Friday, July 12, 2013

The Open Group Conference to Emphasize Healthcare as Key Sector for Ecosystem-Wide Interactions

Transcript of a BriefingsDirect podcast on how the healthcare industry is poised to take advantage of enterprise architecture to bring benefits to patients, doctors, and allied health professionals.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: The Open Group.

Dana Gardner: Hello, and welcome to a special BriefingsDirect Thought Leadership Interview series, coming to you in conjunction with The Open Group Conference on July 15, in Philadelphia. Registration to the conference remains open. Follow the conference on Twitter at #ogPHL.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator throughout these discussions on enterprise transformation in the finance, government, and healthcare sectors.

We're here now with a panel of experts to explore how new IT trends are empowering improvements, specifically in the area of healthcare. We'll learn how healthcare industry organizations are seeking large-scale transformation and what are some of the paths they're taking to realize that.

We'll see how improved cross-organizational collaboration and such trends as big data and cloud computing are helping to make healthcare more responsive and efficient.

With that, please join me in welcoming our panel, Jason Uppal, Chief Architect and Acting CEO at clinicalMessage. Welcome, Jason.

Jason Uppal: Thank you, Dana.

Gardner: And we're also joined by Larry Schmidt, Chief Technologist at HP for the Health and Life Sciences Industries. Welcome, Larry.

Larry Schmidt: Thank you.

Gardner: And also, Jim Hietala, Vice President of Security at The Open Group. Welcome back, Jim. [Disclosure: The Open Group and HP are sponsors of BriefingsDirect podcasts.]

Jim Hietala: Thanks, Dana. Good to be with you.

Gardner: Let’s take a look at this very interesting and dynamic healthcare sector, Jim. What, in particular, is so special about healthcare and why do things like enterprise architecture and allowing for better interoperability and communication across organizational boundaries seem to be so relevant here?

Hietala: There’s general acknowledgement in the industry that, inside of healthcare and inside the healthcare ecosystem, information either doesn’t flow well or it only flows at a great cost in terms of custom integration projects and things like that.

Fertile ground

From The Open Group’s perspective, it seems that the healthcare industry and the ecosystem really is fertile ground for bringing to bear some of the enterprise architecture concepts that we work with at The Open Group in order to improve, not only how information flows, but ultimately, how patient care occurs.

Gardner: Larry Schmidt, similar question to you. What are some of the unique challenges that are facing the healthcare community as they try to improve on responsiveness, efficiency, and greater capabilities?

Schmidt: There are several things that have not really kept up with what technology is able to do today.

For example, the whole concept of personal observation comes into play in what we would call "value chains" that exist right now between a patient and a doctor. We look at things like mobile technologies and want to be able to leverage that to provide additional observation of an individual, so that the doctor can make a more complete diagnosis of some sickness or possibly some medication that a person is on.

We want to be able to see that observation in real life, as opposed to having to take that in at the office, which typically winds up happening. I don’t know about everybody else, but every time I go see my doctor, oftentimes I get what’s called white coat syndrome. My blood pressure will go up. But that’s not giving the doctor an accurate reading from the standpoint of providing great observations.

Technology has advanced to the point where we can do that in real time using mobile and other technologies, yet the communication flow, that information flow, doesn't exist today, or is at best, not easily communicated between doctor and patient.

If you look at the ecosystem, as Jim offered, there are plenty of places that additional collaboration and communication can improve the whole healthcare delivery model.

That’s what we're about. We want to be able to find the places where the technology has advanced, where standards don’t exist today, and just fuel the idea of building common communication methods between those stakeholders and entities, allowing us to then further the flow of good information across the healthcare delivery model.

Gardner: Jason Uppal, let’s think about what, in addition to technology, architecture, and methodologies can bring to bear here? Is there also a lag in terms of process thinking in healthcare, as well as perhaps technology adoption?

Uppal: I'm going to refer to a presentation that I watched from a very well-known surgeon from Harvard, Dr. Atul Gawande. His point was that, in the last 50 years, the medical industry has made great strides in identifying diseases, drugs, procedures, and therapies, but one thing that he was alluding to was that medicine forgot the cost, that everything is cost.

At what price?

Today, in his view, we can cure a lot of diseases and a lot of issues, but at what price? Can anybody actually afford it?

His view is that if healthcare is going to change and improve, it has to be outside of the medical industry. The tools that we have are better today, like collaborative tools that are available for us to use, and those are the ones that he was recommending that we need to explore further.

That is where enterprise architecture is a powerful methodology to use and say, "Let’s take a look at it from a holistic point of view of all the stakeholders. See what their information needs are. Get that information to them in real time and let them make the right decisions."

Therefore, there is no reason for the health information to be stuck in organizations. It could go with where the patient and providers are, and let them make the best decision, based on the best practices that are available to them, as opposed to having siloed information.

So enterprise-architecture methods are most suited for developing a very collaborative environment. Dr. Gawande was pointing out that, if healthcare is going to improve, it has to think about it not as medicine, but as healthcare delivery.

Gardner: And it seems that not only are there challenges in terms of technology adoption and even operating more like an efficient business in some ways. We also have very different climates from country to country, jurisdiction to jurisdiction. There are regulations, compliance, and so forth.

Going back to you, Larry, how important of an issue is that? How complex does it get because we have such different approaches to healthcare and insurance from country to country?

Schmidt: There are definitely complexities that occur based on the different insurance models and how healthcare is delivered across and between countries, but some of the basic and fundamental activities in the past that happened as a result of delivering healthcare are consistent across countries.

As Jason has offered, enterprise architecture can provide us the means to explore what the art of the possible might be today. It could allow us the opportunity to see how innovation can occur if we enable better communication flow between the stakeholders that exist with any healthcare delivery model in order to give us the opportunity to improve the overall population.

After all, that’s what this is all about. We want to be able to enable a collaborative model throughout the stakeholders to improve the overall health of the population. I think that’s pretty consistent across any country that we might work in.

Ongoing work

Gardner: Jim Hietala, maybe you could help us better understand what’s going on within The Open Group and, even more specifically, at the conference in Philadelphia. There is the Population Health Working Group and there is work towards a vision of enabling the boundaryless information flow between the stakeholders. Any other information and detail you could offer would be great.

Hietala: On Tuesday of the conference, we have a healthcare focus day. The keynote that morning will be given by Dr. David Nash, Dean of the Jefferson School of Population Health. He'll give what’s sure to be a pretty interesting presentation, followed by a reactors' panel, where we've invited folks from different stakeholder constituencies.

We're going to have clinicians there. We're going to have some IT folks and some actual patients to give their reaction to Dr. Nash’s presentation. We think that will be an interesting and entertaining panel discussion.

The balance of the day, in terms of the healthcare content, we have a workshop. Larry Schmidt is giving one of the presentations there, and Jason and myself and some other folks from our working group are involved in helping to facilitate and carry out the workshop.

The goal of it is to look into healthcare challenges, desired outcomes, the extended healthcare enterprise, and the extended healthcare IT enterprise and really gather those pain points that are out there around things like interoperability to surface those and develop a work program coming out of this.

So we expect it to be an interesting day. If you are in the healthcare IT field or just the healthcare field generally, it would definitely be a day well spent to check it out.

Gardner: Larry, you're going to be talking on Tuesday. Without giving too much away, maybe you can help us understand the emphasis that you're taking, the area that you're going to be exploring.

Schmidt: I've titled the presentation "Remixing Healthcare through Enterprise Architecture." Jason offered some thoughts as to why we want to leverage enterprise architecture to discipline healthcare. My thoughts are that we want to be able to make sure we understand how the collaborative model would work in healthcare, taking into consideration all the constituents and stakeholders that exist within the complete ecosystem of healthcare.

This is not just collaboration across the doctors, patients, and maybe the payers in a healthcare delivery model. This could be out as far as the drug companies and being able to get drug companies to a point where they can reorder their raw materials to produce new drugs in the case of an epidemic that might be occurring.


Real-time model

It would be a real-time model that allows us the opportunity to understand what's truly happening, both to an individual from a healthcare standpoint, as well as to a country or a region within a country and so on from healthcare. This remixing of enterprise architecture is the introduction to that concept of leveraging enterprise architecture into this collaborative model.

Then, I would like to talk about some of the technologies that I've had the opportunity to explore around what is available today in technology. I believe we need to have some type of standardized messaging or collaboration models to allow us to further facilitate the ability of that technology to provide the value of healthcare delivery or betterment of healthcare to individuals. I'll talk about that a little bit within my presentation and give some good examples.

It’s really interesting. I just traveled from my company’s home base back to my home base and I thought about something like a body scanner that you get into in the airport. I know we're in the process of eliminating some of those scanners now within the security model from the airports, but could that possibly be something that becomes an element within healthcare delivery? Every time your body is scanned, there's a possibility you can gather information about that, and allow that to become a part of your electronic medical record.

Hopefully, that was forward thinking, but that kind of thinking is going to play into the art of the possible, with what we are going to be doing, both in this presentation and talking about that as part of the workshop.

Gardner: Larry, we've been having some other discussions with The Open Group around what they call Open Platform 3.0, which is the confluence of big data, mobile, cloud computing, and social.

One of the big issues today is this avalanche of data, the Internet of things, but also the Internet of people. It seems that the more work that's done to bring Open Platform 3.0 benefits to bear on business decisions, it could very well be impactful for centers and other data that comes from patients, regardless of where they are, to a medical establishment, regardless of where it is.

So do you think we're really on the cusp of a significant shift in how medicine is actually conducted?

Schmidt: I absolutely believe that. There is a lot of information available today that could be used in helping our population to be healthier. And it really isn't only the challenge of the communication model that we've been speaking about so far. It's also understanding the information that's available to us to take that and make that into knowledge to be applied in order to help improve the health of the population.

As we explore this from an as-is model in enterprise architecture to something that we believe we can first enable through a great collaboration model, through standardized messaging and things like that, I believe we're going to get into even deeper detail around how information can truly provide empowered decisions to physicians and individuals around their healthcare.

So it will carry forward into the big data and analytics challenges that we have talked about and currently are talking about with The Open Group.

Healthcare framework

Gardner: Jason Uppal, we've also seen how in other business sectors, industries have faced transformation and have needed to rely on something like enterprise architecture and a framework like TOGAF in order to manage that process and make it something that's standardized, understood, and repeatable.

It seems to me that healthcare can certainly use that, given the pace of change, but that the impact on healthcare could be quite a bit larger in terms of actual dollars. This is such a large part of the economy that even small incremental improvements can have dramatic effects when it comes to dollars and cents.

So is there a benefit to bringing enterprise architecture to healthcare that is larger and greater than other sectors because of these economics and issues of scale?

Uppal: That's a great way to think about this thing. In other industries, applying enterprise architecture to do banking and insurance may be easily measured in terms of dollars and cents, but healthcare is a fundamentally different economy and industry.

It's not about dollars and cents. It's about people’s lives, and loved ones who are sick, who could very easily be treated, if they're caught in time and the right people are around the table at the right time. So this is more about human cost than dollars and cents. Dollars and cents are critical, but human cost is the larger play here.

Secondly, when we think about applying enterprise architecture to healthcare, we're not talking about just the U.S. population. We're talking about global population here. So whatever systems and methods are developed, they have to work for everybody in the world. If the U.S. economy can afford an expensive healthcare delivery, what about the countries that don't have the same kind of resources? Whatever methods and delivery mechanisms you develop have to work for everybody globally.

That's one of the things that a methodology like TOGAF brings out and says to look at it from every stakeholder’s point of view, and unless you have dealt with every stakeholder’s concerns, you don't have an architecture, you have a system that's designed for that specific set of audience.

The cost is not this 18 percent of the gross domestic product in the U.S. that is representing healthcare. It's the human cost, which is many multitudes of that. That's one of the areas where we could really start to think about how do we affect that part of the economy, not the 18 percent of it, but the larger part of the economy, to improve the health of the population, not only in North America, but globally.

If that's the case, then what really will be the impact on our greater world economy is improving population health, and population health is probably becoming our biggest problem in our economy.

We'll be testing these methods at a greater international level, as opposed to just at an organization and industry level. This is a much larger challenge. A methodology like TOGAF is proven, and it could be stressed and tested to that level. This is a great opportunity for us to apply our tools and science to a problem that is larger than just dollars. It's about humans.

All "experts"

Gardner: Jim Hietala, in some ways, we're all experts on healthcare. When we're sick, we go for help and interact with a variety of different services to maintain our health and to improve our lifestyle. But in being experts, I guess that also means we are witnesses to some of the downside of an unconnected ecosystem of healthcare providers and payers.

One of the things I've noticed in that vein is that I have to deal with different organizations that don't seem to communicate well. If there's no central process organizer, it's really up to me as the patient to pull the lines together between the different services -- tests, clinical observations, diagnosis, back for results from tests, sharing the information, and so forth.

Have you done any studies or have anecdotal information about how that boundaryless information flow would be still relevant, even having more of a centralized repository that all the players could draw on, sort of a collaboration team resource of some sort? I know that’s worked in other industries. Is this not a perfect opportunity for that boundarylessness to be managed?

Hietala: I would say it is. We all have experiences with going to see a primary physician, maybe getting sent to a specialist, getting some tests done, and the boundaryless information that’s flowing tends to be on paper delivered by us as patients in all the cases.

So the opportunity to improve that situation is pretty obvious to anybody who's been in the healthcare system as a patient. I think it’s a great place to be doing work. There's a lot of money flowing to try and address this problem, at least here in the U.S. with the HITECH Act and some of the government spending around trying to improve healthcare.

You've got healthcare information exchanges that are starting to develop, and you have got lots of pain points for organizations in terms of trying to share information and not having standards that enable them to do it. It seems like an area that’s really a great opportunity area to bring lots of improvement.

Gardner: Let’s look for some examples of where this has been attempted and what the success brings about. I'll throw this out to anyone on the panel. Do you have any examples that you can point to, either named organizations or anecdotal use case scenarios, of a better organization, an architectural approach, leveraging IT efficiently and effectively, allowing data to flow, putting in processes that are repeatable, centralized, organized, and understood. How does that work out?

Uppal: I'll give you an example. One of the things that happens when a patient is admitted to hospital and in hospital is that they get what's called high-voltage care. There is staff around them 24x7. There are lots of people around, and every specialty that you can think of is available to them. So the patient, in about two or three days, starts to feel much better.

When that patient gets discharged, they get discharged to home most of the time. They go from very high-voltage care to next to no care. This is one of the areas where one of the organizations we work with is able to discharge the patient and, instead of discharging them to the primary care doc, who may not receive any records from the hospital for several days, they get discharged into a virtual team. So if the patient is at home, the virtual team is available to them through their mobile phone 24x7.

Connect with provider

If, at 3 o’clock in the morning, the patient doesn't feel right, instead of having to call an ambulance to go to hospital once again and get readmitted, they have a chance to connect with their care provider at that time and say, "This is what the issue is. What do you want me to do next? Is this normal for the medication that I am on, or this is something abnormal that is happening?"

When that information is available to that care provider who may not necessarily have been part of the care team when the patient was in the hospital, that quick readily available information is key for keeping that person at home, as opposed to being readmitted to the hospital.

We all know that the cost of being in a hospital is 10 times more than it is being at home. But there's also inconvenience and human suffering associated with being in a hospital, as opposed to being at home.

Those are some of the examples that we have, but they are very limited, because our current health ecosystem is very organization specific, not patient and provider specific. This is the area where there is huge room for opportunities for healthcare delivery, thinking about health information, not in the context of the organization where the patient is, as opposed to in a cloud, where it’s an association between the patient and provider and health information that’s there.

In the past, we used to have emails that were within our four walls. All of a sudden, with Gmail and Yahoo Mail, we have email available to us anywhere. A similar thing could be happening for the healthcare record. This could be somewhere in the cloud’s eco setting, where it’s securely protected and used by only people who have granted access to it.

Those are some of the examples where extending that model will bring infinite value to not only reducing the cost, but improving the cost and quality of care.

Schmidt: Jason touched upon the home healthcare scenario and being able to provide touch points at home. Another place that we see evolving right now in the industry is the whole concept of mobile office space. Both countries, as well as rural places within countries that are developed, are actually getting rural hospitals and rural healthcare offices dropped in by helicopter to allow the people who live in those communities to have the opportunity to talk to a doctor via satellite technologies and so on.

The whole concept of an architecture around and being able to deal with an extension of what truly lines up being telemedicine is something that we're seeing today. It would be wonderful if we could point to things like standards that allow us to be able to facilitate both the communication protocols as well as the information flows in that type of setting.

Many corporations can jump on the bandwagon to help the rural communities get the healthcare information and capabilities that they need via the whole concept of telemedicine.

That’s another area where enterprise architecture has come into play. Now that we see examples of that working in the industry today, I am hoping that as part of this working group, we'll get to the point where we're able to facilitate that much better, enabling innovation to occur for multiple companies via some of the architecture or the architecture work we are planning on producing.

Single view

Gardner: It seems that we've come a long way on the business side in many industries of getting a single view of the customer, as it’s called, the customer relationship management, big data, spreading the analysis around among different data sources and types. This sounds like a perfect fit for a single view of the patient across their life, across their care spectrum, and then of course involving many different types of organizations. But the government also needs to have a role here.

Jim Hietala, at The Open Group Conference in Philadelphia, you're focusing on not only healthcare, but finance and government. Regarding the government and some of the agencies that you all have as members on some of your panels, how well do they perceive this need for enterprise architecture level abilities to be brought to this healthcare issue?

Hietala: We've seen encouraging signs from folks in government that are encouraging to us in bringing this work to the forefront. There is a recognition that there needs to be better data flowing throughout the extended healthcare IT ecosystem, and I think generally they are supportive of initiatives like this to make that happen.

Gardner: Of course having conferences like this, where you have a cross pollination between vertical industries, will perhaps allow some of the technical people to talk with some of the government people too and also have a conversation with some of the healthcare people. That’s where some of these ideas and some of the collaboration could also be very powerful.

I'm afraid we're almost out of time. We've been talking about an interesting healthcare transition, moving into a new phase or even era of healthcare.

Our panel of experts have been looking at some of the trends in IT and how they are empowering improvement for how healthcare can be more responsive and efficient. And we've seen how healthcare industry organizations can take large scale transformation using cross-organizational collaboration, for example, and other such tools as big data, analytics, and cloud computing to help solve some of these issues.

This special BriefingsDirect discussion comes to you in conjunction with The Open Group Conference this July in Philadelphia. Registration to the conference remains open. Follow the conference on Twitter at #ogPHL, and you will hear more about healthcare or Open Platform 3.0 as well as enterprise transformation in the finance, government, and healthcare sectors.

With that, I'd like to thank our panel. We've been joined today by Jason Uppal, Chief Architect and Acting CEO at clinicalMessage. Thank you so much, Jason.

Uppal: Thank you, Dana.

Gardner: And also Larry Schmidt, Chief Technologist at HP for the Health and Life Sciences Industries. Thanks, Larry.

Schmidt: You bet, appreciate the time to share my thoughts. Thank you.

Gardner: And then also Jim Hietala, Vice President of Security at The Open Group. Thanks so much.

Hietala: Thank you, Dana.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator throughout these thought leader interviews. Thanks again for listening and come back next time.


Copyright Interarbor Solutions, LLC, 2005-2013. All rights reserved.


HP-Fueled Application Delivery Transformation Pays Ongoing Dividends for McKesson

Transcript of a BriefingsDirect podcast on healthcare giant McKesson's continuing multi-year, pan-IT journey toward service management transformation.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.

Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance Podcast Series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your moderator for this ongoing discussion of IT innovation and how it’s making an impact on people’s lives.

Once again, we're focusing on how IT leaders are improving their services' performance to deliver better experiences and payoffs for businesses and end users alike, and this time we're coming to you directly from the HP Discover 2013 Conference in Las Vegas.

We’re here the week of June 10 to explore some award-winning case studies from leading enterprises. Our next innovation case study interview highlights how McKesson Corp. accomplished a multi-year, pan-IT management transformation.

We’ll see how McKesson's performance journey, from 2005 to the present, has enabled it to better leverage an agile, hybrid cloud model.

To learn more about how McKesson gained a standardized services orientation to gain agility in deploying its applications, please join me now in welcoming Andy Smith, Vice President of Applications Hosting Services at McKesson. Welcome, Andy. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Andy Smith: Thank you, Dana. Glad to be here.

Gardner: It's good to have you back. It's hard to believe it's been a full year since we last spoke. I was very interested in how McKesson had been progressing and maturing its applications delivery capabilities back then. What's new? What's different? What's changed in the last year?

Smith: Probably one of the things that have changed in the last year is that our performance metrics have continued to improve. We're continuing to see a drop in the number of outages from the standardization and automation. The reliability of the systems has increased, the utilization of the systems has increased, and our system admin ratios have increased. So everything, all the key performance indicators (KPIs) are going in the right direction.

That allowed us to make the next shift, which was to focus on how can we do better at providing capabilities to our customers. How do we do it faster and better through provisioning, because now it's taking less time to do the support side of it.

Gardner: It's really interesting to me that a big part of all this is the provisioning aspect going from fewer manual processes and multiple points of touch to more self-provisioning. How has that worked out? Have the people stepped up to the plate on that, and do they seem to want to take more initiative in terms of how applications are developed and deployed?

Smith: It's been very well received. We've been in production now roughly two-and-a-half months. Rather than delivering requests via business requests to add some compute capacity in an average of six months, we’re down to less than four days. I think we can get it down to less than 10 minutes by the time we hit the end of summer.

Well received

So, it's been well received. It's been a challenge to get people to think differently about their processes internal to IT that would allow us to do the automation, but it's been very well received.

Gardner: Just for the edification of our listeners, tell us a bit about McKesson. You’re not just a small mom-and-pop shop.

Smith: No, I think we’re Fortune 14 now, with more than $122 billion in revenue and more than 43,500 employees. We focus specifically on healthcare, how to ensure that whatever is needed by healthcare organizations is there when they need it.

That might be software systems that we write for providers. That could be claims processing that we do for providers. But, the biggest chunk of our business is supply chain, ensuring that the supplies, whether they be medical, surgical, or pharmaceutical, are in the hospital's and providers' hands as soon as they need them.

If a line of business needs to make an improvement in order to capture a need of a customer, with the old way of doing business, it would take me six months to get the computer on the floor. Then they could start their development. Now, you're down to less than a week and days. So they can start their development six months earlier, which really helps us be in a position to capture that new market faster. In turn, this also helps McKesson customers deliver critical healthcare solutions more rapidly to meet today's emerging healthcare needs and enable better health.

Gardner: And there are also some other factors in the market. There's even more talk now about cloud than last year, it's hard to believe, focusing on hybrid capabilities, where you can pick and choose how to deploy your apps. Then, there's the mobile factor. Is the compression of time something that you’re still feeling, perhaps more so now with mobile, or is that now a part of your applications’ speed initiatives?

Smith: It's not part of my speed initiatives right now, but we are recognizing that we have to build that next generation of application. Part of that is the mobility piece of it, because we have to separate the physical application, the software-as-a-service (SaaS) application from the display device that the customer is going to use. It might be an Android, an iPhone, or something else, a tablet.

So we're recognizing the fact that for the next generation of product, we really have to separate that mobile portion from it, because that display device could be almost anything.

Gardner: So there are more complexity factors always coming into the picture. Let's go back to this services orientation and standardization. What were some of the difficulties that you had? What were the hurdles in terms of trying to get standardized and creating that operating procedure that people could rally behind, self-provision, and automate? What's for those people that are just starting on this journey? What might they expect?

Smith: The first piece is just a change in culture. We believe we were customer-centric providers of services. What that really translated to was that we were customer-centric customized providers of services. So every request was a custom request. That resulted in slow delivery, but it also resulted in non-standardized solutions.

One of the most difficult things was getting the architects and engineers to think differently and to understand that standardization would actually be better for the customer. We could get it to them faster, more consistently, and more reliably, and on the back end, provide the support much more cheaply to get that mind shift.

But we were successful. I think everybody still likes to customize, but we haven't had to do that.

The right culture

Gardner: We’re here at HP Discover, and you’ve won an award. Congratulations, incidentally. How have the HP products and services come together to help you not only tackle these technical issues, but to foster the right culture?

Smith: When we talked last year, we had a lot of the support tools in place from HP -- operations orchestration, server automation, monitoring tools -- but we were using them to do support better. What we're able to do from the provisioning side is leverage that capability and leverage those existing tools.

All we had to do is purchase one additional tool which is a Cloud Service Automation (CSA) that sits on top of our existing tools. So it was a very minor investment, and we were able to leverage all the support tools to do the provisioning side of the business. It was very practical for us and relatively quick.

Gardner: Of course, a big emphasis here at HP Discover is HP Converged Cloud and talking about these different hybrid models. How has the automation provisioning services orientation, and standardization put you in a place to be able to avail yourselves of some of these hybrid models and the efficiencies and speed that come with that? How do they tie together -- what you’ve done with applications now and what you can perhaps do with cloud?

Smith: We’ll be the first to admit that providing the services internally is not necessarily always the best. We may not be the cheapest and we may not be the most capable. Getting better at how we do provisioning and how we do our own internal cloud frees up resources, and those resources now can start thinking about how we work with an external provider.

That's a lot of concern for us right now, because there is that risk factor. Do you put your intellectual property (IP) out there? Do you put your patients’ medical records out there? How do you protect it? And so there are a lot of business rules and contracting issues that we have to get through.

From a technology standpoint, we know we can do it. We’ve done it in the labs. We’ve provisioned out to third-party providers. It all works from a technology standpoint with the tools we have. Now we have to get through the business issues.

Gardner: It's interesting that you are seeing this relationship between applications and the transformation you've made to make your applications delivery more agile and the deployment opportunities you have with cloud and hybrid cloud models. HP has its fingers in both sides of that equation -- the apps and then also the cloud.

Is there a certain advantage that you see working with HP that will perhaps allow you to pull those together for your benefit?

Smith: I think so, because a lot of companies, HP included, are on the same journey. You’ve got some legacy that you have to keep. You’ve got some legacy that you need to improve on. But you also need to be ready to build that next-generation application.

On the same journey

It's fortunate, in some ways, that HP is on the same journey. We partner on a lot of these things. When we brought CSA in, it was one of the earlier releases, and now we’ve partnered with them through the Customer Advisory Boards (CABs) and other methods. They continue to enhance this to meet our needs, but also to meet their needs.

Gardner: With CSA, are you on the latest version of that?

Smith: We might be down one point release, we’re at 3 point something, so we are maybe one back. But we brought it in as 1.0, then 2.0, and now we’ve moved into 3, and it's continued to improve.

Gardner: Now that you've been on this journey from 2005, where do you see yourselves in a couple of years? How does this tie together? What are your new goals and requirements that you're setting for yourselves and are interested in achieving?

Smith: Because we’re in healthcare, very similar to banking, we've hit a point where we don't believe we can afford to be down anymore.

Instead of talking about three nines, four nines, or five nines, we're starting to talk about how we ensure the machines are never down, even for planned maintenance. That's taking a different kind of infrastructure, but that’s also taking a different kind of application that can tolerate machines being taken offline, but continue to run.

That's where our eye is, trying to figure out how to change the environment to be constantly on.

Gardner: To have those levels of performance, you can't just look at the infrastructure or the apps. It needs to be all of those things, and the apps from beginning to end, in terms of their lifecycle.

Smith: Exactly. If the application isn't smart enough to tolerate a piece of machine going down, then you have to redesign the application architecture. Our applications are going to have to scale out horizontally across the equipment as the peaks and valleys of the customer demands change through the day or through the week.

The current architecture doesn't scale horizontally. It scales up and down. So you end up with a really big box that’s not needed some times of the day. It would be better if we could spread the load out horizontally.

Gardner: So just to close out, we have to think about applications now in the context of where they are deployed, in a cloud spectrum or continuum of hybrid types of models. We also have to think about them being delivered out to a variety of different endpoints.

Different end points

What do you think you’ll need to be doing differently from an application-development, deployment, and standardization perspective in order to accomplish both that ability to deploy anywhere and be high performance, as well as also be out on a variety of different end points?

Smith: The reality is that part of our journey over the last several years has been to consolidate the environment, consolidate the data centers, and consolidate and virtualize the servers. That's been great from a customer cost standpoint and standardization standpoint.

But now, when you're starting to deliver that SaaS mobile kind of application, speed of response to the customer, the keystroke, the screen refresh, are really important. You can't do that from a central data center. You've got to be able to push some of the applications and data out to regional locations. We’re not going to build those regional locations. It's just not practical.

That's where we see bringing in these hybrid clouds. We’ll host the primary app, let's say, back in our corporate data center, but then the mobile piece, the customer experience piece, is going to have to be hosted in data centers that are scattered throughout the country and are physically much closer to where the customer is.

Gardner: Of course, that’s going to require a different level of performance monitoring and management.

Smith: Exactly, because then you really have to monitor the application, not just the server at the back end. You’ve got to be watching that performance to know whether you have a local ISP that’s come down, if you have got a local cloud that’s come down. You’re going to really have to be watching the endpoints so you can see that customer experience. So it is a different kind of application monitoring.

Gardner: Well, we look forward to speaking with you again, Andy, in a year or two to see how that’s progressing. But I am afraid we’ll have to leave it there for today. We’ve been learning about how McKesson accomplished a multi-year, pan-IT Management Transformation and we’ve seen how McKesson’s performance journey has enabled it to create an agile hybrid cloud model.

And so join me now please in thanking our guest, Andy Smith, Vice President of Applications Hosting Services at McKesson. Thank you, Andy.

Smith: Thank you, Dana.

Gardner: And I’d like to thank our audience too for joining us for this special HP Discover Performance Podcast coming to you from the HP Discover 2013 Conference in Las Vegas.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host for this ongoing series of HP sponsored discussions.

Thanks again for listening, and come back next time.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP

Transcript of a BriefingsDirect podcast on healthcare giant McKesson's continuing multi-year, pan-IT journey toward service management transformation. Copyright Interarbor Solutions, LLC, 2005-2013. All rights reserved.


Thursday, July 11, 2013

Defining the New State for Comprehensive Enterprise Security Using CSC Services and HP Security Technology

Transcript of a BriefingsDirect podcast on the growing menace of cybercrime and what companies need to do to protect their intellectual property and their business.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.

Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance Podcast Series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your moderator for this ongoing discussion of IT innovation and how it’s making an impact on people’s lives.

Once again, we're focusing on how IT leaders are improving security and reducing risks as they adapt to new and often harsh realities of doing business online. I am now joined by our co-host for this sponsored podcast series, Paul Muller, Chief Software Evangelist at HP Software. Welcome back, Paul. How are you?

Paul Muller: I'm great, Dana. Thanks for having me back. It's good to be back, and I'm looking forward to a great conversation.

Gardner: We do have a fascinating discussion today. We’re going to be learning how HP’s Strategic Partner and IT services and professional services global powerhouse CSC is helping its clients to better understand and adapt to the current cybersecurity landscape. Let's welcome our guests, Dean Weber, Chief Technology Officer, CSC Global Cybersecurity. Welcome, Dean.

Dean Weber: Hi, Dana. Happy to be here.

Gardner: Great to have you. And we’re also joined by Sam Visner, Vice President and General Manager, CSC Global Cybersecurity. Welcome.

Sam Visner: Thank you, and thanks for having us. We’re very grateful. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Gardner: This is obviously a hot topic. Now, we can sit here and gnash our teeth, and people can head to the hills, but I don't think that's going to do any good. Let's start with you, Dean. What is the scale of the threat here? Are we only just catching up in terms of the public perception of the reality? How different is the reality from the public perception?

Weber: The difference is night and day. The reality is that we are under attack, and have been for quite some time. We are, as Sam likes to put it, facing a weapons-grade threat.

Gardner: Is there something that people are missing in terms of understanding the threat, not just in the severity, but perhaps something else?

Visner: When I think about the threat, I think about several things happening at once. The first thing is that we’re asking IT, on which we depend, to do more. It's not just emails, collaboration, documents, and spreadsheets. It isn’t even just enterprise systems.

IT for manufacturing

It extends all the way down to the IT that we use for manufacturing, to control power plants, pipelines, airplanes, centrifuges, and medical devices. So, the first thing is that we’re asking IT to do more, and therefore there's more to defend. Secondly, the stakes are higher. It's not just up to us.

Government has said that the cybersecurity of the private sector is of public concern. If you're a regulated public utility for power, water, healthcare, finance, or transportation, your cybersecurity is an issue of public interest. So, this isn’t just the public cybersecurity, it's the cybersecurity of the private sector, which is in the public interest.

Third is the point that Dean made, and I want to elaborate on it. The threat is very different.

Today, intellectual property, whether or not it's possessed by the public sector or the private sector, if it's valuable, if it's worth something, it's worth something to a bad guy who wants to steal it. And if you have critical infrastructure that you’re trying to manage, a bad guy may want to disrupt it, because their government may want to be able to exercise power.

And the threats are different. The threats are not just technically sophisticated. That's something a hacker, a teenager, can do. In addition to being technically sophisticated, they’re operationally sophisticated.

That means this is foreign governments, or in some cases, foreign intelligence services that have the resources and the patience to study a target, a company, or a government agency over a long period of time, use social networking to figure out who has administrative privileges inside of that organization, and use that social networking to identify people whom they may want to subvert and who may help them in introducing malware.

Then, once they have decided what information they want, who safeguards it, they use their technical sophistication to follow up on it to exploit their operational knowledge. This is what differentiates a group of hackers, who may be technically very bright, from an actual nation-state government that has the resources, the discipline, the time, and the patience to stick with the target and to exploit it over a long, long period of time.

So, when we use the term "weapons grade," what we mean is a cyber threat that's hard to detect, that's been wielded by a foreign government, a foreign armed force, or a foreign intelligence service -- the way a foreign government wields a weapon. That's what we’re really facing today in the way of cybersecurity threats.

Muller: You asked if the headlines are simply reflecting what has always been going on, and I think the answer is, yes. Definitely, there is an increased willingness of organizations to share the fact that they have been breached and to share what some of those vulnerabilities have been.

That's actually a healthy thing for society as a whole, rather than pretending that nothing is going on. Reporting the broken window is good for everybody. But, the reality is the sophistication and the scale of attacks, as we have just heard, have gone up and have gone up quite measurably.

Cost of cybercrime

Every year we conduct a Cost of Cyber Crime Study with the Ponemon Institute. If we look just at the numbers between 2010 and 2012, from the most recent study in October, the cost impact of cyber crime has gone up 50 percent over that period of time. The number of successful attacks has gone up by two times. And the time to resolve an attack has almost doubled as well. So it has become more expensive, greater scale, and it's becoming more difficult to solve.

Gardner: What strikes me as being quite different from the past, too, is when businesses encountered risks, even collective risks, they often had a law enforcement or other regulatory agency that would come to their rescue.

But, in reading the most recent The New Yorker, the May 20 issue, in an article titled Network Insecurity by John Seabrook, Richard McFeely, the Executive Assistant Director of the F.B.I., says quite straightforwardly, "We simply don't have the resources to monitor the mammoth quantity of intrusions that are going on out there."

So, enterprises, corporations, governments even can't really wait for the cavalry to come riding in. We’re sort of left to our own devices, or have I got that a little off-base, Dean?

Weber: The government can provide support in talking about threats and providing information about best practices, but overall, the private sector has a responsibility to manage its own infrastructures. The private sector may have to manage those infrastructures consistent with the public interest. That's what regulation means.

But the government is not going to provide cybersecurity for power companies’ power grid or for pharmaceutical companies’ research program. It can insist that there be good cybersecurity, but those organizations have always had to manage their own infrastructures.

Today, however, the threat to those infrastructures and the stakes of losing control of those infrastructures are much higher than they have ever been. That's what's amplified now.

There is also a tradeoff that can be done there in terms of how the government shares its threat intelligence. Today, threat intelligence shared at the highest levels generally requires a very, very high level of security, and that puts it out of reach of some organizations to be able to effectively utilize, even if they were so desirous.

So as we migrate ourselves into dealing with this enhanced threat environment, we need to also deal with the issues of enhancing the threat intelligence that we use as the basis of decision.

Gardner: Well, we've defined the fact that the means are there and that the incidences are increasing in scale, complexity, and severity. There is profit motive, the state secrets, and intellectual-property motives. Given all of that, what's wrong with the old methods?

Current threat

Weber: Against the current state-of-the-art threat, our ability to detect them, as they are coming in or while they are in, has almost diminished to the point of non-existence. If we're catching them at all, we're catching them on the way out.

We've got to change the paradigm here. We've got to get better at threat intelligence. We've got to get better at event correlation. We've got to get better at the business of cybersecurity. And it has to be a public-private partnership that actually gets us there, because the public has an interest in the private infrastructure to operate its countries. That’s not just US; that’s global.

Visner: Let me add a point to that that’s germane to the relationship between CSC and HP Software. It's no longer an issue of finding a magic bullet. If I could just keep my antivirus up to fully updated, I would have the best signatures and I would be protected from the threat. Or if my firewall were adequately updated, I will be well protected.

Today, the threat is changing and the IT environment that we're trying to protect is changing. The threat, in many cases, doesn’t have a known signature and is being crafted by nation-states not to have it. Organizations ought to think twice about trying to do these themselves.

Our approach is to use a managed cybersecurity service that uses an infrastructure, a set of security operation centers, and an architecture of tools. That’s the approach we're using. What we're doing with HP Software is using some key pieces of HP Software technology to act as the glue that assembles the cybersecurity information management architecture that we use to manage the cybersecurity for Global 1000 companies and for key government agencies.

Our security operations centers have a set of tools, some of which we've developed, and some of which we've sourced from partners, bound together with HP’s ArcSight Security Information and Event Management System. This allows us to add new tools, as we need to retire old tools, when they are no longer useful.

They do a better job of threat correlation and analysis, so that we can help organizations manage that cybersecurity in a dynamic environment, rather than leave them to the game of playing Whac-A-Mole. I've got a new threat. Let me add a new tool. Oh, I've got another new threat. Let me add another new tool. That's opposed to managing the total environment with total visibility.

So that managed cybersecurity approach is the approach that we're using, and the role of HP Software here is to provide a key technology that is the sort of binder, that is the backbone for much of that architecture that allows us to manage organically, as opposed to a piece at a time.

Customers, who try to manage a piece at a time, invariably get into trouble, because they can't do it. They're always playing catch up with the latest threat and they are always at least one or two steps behind that threat by trying to figure out what is the latest band-aid to stick over the wound.

Increased sophistication

Muller: Sam makes a great point here, Dana. The sophistication of the adversary has risen, especially if you're in that awkward position -- you're big enough to be interesting to an attacker, especially when it’s motivated by money, but you are not large enough to have access to up-to-date threat information from some of the intelligence agencies of your national government.

You're not large enough to be able to afford the sort of sophisticated resources who are able to dedicate the time taken to build and maintain honey pots to understand and hang out in all of the deep dark corners of the internet that nobody wants to go to.

Those sorts of things are the types of behaviors you need to exhibit to stay ahead, or at least to not get behind, of that threat landscape. By working with an organization that has that sort of capacity, by opting for a managed service, you're able to tap into a skill set that’s deeper and broader and that often has an international or global outlook, which is particularly important. When the threat is distributed around the planet, your ability to respond to that needs to be distributed likewise.

Gardner: So I'm hearing two things. One that this is a team sport. I'm also hearing that this is a function of better analytics -- of really knowing your systems, knowing your organization, monitoring in real time, and then being able to exploit that. Maybe we could drill down on those. This new end-state of a managed holistic security approach, let's talk about it being a team sport and a function of better analytics. Sam?

Visner: There's no question about it. It is a team sport. Fortunately, in the United States and in a few other countries, people recognize that it's a team sport. More and more, the government has said that the cybersecurity of the private sector is an issue of public interest, either to regulation, standards regulation, or policy.

More and more in the private sector, people have realized that they need threat information from the government, but they are also accruing threat information they need to share with the government and proliferate around their industries.

That has happened, and you can see coming out of the original Comprehensive National Cybersecurity Initiative of 2006-2007, all the way to the current recent executive order from the President of the United States, that this is a team sport. There is no question about that.

At the same time, a lot of companies are now developing tools that have APIs, programming interfaces that allow them to work together. Tools like ArcSight provide an environment that allows you to integrate a lot of different tools.

What's really changing is that global companies like CSC have become a global cybersecurity provider based on the idea that we will do this as a partner. We're not going to just sell a tool to a customer. We're going to be their partner to manage this environment.

More and more, they have the discussion underway about improved information sharing from the government to the private sector, based on intelligence information that might be provided to the private sector, and the private sector being provided with more protected means to share information relating to incidents, events, and investigations with the public sector.

Team sport

At the same time, enterprises themselves know that this has to be a team sport within an enterprise. It used to be that the email system was discrete, or your SAP system was discrete, inside of an enterprise. That might have been 10 years ago. But today, these things are part of a common enterprise and tomorrow they're going to be part of a common enterprise, where these things are provided as a service.

And the day after that, they'll be provided as a common enterprise with these things as a service on a common infrastructure that we call a cloud. And the day after that, that cloud will extend all the way down to the manufacturing systems on the shop floor, or the SCADA systems that control a railway, a pipeline, or the industrial control systems that control a medical device or an elevator, all the way out to 3D manufacturing.

The entire enterprise has to work together. The enterprise has to work together with its cybersecurity partner. The cybersecurity partner and the enterprise have to work together with the public sector and with regulatory and policy authorities. Governments increasingly have to work together to build a secured international ecosystem, because there are bad actors out there who don’t regard the theft of intellectual property as cyber crime.

Now fortunately, people get this increasingly and we're working together. That’s why we're finding partners who do the managed cybersecurity, and finding partners who can provide key pieces of technology. CSC and HP are an example of two companies working together in differentiated roles, but for a common and desirable outcome.

Three-step process

Weber: So let me think about how we chop this up, Dana. It’s a three-step process. The first is see, understand, and act -- at the risk of trivializing the complexity of approaching the problem. Seeing, as Sam has already pointed out, is to just try to get visibility of intent to attack, attacks in progress, or worst case, attacks that have taken place, attacks in progress, and finally, how we manage the exfiltration process.

Understanding is all about trying to unpack the difference between "bragging rights attacks," what I call high-intensity but low-grade attacks in terms of cyber threat. This is stuff that’s being done to deface the corporate website. Don’t get me wrong, it’s important, but in this scheme of things, it’s a distraction from some of the other activities that are taking place. Also understanding is in terms of shifting or changing your compliance posture for some sort of further action.

Then, the last part is acting. It’s not good enough simply to understand what’s going on, but it’s shutting down attacks in progress. It’s being able to take proactive steps to address breaches that may exist and particularly to address breaches in the underlying software.

We have always been worried about protecting the perimeter of our organization through the technologies, but continue to ignore one of the great issues out there, which is that software itself, in many cases, is inherently insecure. People are not scanning for, identifying, and addressing those issues in source code and binary vulnerability.

Gardner: Well, it certainly sounds to me as if we're going after this new posture with added urgency because of cybersecurity, but it dovetails with a lot of what companies should have been doing for a lot of reasons. That is to get to know yourself better, know your systems better, putting in diagnostics and monitoring capabilities, and elevating those to a more centralized approach for management and reporting.

Cybersecurity is a catalyst, but these are going to make companies more healthy. These are investments that will pay back dividends in many ways, in addition to helping you mitigate risk. Any thought about why this is just good business, not just good cyber-security prevention? Sam.

Visner: Security is a journey. Paul was saying that organizations have to stay up with it. They can’t just rest on their laurels regarding their defenses. They have to continually evolve with the threat and to do that means that, as we get better at one level of security, another level of security becomes the low hanging fruit. As we get better at infrastructure security, application security becomes more of an issue.

And organizations aren’t doing the appropriate level of source code and binary scanning. They aren’t doing the ad hoc or interval scanning that is necessary to make sure that their applications not only were developed correctly, but they were also deployed correctly, and remain correctly deployed throughout their lifecycle.

Again, this is where integration of the technologies that are available to us today and that has never been done before is important for organizations to consume. With that being said, this is a huge undertaking, to be able to include your application code scanning in with your security event and information management is a difficult prospect. But it's one that CSC and HP have collectively decided to take up.

Muller: Having terrified everybody, shall we talk about next steps?

Gardner: We're coming up a bit on the end of our time. Before we sign out, I'd like to try to do just that. What are some of the two or three major pillars that organizations should start to inculcate as a culture, as a priority, given how pervasive these issues are, how existential they are, for so many companies and organizations? What do you have to do in terms of thinking differently in order to start really positioning yourself to be proactive and aggressive in this regard? Let's go down our list of speakers. Let's start with you, Sam.

Visner: The first thing is that you’ve got to make an adequate assessment of the kind of organization you are. The role information and information technology plays in your organization, what we use the information for, and what information is most valuable. Or conversely, what would cause you the greatest difficulty, if you were to either lose control of that information or confidence in its integrity.

That has to be done not just for one piece of an enterprise, but for all pieces of the enterprise. By the way, there is a tremendous benefit, because you can re-visualize your enterprise. You can sort of business-process reengineer your enterprise, if you know on what information you rely, what information is most valuable, what information, if it were to be damaged, would cause you the most difficulty.

That’s the first thing I would do. The second thing is, since as-a-service is the way organizations buy things today and the way organizations provide things today, consider taking a look at cybersecurity as a service.

Rather than trying to manage it yourself, get a confident managed cyber-security services provider, which is our business at CSC, to do this work and be sure that they are equipped with the right tools and technologies, such as ArcSight Security Information and Event Management and other key technologies that we are sourcing from HP Software.

Third, if you're not willing to have somebody else manage it for you, get a managed cybersecurity services provider to build up your own internal cybersecurity management capabilities, so that you are your own managed cybersecurity services provider.

Next, be sure you understand, if you are part of critical infrastructure -- and there are some 23 critical infrastructure sectors -- what it is that you are required to do, what standards the government believes are pertinent to your business.

What information you should have shared with you, what information you are obligated to share, what regulations are relevant to your business, and be sure you understand that those are things that you want to do.

Strategic investment

Next, rather than trying to play Whac-A-Mole, having made these decisions, determine that you're going to make a strategic investment and not think of security as being added on and what's the least you need to do, but realize that cybersecurity is as organic to your value proposition as R&D is. It's as organic to your value proposition as electricity is. It's as organic to your value proposition as the good people who do the work. It's not what's the least you need to do, but what are the things that contribute value.

Cybersecurity doesn’t just protect value, but in many cases, it can be a discriminator that enhances the value of your business, particularly if your business either relies on information, or information is your principal product, as it is today for many businesses in a knowledge economy. Those are things that you can do.

Lastly, you can get comfortable with the fact that this is a septic environment. There will always be risks. There will always be malware. Your job is not to eliminate it. Your job is to function confidently in the midst of it. You can, in fact, get to the point, both intellectually and emotionally, where that’s a possibility.

The fact that you can have an accident doesn’t deter us from driving. The fact that you can have a cold doesn’t deter us from going out to dinner or sending our kids to school.

What it does is make sure that we're vaccinated, that we drive well, that we are competent in our dealings with the rest of the society, and that we're prudent, but not frightened. Acting as if we are prudent, but not frightened, is a step we need to take.

Our brand name is CSC Global Cybersecurity. The term we use is Cyber Confidence. We're not going to make you threat proof, but we will make you competent and confident enough to be able to operate in the presence of these threats, because they are the new norms. Those are the things you can do.

Gardner: Dean, quickly, a number of things from your perspective that are top-of-line thoughts, perceptions, and ideas that people should consider as they move to this new posture?

Weber: In addition to what Sam talked about, I'm a huge fan of data classification. Knowing what to protect gives you the opportunity to decide how much protection is necessary by whatever data classification that is.

Whether that’s a risk management framework like FISMA, or it’s a risk management framework like the IL Series Controls of the UK Government or similar in Australia, these are risk management frameworks. They are deterministic about the appropriate level of security. Is this public information, in which case all you have to do is worry about whether it’s damaged and how to recover if and when it is? Or is this critical? Is this injurious to life, limb, or the pursuit of profits? And if it is, then you need to apply all the protections that you can to it.

And last but not least, again, as I pointed out earlier, our ability to detect every intrusion is almost nil today. The state of the threat is so far advanced. Basically, they can get in when they want to, where they want to.

They can be in for a very long period of time without detection. I would encourage organizations to beef up their perimeter controls for egress filtering and enclaving, so that they have the ability to manage the data that is being actually traded out of their networks.

Cultural shift

Gardner: Paul Muller, last word to you. Top-of-the-line thoughts, cultural shift: what is the new rethinking that needs to take place to get to this new posture?

Muller: There has been so much great content today that summarizing the action is going to be challenging. Sam made a point. It’s important to be alert, but not alarmed. Do not let security send you into a sense of panic and inaction. Don’t hire an organization to help you write security policy that then just sits on the shelf. A policy is not going to give you security. It’s certainly not going to stop any of the bad guys from exfiltrating any of that information that you have.

I'll say a couple of things. First, it’s not like buying an alarm and locks for your organization. Before, physical security was kind of a process you went through, where you started, it had a start and middle and an end. This is an ongoing process of continually identifying incoming threats and activities from an adversary that is monetized and has a lot to gain from their success.

It’s an ongoing process. As a result, as we said earlier today, security is a team sport. Find a friend who does it really well and is prepared to invest in an ongoing manner to make sure that they're able to stay here.

I'd concur with Dean's point as well. Ultimately, it's about the exfiltrating of your data. Put in place processes that help you understand the information that is leaving your organization and take steps to mitigate that as quickly as possible. Those are my highest priorities.

I'd also add that if you're having trouble identifying some of the benefits for your organization, and even having trouble trying to get a threat assessment prioritized in your organization, have a look at the Cost of Cyber Crime Study that we've conducted across the globe: United Kingdom, Germany, Australia, Japan, and of course the US. It was the third in the series; now we do it annually. You can get to hpenterprisesecurity.com and get a copy of that report and hopefully shift a few of the maybe more intransigent people in your organization to action.

Gardner: Well, I'm afraid we will have to leave it there. We've been learning how HP’s Strategic Partner and IT Services and Professional Services global powerhouse CSC is helping its clients to better understand and adapt to the current cybersecurity landscape.

I'd like to thank our supporter for this series, HP Software, and remind our audience to carry on the dialogue with Paul Muller and others through their blog, tweets, and their Discover Performance Group on LinkedIn, and I'd also like to thank our co-host Paul Muller.

Muller: Always a pleasure.

Gardner: And also huge thanks to our special guests, Dean Weber, the Chief Technology Officer for CSC Global Cybersecurity. Thank you, Dean.

Weber: Thank you.

Gardner: And also Sam Visner, the Vice President and General Manager there at CSC Global Cybersecurity. Thanks so much, sir.

Visner: Thank you, it's been a pleasure.

Gardner: And a last thank you to our audience for joining this special HP Discover Performance Podcast. You can learn more about the best of IT Performance Management at www.hp.com/go/discoverperformance and you can always access this and other episodes of our HP Discover Performance Series on iTunes under BriefingsDirect.

This is Dana Gardner, Principal Analyst at Interarbor Solutions, your co-host and moderator for this ongoing discussion of IT innovation and how it's making an impact on people's lives. Thanks again for listening and come back next time.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.

Transcript of a BriefingsDirect podcast on the growing menace of cybercrime and what companies need to do to protect their intellectual property and their business. Copyright Interarbor Solutions, LLC, 2005-2013. All rights reserved.
