This next edition of the HP Discover Performance Podcast Series looks at how IT leaders are improving security and reducing risks as they adapt to new—and often harsh—realities of doing business online.
In Part 2 of our cybersecurity series, we now explore how CSC, itself in a strategic partnership with HP, is improving its cybersecurity posture—drinking their own champagne, as it were.
Earlier, in Part 1 of our series, we examined the tough challenges facing companies and how they need to adjust their technology and security operations. We saw how they were all now facing a "weapons-grade threat," with big commercial incentives for online attacks and also a proliferation of more professional attackers.
We also learned how older IT security methods have proven inadequate to the escalating risks that are also expanding beyond corporate networks to include critical infrastructure, supply chains, and even down to devices and sensors.
So take a deeper dive now into how CSC is going beyond technology and older methods to find a better path to improved cybersecurity.
Please welcome the panel: Dean Weber, the Chief Technology Officer for CSC Global Cybersecurity, and Sam Visner, Vice President and General Manager for CSC Global Cybersecurity. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]
Here are some excerpts:
Gardner: In Part 1 of our series, we examined the tough challenges facing companies and how they need to adjust. What's the most impactful thing that CSC has done in the past several years, in concert with HP, that's proven to be a major contributor to a more secure environment?
Visner: There are three things. The first is the recognition that cybersecurity is an important issue for any organization today, whether they're a Global 1000 company, a Fortune 500 company, or a government agency—everybody has a stake in cybersecurity.
There has to be a recognition that the cybersecurity of the commercial world and the cybersecurity of the public sector are really the same.
The commercial world provides the technology on which governments depend. Governments express the interest that the public has and the cybersecurity of those parts of the private sector that manage energy, transportation, critical manufacturing, aerospace, defense, chemicals, banking, healthcare, and any other thing that we call critical infrastructure.
In our company—where we serve both the public sector and private sector—we recognized early on that it made sense to address commercial and public sector cybersecurity from a common strategy. That's the first thing.
The second thing is that we then built a unified capability, a unified P&L, a unified line of business and delivery capability for cybersecurity that brings together our commercial and our public-sector business. We're end to end. So from consulting and assessments, then education, through managed cybersecurity services and systems integration, all the way through incident response, we make our full portfolio available to all our customer set, not just part of our customer set.
And the third thing is a lot of people think about cybersecurity as tools. What's my firewall? What's my user provisioning? What's my password policy? How am I handling passwords? What should I be doing about endpoint protection?
That's a recipe for disaster, because you're always playing catch up against the problem and you don't even know if the tools work together. You certainly don't have the means to take the information that these tools generate, put them together, analyze them and give yourself the big picture that allows you to be effective in understanding the total threat you face and the total situation that you have internal in your organization.
So the third thing is moving from a tools-based perspective to an architecture-based perspective, one in which before we buy tools or develop tools, or even in which we define offerings, we define the architecture of our offerings.
Weber: As Sam pointed out, the idea here is that we created an integrated capability to combat the current and emerging threats. You do that based on a global ability to detect and defer the threats, remediate as quickly as possible from threats that have manifested themselves, and recover.
Not only are we a services provider of managed security services to enterprise and government, we also consume those services ourselves on the inside. There's no difference. We drink our own champagne, or eat our own dog food, or however you want to put it.
But at the end of the day we have made this very security operations center (SOC)-centric offering, where we have elected to use a common technology framework across the globe. All of our SOCs worldwide use the same security and information event management—SIEM technology, in this case HP ArcSight.
That allows us to deliver the same level of consistency and maturity and, given some of the advanced capabilities of ArcSight, it has allowed us to interconnect them using a concept we call the global logical SOC where, for data protection and data privacy purposes, data has to reside in the region or country of its origin, but we still need to share threat intelligence, both internally generated and externally applied. The ArcSight platform allows us to build on that basis.
Separate and apart from that, any other tools that we want to bring to bear, whether that's antivirus or vulnerability scanning, all the way up the stack to application security lifecycle, with a product like HP Fortify, we can plug all of that into the managed framework regardless of where it's delivered on the globe and we can take advantage of that appropriately and auditably across the entire hemisphere or across the entire planet.
Gardner: It sounds as if an important pillar of those three items you brought up, Sam—the common strategy, unified capability, and architecture—is to know yourself as an organization. Do the HP Fortify and HP ArcSight technologies come to bear on that aspect of better self-awareness?
Visner: We have to be able to bring together data across a very wide range of environments. Although there are some great global threats out there, some of those threats are being crafted to be specific to some of the industries and some of the government’s activities that we try to safeguard.
Therefore, in the case of ArcSight, we needed an environment that would allow us to use a broad range of tools, some of which may have to be selected to be fit for purpose for a specific customer environment and yet to accrue data in a common environment and use that common environment for correlation and analysis.
This is a way in which our self-awareness as a company that does cybersecurity across many sectors of the private sector, as well as a broad range of public sector organizations, told us that we needed an environment that could accrue a wide range of data and allow us to do correlation.
In terms of what we're doing with Fortify and application security testing, one of the things we've learned about ourselves is that we're going to support organizations that have very specific applications requirements. In some cases, these requirements will relate to things like healthcare or banking. In some cases, it will be for transactions. In some cases, it will be specific workflows associated with these industries.
What’s common to this, we have learned, is the need for secure applications. What’s also common is that, globally, the world isn’t doing enough in terms of testing the security of applications. This is something we found we could do that would be of value to a broad range of CSC customers. Again, that's based on our own self-awareness.
Gardner: How important are big-data capabilities for creating a secure organization?
Weber: As we generate more data across our grids, both sensor data and event data, and as we combine our information technology networks with our operational technology networks, we have an exploding data problem. No longer is it finding a needle in a haystack. It’s finding a needle amongst needles in a haystack.
The problem is absolutely a big data problem. Choosing technologies like ArcSight that allow us to pinpoint technology aberrations from a log, alert, or an event perspective, as well as from a historical trending perspective, is absolutely critical to trying to stay ahead of the problem. At the end of the day, it’s all about identity, access, and usage data. That's where we find the indicators of these advanced threats.
As the trade craft of our opponents gets better, as Sam likes to put it, we have to respond, and it’s not easy to respond at that level. One of the reasons that Fortify is going to become one of the cornerstones of our offering is because, as we get better at securing infrastructure using the technologies we've already talked about, the next low-hanging fruit is the application vulnerabilities themselves.
Recently, Android announced that they have a vulnerability in their crypto product. There are 900 million Android products that are affected by that. While Google has released a patch for that particular crypto vulnerability, all the rest of the vendors who use an Android platform are still struggling with how to patch, when to patch, where to patch, how do they know they patched.
Gardner: When you talk about responsibility and tracking, who is doing what and how it’s getting done? We started to talk about key performance indicators (KPIs). How much of a shift have you had to go about there at CSC to put in place the ability to track metrics of success and KPIs? How do you measure and gauge these efforts?
Visner: It’s not enough to know that I have patched my desktop. It’s not enough to know that I have good governance, risk, and compliance (GRC) and enterprise-wide password maintenance and password reset.
I have to know everything about my enterprise today, all the way down to the industrial control systems on the shop floor, the supervisory control and data acquisition systems that coordinate my enterprise, the enterprise databases and applications that I use for global transactions, as well as individual desktops and smartphones.
What we're really talking about is a level of awareness that people are not used to having. They're really not. People don’t worry about what goes on beyond their own computer. Even CIOs haven’t really worried about the cybersecurity of computers that are embedded in manufacturing systems or control systems. Now, I think they have to be.
We have to go beyond the status of an individual device to treat the status of the entire enterprise as important corporate knowledge. That's important corporate knowledge.
Gardner: What have you done there to allow for a KPI-oriented or a results-oriented organizational approach that leverages all this awareness data?
Weber: You've just touched on the value proposition for a global managed security services provider (MSSP) in the fact that we have data sources that span the planet. While CSC, as a 90,000-plus person organization, is considered a large-scale organization—it pales in comparison to the combined total of CSC's customer base.
Being able to combine intelligence and operational knowledge from multiple enterprises spanning multiple countries and geographic regions with differing risk postures and business models, sometimes even with differing technologies employed in those models—that gives us a real opportunity to see what the global threat looks like.
From the distribution of that threat perspective, our ability to, within the laws appropriate across the globe and auditable against those laws, share that threat intelligence without rushing up against or breaking those laws is very important to an organization. This ultimately keys to the development of the value proposition of why do business with the global MSSP in the first place.
Gardner: Have any customers, or have you yourself, been able to demonstrate that taking the opportunity to improve your cyber posture also improves your business posture?
Weber: That's becoming evident. Not everybody gets it yet, but more and more people do. The general proposition is that an organization that doesn't understand, for example, its financial position is not well-managed and isn't a good investment. It probably can't mobilize its resources to support its customers.
It isn't in a position to bring new products to market and probably can't support those products. Or it might find that those product lines are stolen, manufactured at a lower standard by somebody else, and not properly supported, so that the customer suffers, the company suffers, and everybody but the cyber thief suffers.
A financial organization that can't take care of their own financial position can't serve their customers, just as an organization that doesn't understand its cybersecurity posture can't preserve value for shareholders and deliver value for its customers.
Weber: There absolutely is a return on investment (ROI) in security. In fact, there is actually a concept of return on security investment (ROSI), but I would say generally that most people don't really understand what those calculations mean.
Where the rubber hits the road is more along the lines of keeping the CEO and the CFO out of jail when they have to sign off on things like Sarbanes–Oxley. Or the fact that you don't have to make an SEC filing as a result of a financial systems breach that impacts your ability to keep revenues that you may have already attained.
The real return on investment is less measured in savings than it is in—as Sam likes to say—keeping us off the front page of "The Wall Street Journal" above the fold, because the real impact to these things traditionally is not in the court of law, but in the court of public opinion.
They tend to look at organizations that can't manage themselves well and end up in the news at not managing themselves well, less favorably than they do for companies that do manage their operations well.
Visner: What is a pound of cybersecurity worth? I'll put it to you this way. What is a pound of stolen intellectual property worth? That intellectual property means that somebody else is stealing patient data, manufacturing your products, or undermining your power grid.
One way of thinking is that it's not the value of the cybersecurity so much, but the diminished value of the assets that you would lose that you could no longer protect.
That’s as good a place as any to measure that ROI. If you do measure that ROI, the question is not how much are you spending on cybersecurity. The question is what would you lose if you didn’t make that spend. That’s where you see the positive return on investment for cybersecurity, because for any organization, the spend on cybersecurity is almost insignificant compared to the value that would be lost if you didn’t make that spend.
Gardner: Can you offer some recommendations for how others could proceed based on lessons learned from what you've done?
Visner: We recognized early on that this is not a one-company problem.
This is a problem where we are dealing with weapons-grade threats from nations. This is a problem where we are dealing with weapons-grade threats from organized criminals who have vast resources at their disposal. This is a problem of intellect and, therefore, no one organization is going to have sufficient intellect to be able to deal with this problem globally.
As a company, CSC tends to seek out partners to whom we can couple our intellect and get a synergistic result. In this case, the process of making that relationship real when it flows through defining our portfolio, defining the services that comprise the portfolio, managing the development of those services through our offering lifecycle management process, and then choosing companies whose technology provides the needed strength for each one of those offerings, each one of the elements of that portfolio.
In this case, that process serves us well, because we're going to need a wide range of technology. Nobody is in a position to confront this problem on their own—absolutely nobody. Everybody needs partners here. But the question is whom?
We have people show up on our doorstep with ideas and technologies and products every day. But the real issue is, what is a good organizing principle? That organizing principle has two components. One, you need a wide range of capabilities and, two, you need to choose from among the wide range of technologies you need for that wide range of capabilities. You need a process that’s disciplined and well-ordered.
Believe me, we have people show up and ask why it takes so long, why it's such an elaborated process, and can't you see that our product is absolutely the right one.
The answer is that it's like a single hero going out onto the battlefield. They may be a very effective fighter, but they're not going to be able to master the entirety of the battlefield. That can't be done. They're going to need partners. They're going to need mates in the field. They're going to need to be working alongside other people they trust.
So in working with HP and the ArcSight tool as our security information and management player of our global logical SOC, our global logical managed cybersecurity service, and in working with HP Fortify we chose a partner we thought—and we think correctly—is a strong long-term strategic partner.
It's somebody with whom we can work. HP recognizes that we do. They're not going to solve this problem on their own. What one company is going to solve a problem on their own when they are up against the global environment of nation-state and trade actors? We all need these partnerships.
Our company is unique in that we've always looked to our partner relations for key technologies to enable offerings in our portfolio.
We've always believed that you go to market and you serve your customers with strategic partners, because we've always believed that every problem that had to be solved would require not only our abilities as an integrator, but the abilities of our partners to help in the development of some of this technology. That’s what makes the most sense.
Gardner: Based on your experiences as the Chief Technical Officer at CSC, are there any lessons learned that you could share?
Weber: I'll leave you with two thoughts. One is again the value proposition of doing business with a global business MSSP. We do have those processes and processes in our background where we are trying to bring the best price-performance products to market.
There may be higher-priced solutions that are fit for purpose in a very small scale, or there may be some very low-price solutions which are fit for purpose in a very large scale, but don't solve for the top-end problems. The juggling act that we do internally is something that the customer doesn't have to do, whether that’s the CSC internal account or any of our outside paying customers.
The second thing is the rigor with which we apply the evaluation process through an offering lifecycle or product lifecycle management program is really part and parcel of the strength of our ability to bring the correct product to market in the correct timeframe and with the right amount of background to deliver that at a level of maturity that an organization can consume well.