It is always a worry when heading to a meeting with a ‘Cyber Strategist’ regarding the level of detail that will be required. Will it get down to a motherboard-esque level? Will there be a myriad of firewall specifications to wade through?

As many know, the technical knowledge of the IT foot soldiers contrasts heavily with the technical knowledge of the C-suite, leading to the much publicised ‘knowledge gap’ in the industry.

The industry is crying out for people who speak plainly, tailoring views and processes to both the security community and to those who champion the business case.

Up steps Tim Grieveson, Chief Cyber Strategist of HP’s Enterprise Security Products. Six months into the job, Grieveson previously held both the CIO and CISO roles at G4S Risk Management, as well as roles at Constellium, BT Global Services and Morrison Utility Services.

It is his mix of experience, both at C-level and on the ground, that lets him cut through the more technical terminology to simple, plain English. Which is great, because I hate motherboards and firewall specifications.

Kicking off with a well worn question regarding the threat landscape, Grieveson was quick to address my, and many in the industry’s, mistake in terminology.

"A lot of people talk about the threat landscape; I actually talk about the threat battlefield or the landmine, because it’s all about the good guy trying to navigate around the bad guy.

"It’s all about trying to navigate a safe passage and that’s all we are trying to do in information security."

The strength of Grieveson’s approach to the threat landscape – apologies, threat battlefield – is that he has both spoken and consulted with the C-suite, and sat in the chair himself. It is that experience that leads Grieveson to urge a total rethink of the approach to security.

"It’s a change in culture. It’s actually not a technology, it’s people, process and procedure. Approach it at a people and process level – think of it in the same way as health and safety. It is the health and safety and hygiene of your infrastructure, your IP, your data."

This change in culture is rooted in communication – communication at C-level, and communication between the C-level and IT – and it is that lack of communication and collaboration which is hindering the adoption of the culture change Grieveson thinks is so needed.

"Try to quantify it in non-techie terms; the business does not understand it and they don’t want to.

"In my previous roles I started working for the CFO and it was about cost, then worked for the COO where it was more operational and then the final part of my tenure I was working for the CEO where security became the contributor.

"Security is everyone’s concern in the business. Talk about contribution rather than cost and then the conversation changes and your budget is easier to get.

"Befriend every other C-suite – the CIO and CISO tend to be the ones responsible for security, but what about the CMO, Chief Digital Officer, CFO? All of these people should be involved in the security by design discussion."

Multiple projects, devices and operating systems, coupled with the proliferation of data, would point to communication between IT and the C-suite as an absolutely necessary business process. So why is it not happening? Grieveson points to trust as the major contributing factor.

"The business doesn’t trust IT.

"Traditionally in the past, IT has done lots of projects which have either cost a fortune, overrun or gone over budget and that’s because IT hasn’t had a proper conversation.

"So what I tended to do when I was in the seat was change the conversation into a business conversation, get earlier involvement in the project and actually quantify it in a way people understand.

"I hate the terms business and IT because that automatically puts up a barrier. IT is part of the business, it helps enable. It should be an enabler not a disabler and the other thing is, get to know your organisation."

It is not just the business approach that enterprises have all wrong – their focus on what to protect has to be challenged too argues Grieveson.

"We are not very good at securing the device and the data, depending on the applications it’s used on.

"To a certain extent I do blame some of the developers for this because they have already fixed it on the internet, they have probably already fixed it on the card, but when we are told to develop an app we are told to make it faster, quicker, cheaper, available across all devices – it’s less about the device, it’s more about the data and how we classify the data."

"Understand assets that you want to protect, don’t protect everything, and actually don’t just protect your crown jewels. Lots of suppliers will tell you to put a wrap around your crown jewels, but my view is what happens if it is in the supply chain?

"Focus on the data, rather than the device and then you get security rich and it becomes easier to control and manage."

Big Data

Big Data is one of my most loathed industry ‘buzz words’, a feeling shared by Grieveson and exacerbated further when he informs me of ‘data puddles’ (a small amount of data that can be classified and quantified within a data lake). Again, much like his views on ‘threat landscape’, big data is not a term we should even use at all.

"I prefer the word Big Analytics because big data is only useful if it’s meaningful, it’s contextual and it’s accurate. It goes back to security…the best place to find a bad guy is when he is attacking your big data, because that is where you keep all your things together.

"So for me it’s about ensuring we classify the right big data and you only capture what you need. Don’t capture everything because you are going to have this massive data lake and it’s not going to be used."

What Grieveson is saying all sounds like common sense – don’t capture everything, just what you need. So the question remains, why are companies not doing this now? The problem lies, Grieveson believes, in the simple fact that people are just not very good at it.

"People don’t do data analytics very well because they don’t understand why they want to do it.

"They aren’t classifying it, they are all trying to put big technology in there that captures big data. They just try to capture everything. I agree to capture it, but try and understand why you want to capture it first. What are you going to do with it? What’s the value? Unstructured, structured?"

Internet of Things

When it comes to IoT and the much repeated stat of 30 billion connected devices by 2020, the threat comes from the fact that the attack surface is getting bigger: every new connected device is another potential entry point. Grieveson’s recent experience of buying a connected fridge highlighted the clear and present danger of insecure connected devices.

"I was looking at buying a fridge a couple of weeks ago and that fridge is now internet connected, which is great because it automatically orders the food, bad for me because it now knows how much chocolate I eat and how many beers I am taking out of the fridge!

"More fundamentally, it is that the bad guys are using the fridge as the attack vector to get into the organisation."

That connected fridge could, as Grieveson pointed out, be connected to the whole home network – a worrying thought for those who have already embarked on smartening up their homes. A major question is why major manufacturers are not securing these new devices. Grieveson put it down to the traditional design process, with security as an afterthought.

"Traditionally, security is brought in at the last moment. They go out, develop a product, throw it over the fence and say now go lock that down, secure it.

"I think that is the wrong approach. I think that we should start by security by design and actually think about the enablement of security right from the beginning.

"When we are designing a product or a service it needs to meet business outcomes and business objectives, but start with security enablement at the beginning.

"We need to push the vendors by saying is this device really securing us, have we thought about the vulnerabilities, are we designing it with security to enable rather than disable.

"In my experience it costs around a third more to do it afterwards."

HP Split

Any interview with an HP exec will draw upon the impending split of the business. This interview is no different, and Grieveson is no different to many HP execs in saying that the split will be good for business.

"I think it’s a great thing for the company, because it will focus on the things that are key. I will be in HP enterprise and we will be bringing together the service and security into one piece.

"For me, in the past businesses have dealt with things in very siloed approaches, so in our new approach we have mobility, cloud, big data, IoT and security all together."

Talking of a holistic approach to security as the business is splitting in two does raise questions regarding security on the HP Inc side of the business. Grieveson was quick to guarantee HP’s commitment to security, regardless of which side of the business it falls on.

"What I will say is that security is absolutely key to HP’s strategy moving forward. Just because I’m in HP enterprise doesn’t mean I can’t talk to an HP Inc customer – those customers are going to buy from both parts of the business."