Discover Performance

HP Software's community for IT leaders // March 2014

Shift to protecting what matters most

CISOs need to adapt at least as quickly as their adversaries. HP Enterprise Security SVP Art Gilliland talks about protecting your data—and which data’s really worth your security spend.
2014 is shaping up to be a challenging year for enterprise security. Attacks were up in 2013, and defense costs were rising. Criminals are organized and well-trained. Our defenses are less successful. Fortunately, the changes we need to make to improve our defenses are well within reach.

Art Gilliland
In January, Discover Performance spoke to Art Gilliland, senior vice president and general manager for HP Enterprise Security, who shared his thoughts about how a better dialog between security and the business can help organizations identify and protect their most valuable assets. This month, we asked Gilliland about the specific techniques that can give us more defensive mileage, including application security and intelligence sharing. And before we’d finished, he brought us to a surprising conclusion: maybe you don’t need to protect all your data.

Q: Recently, businesses have poured a lot into maintaining a strong perimeter, but that seems to be paying diminishing returns. Is network security still the right place to invest?

Art Gilliland: Network security is still important, but there needs to be a shift away from a system-centric view of security, where we draw up a technical architecture and then say, "I need endpoint security, I need network security, I need web security," and so on. When you do it that way, it’s very difficult to prioritize what you should do first, and you’re likely to only add things to that mix and never take things out.
For network security in particular, it’s not that it’s less relevant, it’s just that what you do in the network and what you’re protecting have changed. For example, with the use of mobile devices, a lot of people are saying the user is the new perimeter. But all of those individual users still connect into some network superstructure. They still connect into services that the company is delivering.
Instead of the traditional firewall approach—let them in or don’t let them in—assume that they’re coming in, but also monitor what’s happening in the network traffic, understand what applications they’re touching, and what information they’re accessing.
Our security needs to evolve toward being identity-centric, and the network is one of those enforcement places, but we need to be focused more on the capability versus the technical architecture of the problem.

Q: Should we be more focused on individual attackers versus more generalized security strategies?

AG: The reality is that there are always going to be new threats, because the adversary is going to evolve. They don’t follow a single method. They may have norms of behavior, but as soon as those norms don’t work, they’ll create, borrow, or buy from someone else the process that does work. So we’re going to have to continue to be smart about it, and study who the bad guy is in aggregate. We need to better understand the adversary ecosystem.

Q: The bad guys benefit from using an ecosystem or marketplace. What can the good guys do as a countermeasure?

AG: As an industry, we’re horrible at sharing information: we don’t help each other. If we don’t learn from each other, we’re going to get crushed, because the adversaries are absolutely learning from and buying knowledge from each other.
When we share information we can take action on it faster. Information-sharing is at the heart of making us more resilient to what’s happening.

Q: Are there any other types of security safeguards that are currently underutilized?

AG: There’s a couple. The first one is application security. Historically, about 84 percent of breaches take advantage of vulnerabilities in an application. For the industry, this has been true for a very long time.
Now, with the explosion in mobile apps, cloud-delivered apps, and even the migration of existing legacy apps to cloud delivery within enterprises, we have a chance at redoing this. We’re rewriting access to back-end applications in mobile apps. We’re rewriting applications so that they are hostable and deliverable from the cloud. In that rewriting, we have a chance of reviewing and eliminating a lot of the vulnerabilities that we built into the original apps.
We blew it the first time, but now we’ve got a second shot: we could be building these new applications more securely, and yet we’re not doing it. In a recent study we performed on mobile applications, 9 out of 10 had security flaws written into them. We’ve got to code the next generation of applications better than the first. The tools are there to do that. We just have to believe it’s important enough, and then behave differently.

Q: And the second?

AG: The second area is to address breaches that take advantage of the user in some way. This includes socially engineered attacks, and attacks where users get compromised because they clicked on something. Helping to protect users from themselves is something we can do with technology.
One of the ways we can do that is through two-factor authentication—not just a password, but something that they have or something that they are, whether it’s fingerprints, hands, or a token. It’s still very painful to do two-factor authentication; there are ways to make it easier.

Q: The cost of enterprise security is rising steadily. How do CISOs think about security budget allocation for 2014 and beyond?

AG: The trick with security is finding and refocusing where we spend our money, so we are protecting only the most important things. Seventy to ninety percent of the data in your company, if somebody stole it, it wouldn’t matter. But there’s five to ten percent of your data, if somebody steals it, you’re in trouble.
If you just spend to protect that instead of protecting everything, you could get by with a lot less budget, or be much more effective at protecting what matters for the same money. You need to have a different conversation with the business person, so you know what data matters and zero in on protecting that.

Q: You’re talking about removing security from nonessential places. Won’t the business be uneasy about having less overall protection?

AG: Yes, that’s the conundrum we have, but that transition has to happen, and we have to help people understand why it’s more secure than what we had in the past. We will have to be able to demonstrate that it’s better, and that the information and assets that matter are more secure.
As a CISO, the reality is, I’m going to ask for $10, and I’m going to get three to five bucks. If half of my programs aren’t going to get done anyway, I’d rather be strategic about it than follow the checkboxes on the policy.

Q: How will enterprise security be different in five years?

AG: Five years from now, our infrastructure is going to be radically different. Look at how quickly things changed over the last five years: we went from no mobile devices to mobile devices everywhere, and the rate of change is increasing. Where and what we need to protect is going to change dramatically. There is now, and will be in the future, an expectation that we will be able to easily access corporate information from everywhere. In this world, we will need to be more targeted and flexible in how we protect our enterprises.
For more on making the right strategic moves in the 2014 security landscape, visit HP Enterprise Security, and take our free HP/IDG IT security assessment.
