HP CISO Joanna Burkey On Securing The Hybrid Workforce And Her Biggest Fear
Burkey speaks with CRN about HP’s differentiators on endpoint security and the growing use of AI/ML in security.
As chief information security officer at HP Inc., Joanna Burkey is not only responsible for the PC and printer giant’s own cybersecurity posture, she is also the company’s leading voice on the security capabilities built into its products. Burkey recently spoke with CRN on both topics, noting the ways that the pandemic and the shift to hybrid work have altered security strategy, for her and for all CISOs, and the ways that HP specifically is helping to enable secure work today.
[Related: HP CEO Lores: Hybrid Work Is ‘Driving Innovation Across Our Portfolio’]
Burkey is a longtime HP executive who spent 13 years with the company during her first stint, then spent a few years at Siemens before rejoining HP as CISO just a few months into the pandemic in 2020. While the hybrid world is nothing new at this point, the adjustments are massive and ongoing, particularly in security. For instance, “some of the tools we had that were specific to the office scenario are no longer as effective,” Burkey said.
To help with that transition, HP has brought a focus on offering endpoint security capabilities that serve as “an embedded bolt-on with what we’re already selling,” she said. “And that’s music to the ears of CISOs like me … If I’m already purchasing and running my endpoint fleet from a vendor, and they can bolt-on some layers in there for me, that’s great.”
Burkey also spoke with CRN about the possibility that we will see a greater number of cyberattacks in 2023, the growing use of AI/ML in security and her biggest fear.
What follows is an edited portion of CRN’s interview with Burkey.
How would you summarize your strategy for securing HP Inc. as a company? And how has it evolved in recent years?
The hybrid way of working has definitely changed how we think about cyber strategy. Cyber leaders for a long time — and I’m a big believer in this strategy — we believe in layered defense, in “defense in depth.” However you want to call it, it’s the idea that no solution or tool or technology is going to be a magic bullet. But if you take them like pieces of strategically stacked Swiss cheese, you can stack the strengths and the holes in a way where you get a pretty good layer in there, all the way from protection to detection to resilience to recovery, when attackers are trying to do bad things to you. So the hybrid world changed those Swiss cheese slices a little bit. Some of the tools we had that were specific to the office scenario are no longer as effective.
That really grew the focus on what other layers we could put in there. And for example, when you’ve got a lot of people working on various types of endpoints, isolation becomes a really big tool in your tool belt. Isolation can help tremendously when you might have limited ability to activate real-time stuff on endpoints, when you might need people to have a certain layer of protection regardless of what endpoint they’re on. That’s an example of sort of a new layer of Swiss cheese that became more important in hybrid.
In terms of HP’s strategy as a provider of security tools, how would you summarize your strategy there?
We don’t [say], “Hey, HP is going to stand up a portfolio of standalone tools, and we’re going to go after a totally new [market].” That is not our strategy. Our strategy is an embedded bolt-on with what we’re already selling to a very large [total addressable market]. And that’s music to the ears of CISOs like me, because No. 1, we all need to do more with less. That means optimizing what I’ve got. If I’m already purchasing and running my endpoint fleet from a vendor, and they can bolt-on some layers in there for me, that’s great. But then secondly, we are able to do more things transparently to that user at the endpoint — things that used to happen transparently in the network, can now happen transparently at the endpoint. The user gets to continue with their life and their work. But we’re able to continue to put some of those layers in that layered approach by taking advantage of new tools.
In terms of endpoint security, how do you fit in with EDR (endpoint detection and response) tools?
The easiest way to put it is that we augment what the EDR does. We don’t look to replace EDR and we don’t look to duplicate functionality of an EDR or an XDR. EDR is actually a huge piece of my own strategy to cover the HP enterprise. What EDR is not always great at, though, is detecting micro-movements at the endpoint — especially if something is happening at the BIOS and firmware level. EDR agents don’t always have visibility into that. They’re very much working at the OS and the application level, to look for abnormal behavior. So that BIOS and firmware level is a place where tools like HP’s can augment what EDR is doing, and sort of cover some of those holes in the Swiss cheese that EDR has by nature.
We’re not going to sell you tools that are going to sit on your Exchange server, and proactively go through and parse out your email. There’s other tools out in the market that do that. What we will do though — because we recognize that those tools aren’t foolproof — is we will give you the ability, when a user clicks a link in an email, we’ll take you to a micro VM before opening what’s actually in that email to make sure there’s nothing malicious. And that’s another example of how we want to augment the tools that are already out there, catch some of the holes that they have. We’re not looking to wholesale replace those or duplicate what they do.
Are there other examples of holes that you feel HP is able to fill in terms of security?
There’s another place where a lot of the email tools [have a hole]. I’m not calling the email tools weak. It’s all about the complexity of how a threat is actually made real. Tools that are sold today that sit either on the Exchange server, or down the chain before email actually makes it to a user device, have one strong [capability]: they sort of crowdsource information. So if an email gets to a user, and that user notices there’s something weird about it, and reports it as a phish, then that tool will go in and pull that email from all the other users. But you still have a hole in there — because what about that first user? What if they didn’t detect that it was a phish? They thought it was real, they clicked on it. This is where isolation can really help you. By putting the results of that click in a micro VM, you’re able to put an additional net in there for the things that the email tools, writ large, don’t catch on the front end.
What role is HP looking to play in terms of helping to secure the distributed workforce?
There’s functionality that we’ve launched and been selling, called Protect and Trace, that is an additional offering that I think plays really well in the hybrid world. In the hybrid world, you’ve got people working from all kinds of devices — generally different types of devices all in one day and in different places. The amount of misplaced, stolen and lost devices has gone up a lot. We definitely see across the industry, folks leaving stuff at coffee shops, folks having stuff snatched out of their hands. Protect and Trace gives admins of an enterprise the ability to not only track and take certain actions on devices that might be out of the owner’s control now, but allows them to really execute on a large spectrum of, would you like to just find it? Do you want to lock it? Do you want to erase it? Do you want to follow what’s being done on it, to try to see what’s going on? So it’s another tool in that layer of Swiss cheese that is intended to maximize visibility and control to whatever level that administrator of the fleet really wants to do.
Do you expect we’re going to see a greater number of cyberattacks in 2023 because of the economic environment? And what should partners be doing to make sure that they’re secure and following the best practices of a Fortune 100 company?
Over the years, we definitely have seen a very strong correlation — [that] when economic times are a bit rough, the e-crime-based attacks go up. So there’s a lot of different kinds of threats out there. There’s hacktivism, there’s political threats, there’s attacks for money. The attacks for money definitely go up in a period like this. [It’s important for] your CISO to understand what’s really a threat to your company, versus just, what’s a threat overall to the world?
It’s super critical to understand, is one of my values as a company my financial relationship with customers? Probably so. Is one of my values as a company the amount of money we sit on? Maybe so. Maybe you’re a company that’s very under-leveraged because you’re getting ready for some M&A activity and you’re sitting on a lot of money. That really does indicate that in a time of economic depression like this, you want to be super aware of e-crime threats. You mentioned, what are you going to do about it?
What that really translates to is, a lot of e-crime occurs originally through what we call a commodity attack. And a commodity attack means it’s not some APT (advanced persistent threat) crafted for your enterprise with a bunch of super sneaky people doing a bunch of really complex stuff. Commodity attacks are the stuff you get in phishing emails that get blasted out to millions of inboxes, with the attacker hoping they’ll just get lucky on the other end. That’s how a lot of e-crime starts. It’s how a lot of ransomware starts because fundamentally ransomware is just e-crime. So this is really where protections that specifically guard against commodity attacks are important in a year like this.
AI has gotten pretty good at detecting cyberattacks, but we’re not comfortable yet with the idea of having AI/ML automatically make security decisions for us. But do you see that becoming a common thing at some point in the future, and if so, how soon do you think that could be?
I think we’re continually on an evolutionary curve where, year-over-year, [AI/ML is] getting stronger and getting more capable. And we as overseers of defense are gradually becoming more comfortable letting it make decisions. I don’t believe there’s going to be a light switch, where one day we just go, “OK great, you can make all the decisions now.” It’s just going to be this gradual evolution that we’re already in the middle of, which is a good thing. I think that’s a great, sustainable way for a new technology to get incorporated into a strategy.
What’s your biggest fear?
Year over year, my biggest fear is that I knew about something, and I didn’t take the right action. It’s a waste of time to worry about what you don’t know — you don’t know what you don’t know. What I constantly think about is, what do I know, and am I doing the right things based on what I know?
What’s your biggest piece of advice for MSPs and other partners?
My biggest recommendation and piece of advice is [to invest in] anything that helps you optimize visibility. Visibility is one of the most key things to what a CISO does, regardless of the size of the company — if you’ve got five employees or you’ve got 500,000 employees. Any tool in your tool belt that helps you know your environment is going to give you data. The more data, the better decisions you can make.