A third member is Justine Bone, who began her career doing reverse engineering and vulnerability research at New Zealand’s version of the U.S. National Security Agency before leading security for companies, including Bloomberg LP. She’s now the CEO of MedSec, which analyzes technology security for healthcare companies.
The Security Advisory Board will work with HP to identify evolving threats and help companies adapt to the fundamental changes taking place in the security landscape. One of these changes is that inadequate security can’t be hidden anymore; the hackers’ armory is too deep and sophisticated, and automated attack tools are constantly on the lookout for flaws to exploit. Bone says it takes only two and a half minutes after you plug in a smart camera or screw in a smart light bulb for an internet bot to compromise that device. Billions of connected devices span every inch of our economy and our lives, from supply chains and energy grids to connected cars.
That’s putting everyone under a microscope, from the top of the chain to the bottom. “Security has become an imperative for our customers,” says HP’s Balacheff. With the average U.S. breach costing $7 million and intensifying scrutiny from consumers and investors, it’s increasingly clear that everyone throughout an organization, from a company’s security group up to the board, needs to be involved in anticipating security threats. “Originally cybersecurity was an IT problem. What we’re seeing is now it's being heavily looked at by the board and the audit and risk committee and treated like any other risk,” says Masse. “I think now's the time where we really have the opportunity to improve things at a much better level than before.”
Additionally, organizations need help understanding just how profoundly the thinking behind security strategy needs to change. Traditionally, companies felt that software or network security solutions would be the answer; however, with the evolution of attacker sophistication and our increased dependency on devices for everything we do, it is no longer that simple. Security needs to start at the lowest level of hardware and firmware design.
When baby monitors are conscripted into botnets to launch assaults that take down Twitter and Netflix, it’s clear that any connected device can be attacked. And as the flood of network-connected gadgets continues to rise — 20 billion such devices are expected to be in service by 2020 — this challenge will only grow.
That’s why every device must be built from the ground up to be secure and able to adapt, says Calce. This principle is one the tech industry has always preached, but hasn’t always practiced. An example of this, Calce explains, is when a computer or printer boots up: up to a million lines of code can be executed before the device’s operating system is even loaded, in what is known as the device’s 'firmware' (often still referred to as BIOS in PCs). This occurs before the user is even able to see any kind of welcome screen. HP has gone as far as designing not only protections at this level but also the ability to detect an attack and recover a compromised device, trailblazing the future of endpoint security with hardware-enforced cyber-resilient devices.
“For years,” says Bone, “software and hardware makers were able to rely on security by obscurity. There was no upside to building in this quality all the way through the product because nobody was asking questions. Now, though, people are definitely asking.”
That’s where HP has been focused for years. The security board members say it’s paying off — that’s why they’re eager to work with HP to get this message out.
“HP is looking to implement security on anything and everything they develop,” says Calce. “That’s the type of mindset we need if we ever want to have some level of security in this world.”