsecurity? What were some of the steps you needed to take? We heard a little bit about thedashboard issue, but Im trying to get a larger perspective on how you unified culture around thisnotion of information assurance?Duemling: We started within the information and technology department where we had to reallydo an evaluation of what technologies we had in place? What are different individualsresponsible for, and who do they report to? Once we found that there was this sprinkling oftechnology and responsibilities throughout the department, we had to put together a plan to unifythat all into one program that has one set of objectives, is under one central leadership, and hasits clear marching orders.Then once we accomplished that, we started to do the same thing across the entire organization.We improved our relationship within IT, not just with sub-departments within IT, but then wealso started to look outside and said, "We have to improve our relationship with compliance andwe have to improve our relationship with physical security."So we’re unifying our security program under the mantra of risk, and thats bringing all thedifferent departments that are related to risk into the same camp, where we can exchange notesand drive towards a bigger enterprise focused set of objectives. Page 6
  • 7. Gardner: Raf, this sounds a bit like the resiliency concepts that youve been talking about in thepast few months. Is what were hearing from Keith enterprise resiliency or is there a differencethat we should appreciate?Los: No, hes dead-on. At the end of the day, what security is chartered with, along with most ofthe rest of IT, as I said earlier, is empowering the organization to do its work. Lake Health doesnot exist for the sole purpose of security, and clearly they get that.Thats step one on this journey of understanding what the purpose of an IT security organizationis. Along the broader concept of resiliency, one of the things that we look at in terms of securityand its contribution to the business is, can the organization take a hit and continue, get back up tospeed, and continue working?Not if, but whenMost organization technologists by now know it’s not a question of if you’re going to behacked or attacked, but a question of when, and how you’re going to respond to that by allowingthe intelligent use of automation, the aligning towards business goals, and understanding theorganization, and whats critical in the organization.They rely on critical systems, critical patient-care system. That goes straight to the enterpriseresiliency angle. If you get hacked and your network goes down, IT security is going to befighting that hack. At the same time, we need to realize how we separate the bad guys from thepatient and the critical-care system, so that our doctors and nurses and support professionals cango back to saving lives, and making people’s lives better, while we contain the issue anderadicate it from our system.So thats perfectly along those lines, and as you pointed out, Ive been hearing a lot about thatlately. Its more than just about security, and thats a fantastic revelation to wake up to everymorning.Gardner: Keith, before we go and learn more about how you examine all of the things that youneed to do in this program and then perhaps start thinking about whats core, whats context, andhow to best source those, I’d like to hear a little bit about the payoffs.Youve been doing this, as you pointed, out for several years. Are there some lessons that you canpoint to in terms of payback? Clearly, if you are operating well and youve got good data andprivacy, thats a reward in its own. But, are there some other returns on investment (ROI), maybeits a softer return like an innovation benefit or being able to devote more staff to innovation.Maybe you can line-up a few of the paybacks when this goes as it should?Duemling: Id probably put forward two paybacks. One is about some earlier comments I heard.We, as an organization, did suffer a specific event in our history, where we were fighting a threat,while it was expected that our facilities would continue operating. Because of the significant size Page 7
  • 8. of that threat, we had degraded services, but we were able to continue -- patients were able tocontinue coming in, being treated, things of that nature.That happened earlier in our program, but it didn’t happen to the point where we didn’t have aprogram in place. So, as an organization, we were able to wage that war, for lack of a better term,while the business continued to function.Although those were some challenging times for us, and luckily there was no patient datadirectly or indirectly involved with that, it was a good payoff that we were able to continue tofight the battle while the operations of the organization continued. We didnt have to shut downthe facilities and inconvenience the patients or potentially jeopardize patient safety and/or care.A second payoff is, if we fast forward to where we are now, lessons learned, technologies put inplace, and things of that nature. We have a greater ability to answer those questions, when peopleput them to us, whether its a middle manager, senior manager, or the board. What are some ofthe threats were seeing? How are we defending ourselves? What is the volume of the challenge?Were able to answer those questions with actual answers as opposed to, "I dont know," or "Illget back to you."So we can demonstrate more of an ROI through an improvement in situational awareness andsecurity intelligence that we didnt have three, four, or five years earlier in the program’s life.And tools like ArcSight and some of the other technologies that we have, that aggregate that forus, get rid of the noise, and just let us hone in on the crown jewels of the information are reallyhelpful for us to answer those questions.System of recordGardner: How about looking at this through the lens of a system of record perspective, anarchitectural term perhaps, has that single view, that single pane of glass, allowed you to gain thesense that you have a system of record or systems of record. Has that been your goal, or has thatbeen perhaps even an unintended consequence?Duemling: Its actually kind of both. One, it retains information that sometimes you wish youdidnt retain, but thats the fact of what the device and the technology are in the solution and it’smeeting its objective.But it is nice to have that historical system of record, to use your term, where you can see thehistorical events as they unfold and explain to someone, via one dashboard or one image, as asituation evolves.Then, you can use that for forensic analysis, documentation, presentation, or legal to show thechange in the threat landscape related to a specific incident, or from a higher level, a specifictechnology thats providing its statistical information into ArcSight, but you can then do trendingand analysis on. Page 8
  • 9. It is also good to get towards a single unified dashboard where you can see all of the securityevents that are occurring in the environment or outside the environment that you are pulling in,like edit from a disaster recovery (DR) site. You have that single dashboard where if you thinktheres a problem, you can go to that, start drilling down, and answer that question in a relativelyshort period of time.Muller: Ill go back to Keith’s opening comments as well. Lets not undervalue the value ofconfidence -- not having to second guess not just the integrity of your systems and yourapplications, but to second guess the value of information. Its one thing when were talkingabout the integrity of the bank balance of a customer. Lets be clear that thats important, but itcan also be corrected just as easily as it can be modified.When youre talking about confidence in patient data, medical imaging, drug dispensations, andso forth, that’s the sort of information you cant afford to lack confidence in, because you need tomake split-second decisions that will obviously have an impact on somebody’s life.Duemling: I would add to that. Like you were saying, you can undo an incorrect or a fraudulentbank transfer, but you cannot undo something such as the integrity of your blood bank. If yourblood bank has values that randomly change or if you put the wrong type of blood into a patient,you cannot undo those without there being a definitely negative patient outcome.Los: Keith, along those lines, do you have separate critical systems that you have different levelsof classifications for that are defended and held to a different standard of resilience, or do youhave a network wide classification? I am just curious how you figure out what gets the mostattention or what gets the highest concentration of security?Duemling: The old model of security in healthcare environments was to have a very flat type ofarchitecture, from both networking, support, and a security standpoint. As healthcare continues tomodernize for multiple reasons, theres a need to build islands or castles. That’s the term we useinternally, "castles," to describe it. You put additional controls, monitoring, and integrity checksin place around specific areas, where the data is the most valuable and the integrity is the mostcritical, because there are systems in a healthcare environment that are more critical than others.Obviously, as we talked about earlier, the ones that are used for clinical decision making aretechnically more critical than the ones that are used for financial compensation as it results fromtreating patients. So although its important to get paid, its more important that patient safety ismaintained at all times.Limited toolsWe cant necessarily defend all of our vast resources with the limited set of tools that we have.So weve tried to pick the ones that are the most critical to us and thats where weve tried to putall the hardening steps in place from the beginning, and we will continue to expand from there. Page 9
  • 10. Gardner: Keith, lets take this now to that question about managing your resources. Obviously,because you are in that Goldilocks position, as Raf pointed out -- not too big, not too little -- youhave to be choosy. You dont have unlimited resources, but you have a very serious andsignificant responsibility.Have you been starting to look at what is core and what is context, what should be eitheroutsourced or provided through some managed services of some sort and what you would reallylike to retain control over? How does that thought process about that problem pan out?Duemling: Absolutely, we look at every security project with the mindset of how we can do thisthe most effectively and with the least amount of resources that are diverted from the clinicalenvironment to the information security program.That being said, security as a service, cloud-based technology, outsourcing, whatever term youwould like use, is definitely something that we consider on a regular basis, when it comes todifferent types of controls or processes that we have to be responsible for. Or professionalservices in the events of things like forensics, where you don’t do it on a regular basis, so youmay not consider yourself an expert.We tend to do an evaluation of the likelihood of the threat materializing or dependence on thetechnology, what offerings are out there, both as a service and premise-based, what it would takefrom an internal resource standpoint to adequately support and use a technology. Then, we tryand articulate that into a high-level summary of the different options, with cost, pros and consrelated to each.Then, typically our senior management will discuss all of those, and well try and come to thedecision that we think makes best for our organizations, not just for that point, but for the nextthree to five years. So some initiatives have gone premise-based and some have gone security-as-a-service based. We are kind of a mix.Gardner: Paul Muller, as a cloud follower, a close follower, youve seen hybrid services deliveryarise in many different forms. I guess were talking here about hybrid security delivery. How dothey come together in your mind?Muller: Exactly the same way. It is about what Keith described as understanding particularlywhere, for example, there is a high degree of specialization or skill required that is in shortsupply, particularly in your geography.Its particularly true of security professionals that the bigger targets -- the banking institutions,defense, to a certain extent telecoms -- are able to offer a price premium to some of these peopleand it can make it hard to find the best quality stuff, particularly in mid-sized organizations.Therefore, it sometimes makes more sense to procure those staff and the services alongside themfrom outside of the organization. Page 10
  • 11. Core intellectual propertyHaving said that, there are times when there is core intellectual property (IP) of yourorganization, core capabilities, particularly around industry vertical processes, where that level ofexpertise is not widely understood.Its too generic to be of value. Healthcare is a great example, where the compliance requirement,plus the particular or specific patient management systems, would be too specific for a general-purpose service provider to add much value. Its a question of blending that right to thecapabilities.I want to add that its interesting that the security world tends to have a somewhat schizophrenicview of software as a service (SaaS). They will typically be okay with the idea of putting all ofyour sales pipeline and your customer data into a customer relationship management (CRM)system in the cloud, but will often have a negative reaction if you say lets use security SaaS.So often you will find that its actually more palatable for the organization culturally, whenlooked at maybe as a managed service, rather than treating it as a SaaS, knowing, in other words,that theres people behind it as well as software. I dont know. Raf, what are your thoughts?Los: Well, Paul, eloquently put. Theres still that stigma of cloud somehow magically meaningless secure, and I work with that trepidation almost daily, like you do.The one aspect we need to make sure that we emphasize and understand is that there are  peoplebehind all of this. This isn’t just some automated scan, script, or thing. There are people behind alot of this, and the broad sense of why security really matters is the human element of it.So these hybrid types of services make sense, because there are a lot of things and -- going backto that comment about the size of the organization -- you cant do it all yourselves. If you can,you cant do it well, whether youre a massive company or a small one.Knowing that fact, acknowledging that, and being able to consume security services intelligentlycan be the difference between getting lost in "dashboard hell" and having the right information atthe right time to make the right decision, based on partnerships with the correct organizations.I think you summed it up well, but I just felt like I would add a little bit of color to that, becausethats a little bit of what I have been seeing.Gardner: Its interesting that a common thread for successful organizations is knowing yourselfwell. Its also an indicator of maturity, of course. I know that Paul is talking about this, and Rafas well, that those organizations that know themselves well can better plot their futurearchitecturally and across comprehensive services. But it also sounds as if this is reallyimportant, when it comes to deciding what services to retain total control over or retain theresources that deploy them and another set of choices. Page 11
  • 12. Back to you, Keith. It sounds like you have a good level of maturity. You have had a goodopportunity to know yourself and then to track your progress. Is that helping you make thesedecisions about whats core or context in the design of your risk-mitigation activities?What you do wellDuemling: Yes, it is. You have to know what you do well and also you have to know the areaswhere you, as an organization, are not going to be able to invest the time or the resources to getto a specific comfort level that you would feel would be adequate for what you are trying toachieve. Those are some of the things where we look to use security as a service.We dont want to necessarily become experts on spam filtering, so we know that there arecompanies that specialize in that. We will leverage their investment, their technology, and theirIP to help defend us from email-borne threats and things of that nature.Were not going to try and get into the business of having a program or to create an event-correlation engine. Thats why were going to go out and look for the best-of-breed technologiesout there to do it for us.Well pick those different technologies, whether its as a service or premise-based and wellimplement those. That will allow us to invest in the people that know our environment the bestand intimately and who can make decisions based on what those tools and those managedservices tell them.They can be the boots on the ground, for lack of a better term, making the decisions that areeffective at the time, with all the situational awareness that they need to resolve the problem rightthen and there.Gardner: Keith, youve got a little bit of 20/20 hindsight, having done this. For those of ourlisteners who are perhaps at that level, where they are juggling quite a few security products ortechnologies and they would like to move into this notion of a program and would like to have aunified view, any thoughts about getting started, any lessons learned that you could share?Duemling: I would say just a couple of bullet points. Security is more than just technology. Itreally is the people, the process, and the technology. You have to understand the business thatyou are trying to protect. You have to understand that security is there to support the business,not to be the business.Probably most importantly, when you want to evolve your security and set up projects into anactual security program, you have to be able to talk the language of the business to the people Page 12
  • 13. who run the business, so that they understand that it’s a partnership and you are there to supportthem, not to be a drain on their valuable resources.Gardner: Raf, any thoughts to amplify or extend that?Los: I think he has put it brilliantly just now. IT security is a resource and also a potential drainon resources. So the less we can take away from anything else the organization is doing, whileenabling them to basically be better, deliver better, deliver smarter, and save more lives and makepeople healthier, that is ultimately the goal.If theres nothing else that anybody takes away from a conversation like this, IT security is justanother enabler in the business and we should really continue to treat it that way and worktowards that goal.Lessons learnedGardner: All right, last word to you today, Paul Muller. What sort of lessons learned orperhaps perceptions from the example of Lake Health would you amplify or extend?Muller: I will just go back to some of my earlier comments, which is, let’s remember that ouradversary is increasingly focused on the market opportunity of exploiting the data that we haveinside our organizations -- data in all of its forms. Where there is profit, as I said, there will be adrive for automation and best practices. They are also competing to hire the best security peoplein the world.But as a result of that, and mixed in with the fact that we have this ever-increasing attack surface,the vulnerabilities are increasing dramatically. The statistic I saw from just October is that thecost of cyber crime has risen by 40 percent and the attack frequency has doubled in the last 12months. This is very real proof that this market forces are at work.The challenge that we have is educating our executives that compliance is important, but it is thelow bar. It is table stakes, when we think about information and security. And particularly in thecase of mid-sized enterprises, as Raf pointed out, they have all of the attractiveness as a target ofa large enterprise, but not necessarily the resources to be able to effectively detect and defendagainst those sorts of attacks.You need to find the right mix of services, whether we call it hybrid, whether we call it cloud ormanaged services, combined with your own on-premises services to make sure that youre able todefend yourself responsibly.Gardner: Very good. I am afraid well have to leave it there. I want to thank our co-hosts today.We have been joined by Paul Muller, the Chief Software Evangelist at HP. Thank you, Paul.Muller: Great having been here again, Dana. Good to talk to you. Page 13
  • 14. Gardner: And also Raf Los. He is the Chief Security Evangelist at HP. Thank you so much, Raf.Los: Thanks for having me, Dana. And Keith, it has been a pleasure having the conversation.Gardner: And Id like to thank our supporter for this series, HP Software, and remind ouraudience to carry on the dialogue with Paul Muller through the Discover Performance Group onLinkedIn, and also to follow Raf on his popular blog, Following the White Rabbit.You can also gain more insights and information on the best of IT performance management at you can always access this and other episodes in our HP Discover Performance PodcastSeries at and on iTunes under BriefingsDirect.And of course I want to thank our very special guest today, with a very impressive story, KeithDuemling; he is the Information Security Officer there at Lake Health. Thank you so much,Keith.Duemling: Thank you for the opportunity to share the information.Gardner: And lastly, I would like to thank our audience for joining us for this special HPDiscover Performance Podcast discussion. I am Dana Gardner, Principal Analyst at InterarborSolutions, your host for this ongoing series of HP sponsored business success stories.We appreciate your listening, and do come back next time.Listen to the podcast. Find it on iTunes. Sponsor: HPTranscript of a BriefingsDirect podcast on how healthcare provider Lake Health ensures that itsinternal systems continue to serve patient care, while protecting against outside threats.Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.You may also be interested in: • HP Discover Performance Podcast: McKesson Redirects IT to Become a Services Provider That Delivers Fuller Business Solutions • Investing Well in IT With Emphasis on KPIs Separates Business Leaders from Business Laggards, Survey Results Show • Expert Chat with HP on How Better Understanding Security Makes it an Enabler, Rather than Inhibitor, of Cloud Adoption • Expert Chat with HP on How IT Can Enable Cloud While Maintaining Control and Governance • Expert Chat on How HP Ecosystem Provides Holistic Support for VMware Virtualized IT Environments Page 14