Wednesday, September 11, 2013

BYOD trend brings new security challenges for IT: Allowing greater access while protecting networks

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: Dell Software.

While so-called BYOD isn't necessarily new -- IT departments, after all, have been supporting mobile "road warriors" since the 1980s, the rising tide of end users seeking the use and support of their own consumer devices is something quite different.

It’s so different that IT departments are grasping for any standard or proven approaches that make bring your own device (BYOD) access of enterprise resources both secure and reliable. The task is dauntingly complex, and new and unforeseen consequences of BYOD are cropping up regularly -- from deluged help desk to app performance snafus to new forms of security breaches.

The next BriefingsDirect discussion then works to bring clarity to solving the BYOD support, management, and security dilemma. To do so, we gathered a panel to explore some of the new and more-effective approaches for making BYOD both safe and controlled.

The panel consists of Jonathan Sander, Director of IAM Product Strategy at Dell Software, and Jane Wasson, Senior Product Marketing Manager for Mobile Security at Dell Software. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions. [Disclosure: Dell Software is a sponsor of BriefingsDirect podcasts.]

Here are some excerpts:
Wasson: Industry analysts are now seeing that more than 50 percent of workers are using personal mobile devices in some capacity to access business networks. Increasingly, they're asking to access not just email and calendar, but also enterprise apps and resources.

IT did a great job of supporting mobile workers with laptops and early mobile devices for quite some time, but much of that was with IT-controlled systems.

Ease and speed

What we're seeing now that’s a little bit different is increasingly those mobile workers like the ease of use and the speed at which they can get to their email and their calendar apps with their own mobile devices. They now want IT to extend that so that they can get the same access to enterprise apps and resources on mobile devices that they've enjoyed on their IT controlled laptops over the years.

Wasson
That creates a new challenge for IT. All of a sudden, rather than having a controlled set of devices and a controlled environment, that they can manage, they have a variety of devices that end users have purchased. IT had no control over that choice and what’s already loaded on those devices.

They're trying to figure out, given that environment, how to securely enable access to enterprise apps and resources and give those end users that speed of access that they want and the ease of access that they want, but still maintain security.

They don't want their back-end networks infected with malware. They don't want to have rogue users finding laptops or mobile devices and being able to access enterprise systems. It’s a huge challenge for IT support groups.


Gardner: It seems that there are unintended consequences here. What’s happening now that we have this pull in the BYOD direction?

Sander: There are a lot of consequences, and understanding all of them is still in process. That’s part of the problem. Of all the problems that people are going to have as a result of BYOD are TBD. One of the ones that's most apparent right away is security. The approaches that people have taken in the past to lock down anything that’s related to mobile have all centered on exactly what Jane pointed out. They were in charge of the device in some fashion. They had a foot in that door and they could use some kind of lock down.

Sander
I was sitting with someone at one of the big financial firms in New York City the other day. We asked them about their BYOD strategy and he took a humorous approach to it. He said, "Yes, we have a really well-defined BYOD strategy ... As long as the device is the one we assign to you and uses the software that we approved and control all the policy on, you can bring it." I think that that’s not too uncommon.

A lot of the firms that are very security sensitive have worked it out. On the other end of the scale, I've talked to people who say that BYOD is not something that is they are doing but rather is being inflicted on them. That’s the language they put it in. It relates back to that security problem, because when they're looking at trying to understand how their data is going to be present on these devices and what impact that will have on their risk standpoint, it's almost impossible to quantify.

History of breaches

If you look at the history of breaches, even with the controlled laptops that they had, you had laptops being stolen with tons of data on them. You know what happens the first time you get one of those breaches stemming from someone leaving their cellphone in the backseat of a taxi cab? These are things that are keeping people up at the night.

Add to this that a lot of times the security approaches they have taken have all been leveraging the fact that there is a single vendor that is somehow responsible for a lot of what they do. Now, with the explosion of the variety of devices and the fact that they have no control over what their employee might purchase to bring in, that notion is simply gone. With it went any hope of a standard, at least anytime soon, to help secure and lock down the data on all these different devices.

Gardner: Another aspect of this is the diversity of the variables. There is web access, native apps, a variety of different carriers, different types of networks within those carriers, and all these different plans.

I suppose it’s difficult to have just a standard operating procedure. It seems like there have to be dozens of standard operating procedures. Is that what they're finding in the field, and how does any organization come to grips with such diversity?
How do you insert any control into that scenario at all? It gets very complex, very quickly.

Sander: You're absolutely right. Diversity, first and foremost, is the challenge. There are also a lot of other trends that are bringing more diversity into IT at the same time, and then BYOD just becomes one dimension of diversity.

You mentioned web control. If you're assuming that this is a web application that they're rolling out on their own, that's one thing. If it’s a cloud app, what happens when you have somebody using a cloud app on a BYOD device? How do you insert any control into that scenario at all? It gets very complex, very quickly.

Gardner: Let’s look at some specific types of starting points, putting in the blocking and tackling necessary to start to get a handle on this. Jane, what should companies be doing, in terms of setting up some building blocks, the means to tackle the reliability, security, and diversity?

Wasson: The good news is that being able to support remote workers is not new, because most companies already have policies in place to manage remote workers. What’s new is that, rather than the devices that are accessing the enterprise apps and resources being IT controlled, those devices are no longer IT controlled.

Very often, the policies are there. What they need to do is rethink those policies in light of a mobile worker, a mobile device, environment with so much of the same capability. You have to be able to know which devices are connecting to the network. Are those devices harboring malware that could infect your network? Are those devices locked down, so that authentication is necessary to get into your network?

Forced authorization

You need to find technologies basically that allow you to force authentication on those mobile users before they can access your network. You need to find technologies that can help you interrogate those mobile devices to make sure that they're not going to infect your network with anything nasty. You need to find the technologies that allow you to look at that traffic, as it’s coming onto your network, and make sure that it's not carrying malware or other problems.

What mobile device management needs to do for them is what laptop device management has done for them in the past. The key things to think about there are looking at when you're actually deploying those devices. Maybe you have end users that are purchasing personal units, and maybe you don't know initially. Maybe you don't have the same level of knowledge about that unit or ways to track it.
A mobile device management platform needs to do those functions for the IT support organization across mobile operating systems.

What you can do is introduce technologies onto your network, so that when your users log into the network or authenticate onto the network, the device is queried, so that you are able to do some level of tracking of that device. You're able to potentially provide self-service portals, so that employees have the ability to download enterprise mobile applications onto that device.

You have the ability to very simply load onto those devices agents that can automatically query devices and make sure that they're configured to meet your security requirements.

There are technologies available to do mobile device management and provide that level of oversight, so that you can inventory devices. You can have a level of knowledge and management over configuration and software applications. And you do have the ability to control, at some level, the security settings on those devices. A mobile device management platform needs to do those functions for the IT support organization across mobile operating systems.

Gardner: I should imagine, Jonathan, that an organization that’s had experience with managing laptops and full clients, as well as thin clients and zero clients, would have a leg up on moving into mobile device management. Is that the case?

Sander: To Jane’s point, they should have policies in place that are going to apply here, so that in that sense they have a leg up. They definitely need the technology in place to deliver on it, and that’s on the device layer.

On the application layer, the data layer, the place where all the intellectual property (IP) for an organization sits in most cases, those layers should be -- the word "should" is tricky -- pretty well secured already. The idea is that they have already been on there on laptops, trying to get in from the outside, for a while and there should be some level of lock-down there.

Layered defense

If you have a healthy layered defense in place so that you can get the access to people outside of your walls, then your mobile access people coming in with their own devices, in a lot of cases, are just going to look like a new client on that web application.

The trick comes when you have organizations that want to take it to the next level and supply some sort of experience that is different on the mobile device. That might mean the paranoid version, where I want to make sure that the user on the mobile device has a lot less access, and I want that to be governed by the fact that they are on the mobile device. I need to take that into account. But there is also the very proactive view that you don’t have to be paranoid about it, and you can embrace it.

Gardner: Jane, I have also heard that you need to think about networks in a different way. With some relevance to the past, network containment has been something organizations have done for remote branches. They've used VPNs with the end devices, fat clients, if you will. How does network containment mature for BYOD support?
The good news is that IT departments have a lot of experience with managing networks and managing their network securely.

Wasson: What’s different here is that now you have a mobile device that is the conduit coming into the network. Whereas in the past, folks had been using primarily laptop VPN clients, that paradigm changes a little for the mobile world. Mobile users like the convenience and the ease of being able to use mobile applications.

The challenge for IT departments is how to create a simple user experience for mobile device to access the back-end network and how to make sure that for the mobile user not only is it simple and easy, but they are authenticating to that network for security.

Also because with that mobile user it’s a personal device and they control what mobile service they are using, IT groups need to care a lot about the networks from which the user is accessing the corporate environment.

For example, you want to make sure that you're using an encrypted SSL VPN connection to go back into your corporate data centers. It needs to not only be encrypted as SSL VPN, but you also want to make sure that it's a very easy and simple experience for your mobile user.

What IT groups need to be looking for is that very simple mobile worker experience that allows you to very quickly authenticate onto the network and establish encrypted SSL VPN into the networks, so that you don't have to worry about interception on a wi-fi network or interception on a mobile service network in a public place.

Access control

The need for network access control, so that once you know that users are coming in securely, once you know they are authenticated onto the network, you can easily enable them to access the correct enterprise applications and resources that they should have privileges for.

The challenge there for IT is that you want to make sure that it’s easy for IT to provision. You want a technology that recognizes that you have mobile users coming and allows you to very easily provision those users with the privileges you want them to have on your network and make sure that they are coming in over secure networks. There are lots of implications for networks, there but there are solutions to help address that.

Sander: It goes back to that idea of trying to be either both paranoid or proactive about the whole BYOD sphere. When you're trying to figure out what data you want people to have access to, you're not just going to take into account some rigid set of rules based on who they are.
Context is king in a lot of cases these days, when you are trying to figure out a good approach to security.

Context is king in a lot of cases these days, when you are trying to figure out a good approach to security. What better context to be aware of then one person sitting at a desk behind all of corporate protection accessing a system versus the same person on their tablet in a Starbucks.

These are clearly two different risk categories. If they want to get access to the same data, then you're probably going to do slightly different things to have things happen.

You are going to have lots of different layers of security but they all need to be very well connected to one another. They need to be able to share data, share that context, and in that sharing, be able to create the right circumstance to have a secure access to whatever data is going to make the efficiency for that person be maximized.

Gardner: When you do go mobile first, with your network containment activities, with your connected security around access control, and when you've elevated management to mobile device management, you're probably an organization with better policies and with better means or security in total.

Am I off-base here, or is there a more robust level within an IT organization when they embrace BYOD in mobile and mobile first becomes really a just better way of doing IT?

Sander: I agree that the worst consequence of not doing the mobile first is that you're going to have people end-gaming IT. You're going to have shadow IT spring up in lines of business. You're going to have smart end users simply figuring it out for themselves. Believe me, if you don’t proactively lock it down, there are lots of ways to get it as mobile devices. Those companies that do think mobile first are the ones that are going to innovate their way out of those problems.

They're the ones who are going to have the right mentality at the outset, where they formulate policy with that in mind and where they adopt technology with that in mind. You can see that happening today.

I see companies that have taken advantage of a mobile platform and tried to make sure that it is going to boost productivity. But the very first thing that happens, when they do that, is they get a huge push back from security, from the risk people, and sometimes even from executive-level folks, who are a little more conservative in a lot of cases, and tend to think in terms of the impact first. Because they want to push into that mobility mindset, that pushback forces them to think their way through all the security impacts and get over those hurdles to get what they really want.

The idea is that, if you do it well, doing good security for mobility and BYOD on the first try, getting that good security, becomes an enabler as more waves of it hit you, because you've already got it figured out. When the next line of business shows up and wants to do it seriously, you've got a good pattern there which completely discourages all of that shadow IT and other nonsense, because if you can give them good answers, and they want them.

Be an enabler

They don’t want to figure out ways around you. They want you to be an enabler. I was reading recently how security has to go from being the "department of no" to the "department of how," because a lot of times, that’s really what it boils down to. If you're simply going to say no, they're going to figure out a way around you. If you tell them how to do it in a secure fashion, they'll do that. That’s why they're asking in the first place. They want you to enable them.

Gardner: Do we have any examples or anecdotes of organizations that have taken this plunge, embraced BYOD, perhaps with some mobile first mentality thrown in, and what are the results? What did they get?

Wasson: Educational institutions are probably some of the earlier adopters for using mobile platforms to access their back-end systems, and yet educational institutions also are very often required by law not to make inappropriate sites and things available to students.

We've seen educational institutions deploying mobile device management platforms, and in this case our KACE K3000 Mobile Management platform with our mobile security solutions, such as our Mobile Connect application on devices, and Secure Remote appliances, enabling secure SSL VPN connection. What we're seeing is that the IT organizations have the level of control over those devices that they need.

They can still give the freedom to the end user to choose those devices, yet they have the ability to manage those devices, manage security settings on those devices, authenticate those devices before they connect to the educational institution data centers, and automatically establish encrypted secure SSL VPN.
They can still give the freedom to the end user to choose those devices, yet they have the ability to manage those devices.

They're able to query the traffic to make sure that traffic isn’t coming from or going to inappropriate sites and making sure that there's no malware on the network. And they're able to gain control and security of the mobile students, while still enabling those students to use their personal devices and the tools of their choice.

Sander: The first one that comes to mind is a healthcare system we were working with. They were in a unique position in that they actually had a high percentage of doctor ownership. What I mean by that is that a lot of people who had an executive stake in the healthcare system were themselves doctors.

The doctors clearly wanted to use mobile devices as much as possible. They wanted to enable themselves to work on the run. They were running between hospitals. They were doing lots of different things where it's not a luxury to be on the tablet, but more of a necessity. So they challenged their IT folks to enable that.

Just as with this situation in other places, the first push back was from security. We worked with them, and the results were very similar to what Jane describes from a technology standpoint. Dell was able to supply them with mobile-device management and network controls. They had a really good single sign-on platform as well. So the doctors weren’t constantly logging in again and again and again, even though they switched context and switched devices.

Productivity gain

What they gained from that was a huge amount of productivity from the doctors. In this case, coincidentally, they gained big in the executive team’s eyes for IT, because as I mentioned, a lot of them happened to be doctors. That was a good feedback loop. As they made that constituency very happy, that also fed directly into their executive team.

In this particular case they got a double benefit, not just happy users, but happy executives. I guess it’s one of those, "I'm not just a president, but also user" type of things, where they were able to benefit twice from the same work.

Gardner: Any thoughts Jane on where the security equation might shift in the future?

Wasson: Today much of the malware is targeting PCs and laptops, but now, as smartphones have become more prevalent in the marketplace, increasingly hackers and cyber terrorists are recognizing that that’s a great new platform to go after.

We're seeing an increase development of malware to go after mobile devices as a conduit to get into back-end networks. We should absolutely expect that that’s going to continue. We're seeing a trend towards more targeted attacks. As technologies to protect are developed, it’s going to be very important to find those technologies that specifically protect from targeted attacks.

The thing that’s becoming increasingly important is to make sure that your security technologies aren't just looking at the reputation of who is trying to get into the network and protocols, but is actually looking at the actual traffic packets themselves. It's important to be able to identify those targeted attacks, advanced persistent threats, or malware that’s hidden within your traffic, because in the network at large, the presence of malware is only growing.

For mobile platforms, historically it wasn’t as big a problem. Now that we see more of them out there, they're becoming a more important target. So it’s very important for IT support organizations to get ahead of this.

They need to recognize that where they had previously focused mostly on what’s happening with PC laptop traffic, they really need to focus a lot more on making sure that they have good strategies and good policies in place also to address that mobile traffic.

Gardner: Let’s get a little bit more on the BYOD vision from Dell Software. Let’s hear what you have in mind in terms of how one should go about, as an IT organization, getting a better handle on this.

Sander: Our overall vision for security and we would definitely apply this to the BYOD sphere as well, is approaching it from a connected viewpoint. The word "connected" has a very specific context here.

You often hear talk from Dell and others about converged solutions, where essentially you bring a whole bunch of technologies into one solution, usually a box of some kind, and you deliver it as such.

Moving parts

Security is never going to look like that. Security is always going to have a lot of different moving parts, and that’s because essentially security needs to map itself to the needs of the infrastructure that you've built. That’s going to be dictated by organic growth, mergers and acquisitions, and everything in between.

We think about it as being a connected set of solutions. The focus of that is to make sure that we can deliver on all these different points that are necessary to build up the right context and the right controls, to make security meaningful in a context like BYOD, but not do it in a way that makes too many demands of the infrastructure. The way you get benefit from that is by having these connected pieces attached at the right points. You then get both the protection of going inside-out and outside-in.

Inside-out is the way you normally think about security in a lot of cases, where you build the controls for the things you are in charge of. You make sure that, as they go out into the world, they're heavily secured using all the themes you have at your disposal.
Security is always going to have a lot of different moving parts, and that’s because essentially security needs to map itself to the needs of the infrastructure that you've built.

Outside-in is the traditional bad guys trying to get into your little world scenario. We want to make sure that the connected security solutions that we deliver can do both of these things, not only protect you from any insider threats and all of the things that can crop up from the way you build your technology that you are going to use to propel the business, but also protect you from the threats from the outside as well.

Wasson: The good news is that our vision basically supports IT in helping to enable the mobile worker to get that simple, secure, fast access to enterprise apps and resources. The way that we are doing this is by providing mobile-friendly technologies, IT friendly technologies, that give both the ease of use and simplicity that mobile users need.

For example, our Mobile Connect App acts both as a VPN client and also a policy-enforced network access control app client, so that you have that simple one click access into the corporate data center that is secured by encrypted SSL VPN, with our Secure Remote Access appliances.

You also have the support for IT to reduce complexity, because we make it very easy to create those policies, automatically enforce those policies, and implement network access control and security throughout the network.
Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: Dell Software.

You may also be interested in:

Tuesday, September 10, 2013

Unum Group architect charts a DevOps course to a hybrid cloud future

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: HP.

The next edition of the HP Discover Performance Podcast Series highlights how employee benefits provider Unum Group has been building a DevOps continuum, and is further exploring the benefits of a better process around cloud-assisted applications development and deployment.

To learn more about how they've been using certain tools and approaches to improve their applications delivery, we sat down with Tim Durgan, an Enterprise Application Architect at Unum Group, and Petri Maanonen, Senior Product Marketing Manager for Application Performance Management at HP Software.

The discussion, which took place at the recent HP Discover 2013 Conference in Las Vegas, is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Here are some excerpts:
Gardner: Let's talk a little bit about what's important for your company. You're a large insurer. You're in the Fortune 500. You're one of the largest employee benefits providers in the U.S. and you have a big presence in the UK as well. What are some of the imperatives that have driven you to try to improve upon your applications delivery?

Durgan: Even though, as you said, we're one of the largest employee benefits providers in the United States, we began to realize that there were smaller companies starting to chip away in segments of the market.

Durgan
It became imperative to deliver products more rapidly to the market, because delivery was a multi-year effort, which was unacceptable. If it took that long from concept to delivery, there would be a completely new market dynamic at play.

We started to look at application architectures like service-oriented architecture (SOA) to deliver agility, process automation, and rules automation -- all very mainstream approaches. We discovered pretty quickly that to use those approaches effectively you needed to have a level of governance.

Governance initiative

We had an SOA governance initiative that I led and we brought in technology from HP to aid us with that. It was the Business Service Management (BSM) suite of tools, the Systinet Repository, and some partner products from HP.

What we discovered very quickly is that in enterprise architecture, where I am from in the company, bringing in an operational tool like monitoring was not hailed as, "Thanks for helping us." There was this organizational push back. It became very clear to me early on that we were operating in silos. Delivery was doing their efforts, and we would throw it over the wall to QA. QA would do their job, and then we would ultimately move it out to a production environment and operational aspects would take over.

It really dawned on me early on that we had to try to challenge the status quo around the organization. That's what started to get me focused on this DevOps idea, and HP has a number of products that are really allowing that philosophy to become a reality.

I have a couple of principles that I use when I talk about DevOps, and I try to use titles for these principles that are a little disruptive, so people pay attention.
For instance, I'll say "eliminate the monkeys," which essentially means you need to try to automate as much as possible. In many companies, their development process is filled with committees of people making decisions on criteria that are objective. Machines are very good at objective criteria. Let's save the humans for subjective things.
We want to put a product out quickly, but if it's going to fail, we would love to know it's going to fail very quickly, not make millions of dollars in investments.

That's what I talk about when we say eliminate the monkeys, get people out of the middle. It's really interesting, because as an architect, I recognize the automation of business process. But somehow I missed the fact that we need to automate the IT process, which in a lot of ways, is what DevOps is about.

Another principle is "fail fast." If you're going to deliver software fast, you need to be able to fail fast. As an example that I presented here at the conference last year -- which I knew most of the HP people loved -- was Palm. I'm sure they wished they had failed faster, because that was a pretty painful lesson, and a lot of companies struggle with that.

Unum does. We want to put a product out quickly, but if it's going to fail, we would love to know it's going to fail very quickly, not make millions of dollars in investments.

Another one is visibility throughout. I will say monitoring is a team sport. In a lot of companies, there are 50 or 60 monitoring tools. Each team has a monitoring tool. You have to have a secret decoder ring to use each monitoring tool.

While diversity is normally a great thing, it isn't when it comes to monitoring. You can't have the ops guy looking at data that's different from what the developer is looking at. That means you're completely hopeless when it comes to resolving issues.

Working collaboratively

My last one is "Kumbaya." A lot of IT organizations act competitively. Somehow infrastructure believes they can be successful without development and without QA and vice versa. Business sees only IT. We are a complete team and we have to work collaboratively to achieve things.

So those are really the ways I think about DevOps at the company.

Gardner: Petri, when you hear words like "process automation for IT" and a common view of the data across IT groups, it must be music to your ears?

Maanonen: Oh, sure. And the team has been very accurately capturing the essence of how DevOps needs to be supported as a function and of course shared among different kinds of teams in silos.

Maanonen
If you look at HP, we've been supporting these various teams for 15 years, whether it has been testing a performance of an application or monitoring from the end-user perspective and so forth. So we've been observing from our customers -- and Unum is a brilliant example of that -- them growing and developing their kind of internal collaboration to support these DevOps processes. Obviously the technology is a good supporting factor in that.

Tim was mentioning the continuous delivery type of demands from the business. We have been trying to step up, not only by developing the technology, but actually bringing very quickly supportive software-as-a-service (SaaS) types of offerings, Agile Manager and Performance Anywhere for example. Then, customers can quickly adopt the supporting technology and get this collaboration and a DevOps cycle, the continuous improvement cycle, going.

Gardner: When you said Kumbaya, obviously this is about getting people to see the vision, buy into the vision, and then act on the vision. So tell me a little bit more, Tim, about the politics of DevOps.
We are a complete team and we have to work collaboratively to achieve things.

Durgan: I think the problem that a lot of companies have, and Unum as well, is that unfortunately we all have individual expectations and performance. We all have a performance review at the end of the year and we have things that we need to do. So it is, as you mentioned, getting everybody to buy into that holistic vision, and having these groups all sign up for the DevOps vision.

We've had good success in the conversation so far at Unum. I know we've talked to our Chief Technology Officer, and he's very supportive of this. But because we're still on the journey, we want data, metrics, and some evidence to support the philosophy. I think we're making some progress in the political space, but it's still a challenge.

I'm part of the HP BSM CAB (Customer Advisory Board), and in that group is, they talk about these other different small monitoring products trying to chip away at HP's market. The product managers, will ask, "Why is that? And I say that part of the problem is BSM is pitching enterprise monitoring.

The assumption is that a lot of organizations sign on to the enterprise monitoring vision. A lot of them don't, because the infrastructure team cares about the server, the application team cares about the app, and the networking team cares about the network. In a lot of ways, that's the same challenge you have in DevOps.

Requests for visibility

But I hear a lot of requests from the infrastructure and application teams for that visibility into each other's jobs, into their spaces, and that's what DevOps is pitching. DevOps is saying, "We want to give you visibility, engineer, so that you can understand what this application needs, and we want to give you visibility, developer, into what's happening in the server environment so you can partner better there."

There is a good grassroots movement on this in a lot of ways, more than a top-down. If you talk about politics, I think in a lot of cases it has to be this “Occupy IT” movement.

Gardner: What are some of the paybacks that are tangible and identifiable when DevOps is done properly, when that data is shared and there is a common view, and the automation processes gets underway?

Maanonen: What we hear from our customers, and obviously Unum is no exception to that, is that they're able to measure the return on investment (ROI) from the number of downtime hours or increased productivity or revenue, just avoiding the old application hiccups that might have been happening without this collaborative approach.

Also, there's the reduction of the mean time to resolve the issues, which they see in production and, with more supportive data than before, provide the fix through their development and testing cycles. That's happening much faster than in the past.
There is a good grassroots movement on this in a lot of ways, more than a top-down.

Where it might have been taking days or weeks to get some bugs in the application fixed, this might be happening in hours now because of this collaborative process.

Gardner: Does DevOps put you in a better position vis-à-vis what we all seem to see coming down the pike, with the whole mobile-first mentality, and then more cloud options?

Durgan: It is, if you think about movement to the cloud, which Unum is very much looking at now. We're evaluating a cloud-first strategy. My accountability is writing this strategy.

And you start to think about, "I'm going to take this application and run it on a data center I don’t own anymore. So the need for visibility, transparency, and collaboration is even greater."

It’s a philosophy that enables all of the new emerging needs, whether it’s mobile, cloud, APIs, edge of the enterprise, all those types of phenomena. One of the other major things  we didn’t touch on it earlier that I would contend is a hurdle for organizations is, if you think about DevOps and that visibility, data is great, but if you don’t have any idea of expectations, it’s just data.

What about service-level management (SLM) and ITIL process, processes that predated ITIL, just this idea of what are the expectations, performance, availability, what have you for any aspect of the IT infrastructure or applications? If you don’t have a mature process there, it’s really hard for you to make any tangible progress in a DevOps space, an ALM space, or any of those things. That’s an organizational obstacle as well.

Make it real

One of the things we're doing at Unum is we're trying to establish SLAs beginning in dev, and that’s where we take fail fast to make it real. When I come to the conference and presented it, I had a lot of people look surprised. So I think it's radical.

If I can’t meet that SLA in dev, there's no way I am going to magically meet it in production without some kind of change. And so that’s a great enhancement. At first people say, that’s an awful lot of burden, but I try to say, "Look, I'm giving you, developer, an opportunity to fail and resolve your problem Monday through Friday, versus it goes to production, you fail, and you're here on the weekends, working around the clock."

That, to me is just one of those very simple things that is at the heart of a DevOps philosophy, a fail fast philosophy, and a big part of that development cycle. A lot of the DevOps tooling space right now is focused on some ALM on the front end, HP Agile Manager, and deployment.

Well, those are great, but as an application architect, I care about design and development. I think HP is well-positioned to do some great things with BSM, which has all that SLA data, and integrate that with things like the Repository, which has great lifecycle management. You start having these enforcement points and you say, "This code isn't moving unless it meets an SLA." That decision is made by the tool, objective criteria, decided by the system. There's no need to have a human involved. It's a great opportunity for HP to really do some cutting-edge and market-leading stuff.
Cloud and mobile are coming into play and are increasing the velocity of the applications and services being provisioned out to the end users.

Maanonen: We see that the cloud and mobile, as you mentioned, Dana, are coming into play and are increasing the velocity of the applications and services being provisioned out to the end users. We see that this bigger and larger focus, looking from the end user perspective of receiving the service, whether it’s a mobile or a cloud service, is something that we've been doing through our technology as a unifying factor.

It's very important when you want to break the silos. If the teams are adopting this end-user perspective, focusing on the end user experience improvement in each step of the development, testing, and monitoring, this is actually giving a common language for the teams and enhancing the chances of improved collaboration in the organization.

Gardner: HP may be unique in that it has a very strong presence in the applications test, dev, deployment, fostering Agile, and fostering DevOps. But only an architect might see that. How essential to the future of HP is it to make architects like Tim happy?

Maanonen: Tim has been pointing out that they're coming from a traditional IT environment and they're moving to the cloud now very fast. So you can see the breadth of the HP portfolio. Whatever technology area you're looking at, we should be pretty well-equipped to support companies and customers like Unum and others in different phases of their journey and the maturity curve when they move into cloud, mobile, and so forth. We're very keen to leverage and share those experiences we have here over the years with different customers.

But the portfolio breadth is one of the strengths for HP, and we're trying to stay competitive in each area. So I am happy that you have been observing that in the conference.
The portfolio breadth is one of the strengths for HP, and we're trying to stay competitive in each area.

Gardner: Tim, what would you like to see differently -- not necessarily just from a product perspective, but in terms of helping you cross the chasm from a siloed development organization and a siloed data center and production organization? What do you need to be able to improve on this DevOps challenge?

Durgan: The biggest thing HP can do for us is to continue to invest in those integrations of that portfolio, because you're right, they absolutely have great breadth of the offerings.

But I think the challenge for HP, with a company the size they are, is that they can have their own silos. You can talk to the Systinet team and talk to the BSM team and say, "Am I talking to the same company still?" So I think making that integration turnkey, like the integrations we're trying to achieve, is using their SOA Repository, their Systinet product as the heart of an SOA governance project.

We're integrating with Quality Center to have defects visible in the repository, so we can make an automated decision that this code moves because it has a reasonable number of defects. Zero is what we'd like to say, but let's be honest here, sometimes you have to let one go, if it’s minor. Very minor for any Unum people reading this.

Then, we are integrating with BSM, because we want that SLA data and that SLM data, and we are integrating with some of their partner products.

There’s great opportunity there. If that integration can be a smoother thing, an easier thing, a turnkey type operation, that makes the portfolio, that breadth something that you can actually use to get significant traction in the DevOps space.
Listen to the podcast. Find it on iTunesRead a full transcript or download a copy. Sponsor: HP.

You may also be interested in:

Thursday, September 5, 2013

Deeper intelligence shared widely via HP Vertica harvests analytics gems for Guess's retail strategy

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: HP.

The next edition of the HP Discover Performance Podcast Series highlights how retailer Guess, Inc. has used HP Vertica to both speed up and better distribute its big-data analytics capabilities.

We'll see how Guess can increasingly predict how to satisfy its shopping customers, and we'll specifically look at how Guess's IT organization came to grips with adopting and implementing a big-data platform to bring more of a democratization of data and better access to its employees.

To learn more about how Guess has slashed the latency between data gathering and actionable insights, join Bruce Yen, Director of Business Intelligence at Guess, Inc. The discussion, which took place at the recent HP Discover 2013 Conference in Las Vegas, is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Here are some excerpts:
Gardner: Tell me why just plain, old relational databases and legacy IT weren’t doing the job for you.

Yen: About three years ago we began searching for a new database platform. We were hitting a lot of performance bottlenecks on our data loads and performance. We also saw the competitive landscape out there with lot of our competitors embracing alternative solutions to their traditional database platforms.

Gardner: What sort of requirements did you have to get to where you wanted to be?

Yen: The first thing was performance. We needed to improve the query performance. A lot of our users were asking us to do a lot of queries with very low-level detail inventory, and it was very costly from a performance standpoint to be able to serve those queries up. Some queries wouldn't even come back.

Secondly, from a performance standpoint, we wanted to make sure that a lot of our East Coast stores would be able to receive the reports early in the morning, and we were having problems just serving those up on a daily basis on time.

New solution

The last part was to support any kind of innovative analytics, any kind of cutting-edge analytics. We knew that that platform really wasn't going to help us do any of that. So we needed to find a new solution.

Gardner: We know one of your popular and well-known products is your jeans, Guess Jeans, but there is more to it than that. Tell us a bit about the organization.

Yen
Yen: Guess has been around for more than 30 years now and we've grown from primarily a U.S. retailer into more of an international retailer.

If you look at the '80s, lot of people from the States remember us for the triangle on the jeans. We were primarily a wholesaler in the beginning. Now, we have over 1,600 stores worldwide, and about half of those are run by licensees. We sell a wide variety of lifestyle products, targeting primarily younger women in their late teens to early 30s.

Gardner: So it's critical to understand that market, and this is a dynamic market. People's tastes change and tastes are also, of course, different from area to area around the world.

What have you gotten as a result of using Vertica? Can you give me some of the key performance indicators that now demonstrate what you can do when you've got the right platform and the right data.

Yen: I like to look at it this way. First of all, it's foundational, the foundations for just baseline performance. Have we met those goals? With Vertica we have. We've been able to meet all of our service-level agreements (SLAs) and serve up the reports on time. Not only that, but now we're able to serve up the queries that we weren't able to do at all.
We've been able to meet our daily needs, but we've been able to set ourselves up to be competitive in this area.

When you move aside from the foundational, the next steps are analytics, being able to apply analytics and go through our data to figure out how we can apply best practices to see how we can gain a competitive advantage. We've been able to take our transactional data and look at ways of taking the stored data and applying that into our e-commerce site to get better product recommendations for our e-com customers. That’s something that we couldn't have done with our existing system.

We have our customer relationship management (CRM) system. We have our loyalty segmentation for which we use Vertica to do all of the analytics and we feed that data back into our CRM system. With the data volume that we have, we could not have done that with our old system.

So it's opened up new doors, but not only from a foundational standpoint. We've been able to meet our daily needs, but we've been able to set ourselves up to be competitive in this area.

Gardner: And has being able to gain the speed and handle the complexity prompted you to then seek out additional data to put into your analytics, so in a sense of not feeling limited as to where you can go and what information you could bring to bear?

Different data

Yen: Definitely. We've been looking at different things lately. We've been looking at different types of data -- loyalty data and customer data -- that we get from our customers.

In being able to give our users a holistic 360-degree view of what's happening from that customer standpoint, Vertica has been very critical in keep pace and enabling us to do that.

Gardner: Of course, it's important to get more data, manage it, and perform what you need to do with it. It's also important to deliver it in a way that people can use and to get to what we mentioned earlier about that democratization. Tell me how you've been able to deliver this out to more people and in an interface and device fashion that they really want.

Yen: That’s a great point. Everyone talks about big data these days, but big data, if you can't serve it up to people, if they can't use it, and if there's not a pervasive use of the data, is really useless.

We're pretty innovative in what we do from a mobile standpoint. For the last two years we've had an iPad app that's powered by the Vertica back end. We have this iPad app that over a 100 merchants in North America and Europe use.
The exciting thing is being able to see our users look at the data and make the decisions.

It's been able to take a lot of the data, a lot of the stores’ data, a lot of the selling information. It's allowed them to travel to the stores, be in meetings, or at home on the weekends, and they can look at the best-seller information. They can look at the sales and do it in a way that is actually fun.

It's not just a bunch of dashboards or reports that you open up and look at, but we've made it very interactive and we’ve created workflows in there. So that really draws the user into wanting to use that information and wanting to ask different questions.

Gardner: And for this combination of the power of the platform, the quality of the data, and this distribution capability, can you give us some metrics of business success? Where this has helped you? Do you have any concrete things you can point at and say it's really working and here is how?

Yen: We’ve looked at that in different ways. One of the initial points that we're analyzing in terms of return on investment (ROI), the easiest one is the amount of paper that’s being saved. You can count up the reams, how much they cost, and multiply that, and there is some significant saving there.

But that doesn’t really excite anyone. It's great that we've been able to save paper, but the argument is, well, you also had to buy new equipment. These iPads aren’t free and the mobile device management software and everything else that's associated to it is a new ecosystem. So there is a lot of new cost there.

The exciting thing is being able to see our users look at the data and make the decisions. Before, they would have to stop at a meeting and go back to their desks. That decision that takes an instant now used to drag on for two or three days, maybe even a week, and I've seen that in action.

It's done a good job

I can't give you an actual dollar figure, but I've seen them make decisions to change the allocation of certain items as they are looking at that information. As I was training some of our executives or power users, I would see them pick up the phone and actually make decisions to impact the business. So I know that it definitely has done a good job there.

The exciting thing is it's kind of democratized this information and this data and demystified it to a point where everyone can access it and everyone wants to access it. I’ve never seen users get so excited about a platform or an app. We've got emails saying, "Can I please have this app. I saw one of my coworkers using it. Could I please?" Before, we were never asked that way.

It was always, "Can I get a copy of that report. No big deal if I get it now or later." But here, people really, really want to use it, and we could tell that we hit something.
The one thing that I'm proud of is that our team was able to conquer all of these hurdles, and also we had a great partner in Vertica.

Initially, we had to deal with just our internal IT folks being very skeptical. A lot of the claims, "30 to 300 to 400 times faster in performance," "you’re only going to need a quarter of a DBA," were the first two items where a lot of us were a little skeptical -- myself included -- but the performance has really proved itself.

Aside from that, we have to look at it more realistically. How do we implement a system like this? A lot of it has to do with changing the data loads, and that, in and of itself, takes a lot of time. That's one of the things that's always going to take a lot longer than we thought, and it would be a lot more challenging than we had initially anticipated.

The one thing that I'm proud of is that our team was able to conquer all of these hurdles, and also we had a great partner in Vertica. They were there with us in the trenches, even though we were the first retailer and we had a different use case than all of the other previous clients and customers that they had.

We took a chance with them, they took a chance with us, and it worked out. We were able to prove that their software works on a multitude of different use cases. As a retailer, we have a lot of updates with our data. This was three years ago. Their clients then, lot of the telcos and banks were just loading data, not really doing a lot of updates with it. They were doing a lot of queries with it and it was coming back fast, but not really transforming the data all that much. So we had a lot more use cases like that and they were able to come through for us.

Gardner: What about the future? Do you have a sense of taking this powerful capability and pointing it in new directions, perhaps into supply chain, the ecosystem of partners, perhaps even into internal operations? What's the next step?

Exciting times

Yen: It's actually exciting times, because Vertica has proved itself so well. It's also very cost-effective. One of the projects that we're working on right now is that we have a relational database for our MRP system. It's more of an ODS reporting system. We’re actively converting the ODS system, which is actually a replicated database of the relational database, into a Vertica database. We're able to kind of replicate, mimic the native database replication scheme on the relational side, and use Vertica for it.

It's a use case that we were a little skeptical about in the beginning. Could this be done in Vertica? We thought, the payoff would be great if we could do this on Vertica, the speed for performance, the storage footprint, would be amazing. So far, it's turned out very well for us. We’re still in the middle of it, but all things point to success there.
Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: HP.

You may also be interested in:

Wednesday, September 4, 2013

Panel explains how CSC creates a tough cybersecurity posture against global threats

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: HP.

This next edition of the HP Discover Performance Podcast Series targets on how IT leaders are improving security and reducing risks as they adapt to new -- and often harsh -- realities of doing business online.

In Part 2 of our cybersecurity series, we now explore how CSC itself, in a strategic partnership with HP, is improving its cybersecurity posture -- drinking their own champagne, as it were.

Earlier, in Part 1 of our series, we examined the tough challenges facing companies and how they need to adjust their technology and security operations. We saw how they were all now facing a "weapons-grade threat," with big commercial incentives for online attacks and also a proliferation of more professional attackers.

We also learned how older IT security methods have proven inadequate to the escalating risks that are also expanding beyond corporate networks to include critical infrastructure, supply chains, and even down to devices and sensors.
So take a deeper dive here now into how CSC itself is going beyond just technology and older methods to understand a better path to improve cybersecurity.

Please welcome the panel: Dean Weber, the Chief Technology Officer for CSC Global Cybersecurity, and Sam Visner, Vice President and General Manager for CSC Global Cybersecurity. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]
 Here are some excerpts:
Gardner: In Part 1 of our series, we examined the tough challenges facing companies and how they need to adjust. What's the most impactful thing that CSC has itself done in the past several years, in concert with HP, that's proven to be a major contributor to a more secure environment?

Visner: There are three things. The first is the recognition that cybersecurity is an important issue for any organization today, whether they're a Global 1000 company, a Fortune 500 company, or a government agency -- everybody has a stake in cybersecurity.

There has to be a recognition that the cybersecurity of the commercial world, and the cybersecurity of the public sector, are really the same.

Visner
The commercial world provides the technology on which governments depend. Governments express the interest that the public has and the cybersecurity of those parts of the private sector that manage energy, transportation, critical manufacturing, aerospace, defense, chemicals, banking, healthcare, and any other thing that we call critical infrastructure.

In our company -- where we serve both the public sector and private sector -- we recognized early on that it made sense to address commercial and public sector cybersecurity from a common strategy. That's the first thing.

The second thing is that we then built a unified capability, a unified P&L, a unified line of business and delivery capability for cybersecurity that brings together our commercial and our public-sector business. We're end to end. So from consulting and assessments, then education, through managed cybersecurity services and systems integration, all the way through incident response, we make our full portfolio available to all our customer set, not just part of our customer set.

And the third thing is a lot of people think about cybersecurity as tools. What's my firewall? What's my user provisioning? What's my password policy? How am I handling passwords? What should I be doing about endpoint protection?
That's a recipe for disaster, because you're always playing catch up against the problem and you don't even know if the tools work together.

That's a recipe for disaster, because you're always playing catch up against the problem and you don't even know if the tools work together. You certainly don't have the means to take the information that these tools generate, put them together, analyze them and give yourself the big picture that allows you to be effective in understanding the total threat you face and the total situation that you have internal in your organization.

So the third thing is moving from a tools-based perspective to an architecture-based perspective, one in which before we buy tools or develop tools, or even in which we define offerings, we define the architecture of our offerings.

Architectural level

Weber: As Sam pointed out, the idea here is that we created an integrated capability to combat the current and emerging threats. You do that based on a global ability to detect and defer the threats, remediate as quickly as possible from threats that have manifested themselves, and recover.

Weber
Not only are we a services provider of managed security services to enterprise and government, we also consume those services ourselves on the inside. There's no difference. We drink our own champagne, or eat our own dog food, or however you want to put it.

But at the end of the day we have made this very security operations center (SOC)-centric offering, where we have elected to use a common technology framework across the globe. All of our SOCs worldwide use the same security and information event management -- SIEM technology, in this case HP ArcSight.

That allows us to deliver the same level of consistency and maturity, and given some of the advanced capabilities of ArcSight, it has allowed us to interconnect them using a concept we call the global logical SOC, where for data protection and data privacy purposes, data has to reside in the region or country of its origin, but we still need to share threat intelligence, both internally generated and externally applied. The ArcSight platform allows us to build on that basis.

Separate and apart from that, any other tools that we want to bring to bear, whether that's antivirus or vulnerability scanning, all the way up the stack to application security lifecycle, with a product like HP Fortify, we can plug all of that into the managed framework regardless of where it's delivered on the globe and we can take advantage of that appropriately and auditably across the entire hemisphere or across the entire planet.
The idea here is that we need an integrated capability to combat the current and emerging threats.

Gardner: It sounds as if an important pillar of those three items you brought up, Sam -- the common strategy, unified capability, and architecture -- is to know yourself as an organization. Do the HP Fortify and HP ArcSight technologies come to bear on that aspect of better self-awareness?

Visner: We have to be able to bring together data across a very wide range of environments. Although there are some great global threats out there, some of those threats are being crafted to be specific to some of the industries and some of the government’s activities that we try to safeguard.

Therefore, in the case of ArcSight, we needed an environment that would allow us to use a broad range of tools, some of which may have to be selected to be fit for purpose for a specific customer environment and yet to accrue data in a common environment and use that common environment for correlation and analysis.

This is a way in which our self-awareness as a company that does cybersecurity across many sectors of the private sector, as well as a broad range of public sector organizations, told us that we needed an environment that could accrue a wide range of data and allow us to do correlation.

In terms of what we're doing with Fortify and application security testing, one of the things we've learned about ourselves is that we're going to support organizations that have very specific applications requirements. In some cases, these requirements will relate to things like healthcare or banking. In some cases, it will be for transactions. In some cases, it will be specific workflows associated with these industries.
We are trying to raise the bar globally to one, high, common level of application security testing.

What’s common to this, we have learned, is the need for secure applications. What’s also common is that globally the world isn’t doing enough in terms of testing the security of applications. This is something we found we could do that would be of value to a broad range of CSC customers. Again, that's based on our own self-awareness.

Gardner: How important are big-data capabilities for creating a secure organization?

Weber: As we generate more data across our grids, both sensor data and event data, and as we combine our information technology networks with our operational technology networks, we have an exploding data problem. No longer is it finding a needle in a haystack. It’s finding a needle amongst needles in a haystack.

Big-data problem

The problem is absolutely a big-data problem. Choosing technologies like ArcSight that allow us to pinpoint technology aberrations from a log, alert, or an event perspective, as well as from a historical trending perspective, is absolutely critical to trying to stay ahead of the problem. At the end of the day, it’s all about identity, access, and usage data. That's where we find the indicators of these advanced threats.

As the trade craft of our opponents gets better, as Sam likes to put it, we have to respond, and it’s not easy to respond at that level. One of the reasons that Fortify is going to become one of the cornerstones of our offering is because as we get better at securing infrastructure using the technologies we've already talked about, the next low-hanging fruit is the application vulnerabilities themselves.

Recently, Android announced that they have a vulnerability in their crypto product. There are 900 million Android products that are affected by that. While Google has released a patch for that particular crypto vulnerability, all the rest of the vendors who use an Android platform are still struggling with how to patch, when to patch, where to patch, how do they know they patched.

Gardner: When you talk about responsibility and tracking, who is doing what and how it’s getting done? We started to talk about key performance indicators (KPIs). How much of a shift have you had to go about there at CSC to put in place the ability to track metrics of success and KPIs? How do you measure and gauge these efforts?

Visner: It’s not enough to know that I have patched my desktop. It’s not enough to know that I have good governance, risk, and compliance (GRC) and enterprise-wide password maintenance and password reset.

I have to know everything about my enterprise today, all the way down to the industrial control systems on the shop floor, the supervisory control and data acquisition systems that coordinate my enterprise, the enterprise databases and applications that I use for global transactions, as well as individual desktops and smartphones.

What we're really talking about is a level of awareness that people are not used to having. They're really not. People don’t worry about what goes on beyond their own computer. Even CIOs haven’t really worried about the cybersecurity of computers that are embedded in manufacturing systems or control systems. Now, I think they have to be.

We have to go beyond the status of an individual device to treat the status of the entire enterprise as important corporate knowledge. That's important corporate knowledge.

Holistic global view

Gardner: What have you done there to allow for a KPI-oriented or a results-oriented organizational approach that leverages all this awareness data?
We have to treat the state of cybersecurity in an organization with the same seriousness, and consider it to be the same level of resource and asset, as the global cash flow of a global organization.

Weber: You've just touched on the value proposition for a global managed security services provider (MSSP) in the fact that we have data sources that span the planet. While CSC, as a 90,000-plus person organization, is considered a large-scale organization -- it pales in comparison to the combined total of CSC's customer base.

Being able to combine intelligence and operational knowledge from multiple enterprises spanning multiple countries and geographic regions with differing risk postures and business models, sometimes even with differing technologies employed in those models -- that gives us a real opportunity to see what the global threat looks like.

From the distribution of that threat perspective our ability to, within the laws appropriate across the globe and auditable against those laws, share that threat intelligence without rushing up against or breaking those laws is very important to an organization. This ultimately keys to the development of the value proposition of why do business with the global MSSP in the first place.

Gardner: Have any customers, or have you yourself, been able to demonstrate that taking the opportunity to improve your cyber posture also improves your business posture?

Not well managed

Weber: That's becoming evident. Not everybody gets it yet, but more and more people do. The general proposition is that an organization that doesn't understand, for example, its financial position is not well-managed and isn't a good investment. It probably can't mobilize its resources to support its customers.

It isn't in a position to bring new products to market and probably can't support those products. Or it might find that those product lines are stolen, manufactured at a lower standard by somebody else, and not properly supported, so that the customer suffers, the company suffers, and everybody but the cyber thief suffers.

A financial organization that can't take care of their own financial position can't serve their customers, just as an organization that doesn't understand its cybersecurity posture can't preserve value for shareholders and deliver value for its customers.
Where the rubber hits the road is more along the lines of keeping the CEO and the CFO out of jail when they have to sign off on things like Sarbanes–Oxley.

Weber: There absolutely is a return on investment (ROI) in security. In fact, there is actually a concept of return on security investment (ROSI), but I would say generally that most people don't really understand what those calculations mean.

Where the rubber hits the road is more along the lines of keeping the CEO and the CFO out of jail when they have to sign off on things like Sarbanes–Oxley. Or the fact that you don't have to make an SEC filing as a result of financial-systems breach that impacts your ability to keep revenues that you may have already attained.

The real return on investment is less measured in savings than it is in -- as Sam likes to say -- keeping us off the front page of "The Wall Street Journal" above the fold, because the real impact to these things traditionally is not in the court of law, but in the court of public opinion.

They tend to look at organizations that can't manage themselves well and end up in the news at not managing themselves well, less favorably than they do for companies that do manage their operations well.

Visner: What is a pound of cybersecurity worth? I'll put it to you this way. What is a pound of stolen intellectual property worth? That that intellectual property means that somebody else is stealing patient data, manufacturing your products, or undermining your power grid.

One way of thinking is that it's not the value of the cybersecurity so much, but the diminished value of the assets that you would lose that you could no longer protect.

Measuring ROI

That’s as good a place as any to measure that ROI. If you do measure that ROI, the question is not how much are you spending on cybersecurity. The question is what would you lose if you didn’t make that spend. That’s where you see the positive return on investment for cybersecurity, because for any organization, the spend on cybersecurity is almost insignificant compared to the value that would be lost if you didn’t make that spend.

Gardner: Can you offer some recommendations for how others could proceed based on lessons learned from what you've done?

Visner: We recognized early on that this is not a one-company problem.
This is a problem where we are dealing with weapons grade threats from organized criminals who have vast resources at their disposal.

This is a problem where we are dealing with weapons-grade threats from nations. This is a problem where we are dealing with weapons-grade threats from organized criminals who have vast resources at their disposal. This is a problem of intellect, and therefore, no one organization is going to have sufficient intellect to be able to deal with this problem globally.

As a company, CSC tends to seek out partners to whom we can couple our intellect and get a synergistic result. In this case, the process of making that relationship real when it flows through defining our portfolio, defining the services that comprise the portfolio, managing the development of those services through our offering lifecycle management process, and then choosing companies whose technology provides the needed strength for each one of those offerings, each one of the elements of that portfolio.

In this case, that process serves us well, because we're going to need a wide range of technology. Nobody is in a position to confront this problem on their own -- absolutely nobody. Everybody needs partners here. But the question is whom?

We have people show up on our doorstep with ideas and technologies and products every day. But the real issue is, what is a good organizing principle? That organizing principle has two components. One, you need a wide range of capabilities, and two, you need to choose from among the wide range of technologies you need for that wide range of capabilities. You need a process that’s disciplined and well-ordered.

Believe me, we have people show up and ask why it takes so long, why it's such an elaborated process, and can't you see that our product is absolutely the right one.

The answer is that it's like a single hero going out onto the battlefield. They maybe a very effective fighter, but they're not going to be able to master the entirety of the battlefield. That can't be done. They're going to need partners. They're going to need mates in the field. They're going to need to be working alongside other people they trust.

Strategic partner

So in working with HP and the ArcSight tool as our security information and management player of our global logical SOC, our global logical managed cybersecurity service, and in working with HP Fortify we chose a partner we thought -- and we think correctly -- is a strong long-term strategic partner.

It's somebody with whom we can work. HP recognizes that we do. They're not going to solve this problem on their own. What one company is going to solve a problem on their own when they are up against the global environment of nation-state and trade actors? We all need these partnerships.

Our company is unique in that we've always looked to our partner relations for key technologies to enable offerings in our portfolio.

We've always believed that you go to market and you serve your customers with strategic partners, because we've always believed that every problem that had to be solved would require not only our abilities as an integrator, but the abilities of our partners to help in the development of some of this technology. That’s what makes the most sense.

Gardner: Based on your experiences as the Chief Technical Officer at CSC, are there any lessons learned that you could share?
Although there's a wide range of potential partners, we work with companies that we think are going to be long-term strategic partners against high-value problems and challenges.

Weber: I'll leave you with two thoughts. One is again the value proposition of doing business with a global business MSSP. We do have those processes and processes in our background where we are trying to bring the best price-performance products to market.

There maybe higher-priced solutions that are fit for purpose in a very small scale, or there may be some very low-price solutions which are fit for purpose in a very large scale, but don't solve for the top-end problems. The juggling act that we do internally is something that the customer doesn't have to do, whether that’s the CSC internal account or any of our outside paying customers.

The second thing is the rigor with which we apply the evaluation process through an offering lifecycle or product lifecycle management program is really part and parcel of the strength of our ability to bring the correct product to market in the correct timeframe and with the right amount of background to deliver that at a level of maturity that an organization can consume well.
Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: HP.

You may also be interested in: