I’d like to introduce you all to Jim Tiller, a recent hire here at HP. Jim just joined HP as the Head of Professional Services for Americas at HP Enterprise Security Services. Jim has an extensive security background and he is an accomplished author as well. Check out the recent chat I had with him.
WR - What brought you to HP and why now?
Jim Tiller: A lot of things attracted me to HP. Of course, HP’s brand and heritage played a significant role in my decision. Before coming to HP I met a number of people who work here and they had only great things to share about the company. I wanted to be a part of that.
A key feature that stood out was HP’s commitment to information security. HP has committed a great deal of resources, energy, focus and investment in security products and people to be the leader in this space. For anyone who has decided to make their career as a security professional, nothing is more exciting than working for an organization that places a strategic importance on security. I’m passionate about security – it’s in my DNA – so this resonated deeply. More importantly, HP takes action on that strategy and is committed to that goal. A lot of companies say they want to be the leader, but few truly act on it.
Another key contributor was the focus on excellence for our customers. I’m all about providing value to customers, helping them achieve their goals, and enabling their business; it’s very important to me as a professional. It’s clear that this is exactly what HP is all about.
So, why now? Simply, HP is a true leader. If you ask people, “Who is the leader in information security?” you’re going to get a lot of different answers. Given that security has become increasingly important to businesses of all shapes and sizes, they’re looking for a partner – a true leader – to come to the table with compelling and meaningful solutions that will help them meet their goals. In short, the market wants a leader, a company they can count on, and HP is committed to leading this market.
WR - What do you bring to this organization that’s unique, and valuable to our customers?
Jim Tiller: For those who know me, I’m not a fan of talking about myself! I’m surrounded by great people here that bring their own unique capabilities and experience. Like many, I have a passion for security; I thrive on doing things better and making security more compelling and effective. As a professional, I demand excellence, a solution oriented mindset, and enthusiasm for quality and value. This mantra ties directly to our customers. I want to absolutely delight our customers; this is my focus, my mission and my passion.
WR - What are the biggest [security related] challenges to ‘business’ you’ve seen in your career as a security professional?
Jim Tiller: The biggest challenges are adaptability of security and demonstrating the value of security to the business. Threats are constantly changing and evolving, and I’m not just talking about hackers – that’s a given. Compliance demands are constantly putting pressure on organizations, and gaps can be a direct threat to the business. Disruptive technologies that drive business opportunity, such as cloud computing and consumerization, can strain established processes and potentially introduce undesirable security conditions if they’re not approached in compelling ways. I find that many organizations are good at security and have established a solid foundation, but threat dynamics require agility and, importantly, businesses are demanding it.
One of the long-standing challenges is demonstrating the value of security. Companies typically seek returns, and this can be difficult to accomplish for security investments, but not impossible. Security departments are constantly working to not only protect their company, but do so in a manner that resonates with the business. Doing both effectively is a challenge.
WR - Do you agree many organizations have over-bought on “technology”?
Jim Tiller: Not entirely, but it can be a slippery slope. There’s a lot of very good and sophisticated security technology out there that can do a great deal in helping to establish and maintain the desired security posture. However, issues begin to surface when technology is seen as the first and only step to security, when in fact it is only one of many ingredients. Security is omnipresent across the business and requires a full-spectrum balance. I’ve found it’s the people that can make the difference, and technology is about enabling people.
WR - What do you think is the single most important piece of technology organizations should have operational right now?
Jim Tiller: Wow, that’s a hard question, so I’ll go with my gut reaction – encryption. Protecting data is core to information security and encryption is at the heart of that objective. But, as you know, security is many layers, so I have to add in a couple of others. Identity and access management is also vital. Making sure you can identify, authenticate, effectively control access to resources with the appropriate authority, and log and monitor those processes is critical. On a more current topic, DLP is interesting, and I suspect it will become as common as firewalls in the very near future. OK, one last one… SIEM. Anything that helps you monitor your environment – from policy enforcement and change control to ID/PS and firewalls – is paramount. Without visibility and situational awareness you can’t focus your resources.
WR - How do we in Information Security begin to solve the ‘people problem’?
Jim Tiller: It will never get solved really. People are people and humans are just not good at perceiving risk, especially in the digital domain. Nevertheless, for me it’s always been about making it personal – making security mean something to you as an individual. Doing awareness training and security education for users is good and very helpful. However, what seems to make it “stick” is when they can relate their actions – or inaction – to their own lives. Once people come to grips with the reality of security, it’s far easier to translate that to their work environment and act responsibly.
WR - How do CIOs get off the hamster-wheel, chasing the latest industry buzz-word technologies, to actually serve the business better?
Jim Tiller: Although it’s far easier said than done, to effectively serve anyone you have to know their business, needs, mission and objectives as well as they do, and importantly, stay in sync with them as their business environment evolves to achieve their vision. Nothing is static. Of course, the devil is in the detail. Just knowing the business isn’t always enough. You need to get a feel for how they operate day-to-day, their pain points and practices. At that point the strategic challenges concerning technology become less burdensome because there is greater clarity on what you need to accomplish.
Importantly, it’s also about leveraging what you have. It’s quite common to invest in a technology, but not fully exploit all its features and capabilities, or get it fully integrated with other aspects of the infrastructure. When this occurs, existing solutions can appear less effective, making new stuff look more exciting. Again, far easier said than done, but the best CIOs I’ve been lucky enough to come in contact with are very in tune with their customers and deeply understand the nuance of their current environment.
WR - What advice do you give organizations just ‘waking up’ to the big security/risk problems facing them today?
Jim Tiller: Interestingly, this is coming up more and more as threats begin to challenge industries that have historically been very low on the target list. Unfortunately, now that they are on the list they’re getting attacked by sophisticated threats and not your average script kiddies, so it’s a real problem. The first point is helping them come to grips with the fact that they are a target and that, no matter how seemingly benign their business may appear to them, what they do, who they are, and the data they create and process is valuable in some way to someone. The advice I usually start with is getting insight into their environment from a security perspective. You can’t defend against what you can’t see.
Also, you’ll find that some companies will have good baseline security in place, but it’s in a “fire and forget” condition with limited forms of monitoring and governance. It’s important to understand security is a process and not static. After that, it’s about knowing where your information is and how you’re protecting it. Start with the big and obvious stuff and work your way out from there. Lastly, I encourage them to not move too quickly, ironically. If you force-feed anything into the environment it will come with some form of cost down the line. I always say: slow is smooth and smooth is fast – don’t confuse time with effectiveness. Make the effort to define a mission, set clear goals, plan and design with purpose, remove wasted effort, and act.
You can hear more from Jim on Twitter at @real_security.