Brett Wahlin is responsible for all security within HP. Here he offers a fascinating insight into the role of a CISO at a global mega-corporation as it goes through the biggest shake-up in its history, all the while being attacked by potentially everyone from hacktivists to state-sponsored adversaries.
Q: Why would anyone want to attack HP?
A: HP is a large target, so there are many motivators for adversaries. They are after fame, fortune: ‘hey, it's HP, I took down a really big company.’ Monetarily there's a lot to gain with HP. HP is everywhere from a global perspective. My team monitors 2% of the entire internet. We're just big, so it's hard not to trip across something that is HP at some point.
Q: What are your responsibilities?
A: I have global responsibility for information security and for the security of our products: what goes into our products, as well as the business supply chain. HP takes a different view: we're breaking out of the IT security mould and look at IT security across the company.
Q: You are a target and a protector? What’s the challenge?
A: When I looked at this role, dealing with a very large multinational company, there was a challenge around the scale of how we do security. There are typical practices of how we do security. I've been doing this for 26 years and there are similar things that you do across industries.
The challenge with HP, being the largest technology manufacturer in the world, is scale. We have 39 million IP addresses under our control (that's the 2% of the internet mentioned above).
What works in a smaller company won't work in HP, so it forces the innovation. You have to think differently about how you protect an enterprise that is as large as HP. For someone as a practitioner there are challenges and it is difficult. How do you keep up with the number of things you have to handle? We have 4 billion events we have to process each day. We actually generate 21 billion events. It is a big numbers game. How do we look at something so big? The other really interesting thing is that you see everything. If there is an exploit out there or an attack, then we're going to see it.
So it gives you a very broad perspective on things you will encounter.
Q: What is your most effective policy for controlling security within HP?
A: From a policy perspective we look for things that are defined as security controls. There is a policy you can set. There is a behaviour that says ‘you should do this, and we rely on you to follow the policy, and we potentially can detect when you don't, and there are consequences.’
It is really about where the company wants to go and that discussion has to be had with the senior leadership.
And then you understand where to put the controls. So if I say ‘no, don't do this’ and apply technology, then there is no grey area.
We're trying to culturally change HP at the moment and trying to raise awareness, and it is all around the Security Transformation. That's the name of our programme, and it is really to get security to be, if not first and foremost, then a constant consideration in everything you do.
Q: How do you deal with the type of attention you were getting recently? Is that a higher risk level?
A: I tend to look at where is the business currently. Look at a company like HP.
When we set out the turnaround journey we set out a very specific set of objectives year over year. In order for HP to succeed in those steps, I looked at the cyber risk in each one of those. In a particular portion of the turnaround, what impactful event could happen from a cyber perspective that could prevent us from continuing? And I ranked our risk that way. I would talk to the board and say ‘we would have a hard time moving through this particular phase if this particular series of events were to occur, and here's what we should do about those series of events.’
Now the risk, if you level it out, might be a little different, but it was the connection to what the company was going through at that particular time that really made it stick. And once you have made that framework on how to describe and handle the risk, then you can move the different parts around to address specific items.
Or there might be something around reputational damage during a particular time that might affect us so we really want to be extra vigilant. Those are just examples of the type of risk awareness.
Q: How do you build a strategy to mitigate risk across a company as large as HP?
A: Any time you announce a change to the organisation there is an uptick in interest. It is not that they break in but we see people looking. It just goes to show how opportunistic the adversary is.
I was at Sony and I came in after the PlayStation breach. And although it was different companies within Sony that got hit, because they all carry the same name, when one gets hit they all get hit.
So one of the things we will be very careful about going forward, having recently announced the separation, is that whatever carries the HP name will be secured in the same way.
A lot of board conversations are going on now on how to secure the company. CISOs try to educate the board and do it in a way that is not technical. They understand risks to the business and that the security function can also be very strategic. We can help the business and enable the business.
Q: Europol says there are 100 cyber criminal kings in the world. Is that how you see it, that there is a dark cabal of evil people working on the dark internet trying to break into corporates and undermine their systems?
A: I don't think it is helpful to describe it as a dark underground. There are elements that are like that. But remember, they only have to be right once; we have to be right all the time. It could be a dark force or it could be your own internal personnel who do something. So I don't like to cast it like that, because a threat can come from anywhere. What we try to look at is who or what in particular is interested in HP, or whatever company you are working for, and what that particular threat is.
When you take hundreds and hundreds of adversaries, they are not all interested in your company; it may be four, who knows what the number is. But it is the responsibility of the CISO securing the organisation to understand which ones matter, and to use intelligence to work out how capable the adversary is, what they look like and what their motivations are.
And it changes. One day there may be state-sponsored actors that are interested in HP; the next it may be hacktivists because they disagree with a certain policy we have or a certain geopolitical location in which we do business. It will eventually happen from someone at some point, but it is not all this shady underground.
When I talk to the business leaders and use those kind of terms they say ‘you’re just trying to scare me.’
I just like to look at what the business is doing now and what is a credible threat to us right now, as well as what's coming down the line. And we never know. We woke up this morning and there are three new significant vulnerabilities that we didn't know about yesterday.
And we didn't plan for that two days ago, but we are off and running. The adversary will be successful and companies will eventually suffer attacks, but what is key is how you prepare to react to them and work to manage that risk.
Fortunately our processes are sound. We know what the incidents are, we know what the fixes are. So you have to be flexible, because whatever your adversary looks like today, it will be different tomorrow.