HP execs debate reality of hacker expertise; lament most businesses don't understand


Summary: Hewlett-Packard execs argue that the problem with the security culture today is that many businesses are still following a "check box" approach without understanding hackers' resources and capabilities.


But Gilliland lamented that if you add up all the market spending on security, most of it is spent on blocking -- and we forget that there are several other stages we need to defend.

"We're still doing check-box security," Gilliland quipped.

Joni Kahn, vice president of services and support for HP's ArcSight unit, said that the "technology is there" but there is an "IT issue" in applying security solutions effectively.

"It's amazing to see that they have not done the fundamentals yet required for basic perimeter security," Kahn commented.

Explaining that the ArcSight unit spends a lot of time "around the people process" in enabling customers to deploy its products, Kahn reflected that a lot of companies have compliance priorities when buying this technology.

But at the end of the day, she continued, it's about getting them to understand how to best leverage it.


Gilliland also noted that another problem is that many companies don't have the expertise (or the money to hire the brainpower), and the question of increasing awareness among software developers was raised as well.

Software developers were described as often hard-pressed to churn out work quickly, which makes security a second thought even when the basic tasks they perform are actually opening up a network to potential threats.

Describing himself as a longtime security professional and former developer, Jacob West, chief technology officer of HP's Fortify unit for enterprise security software, acknowledged that it's difficult to find a balance.


He posited that we need to enable developers to know that they are making decisions every time they make queries.

West said his department has seen an increasing number of businesses with large investments in security tying developer bonuses to adequate performance with regard to security.

While forecasting that more schemes like this are starting to emerge, West admitted this culture shift is happening slowly.

Topics: Security, Hewlett-Packard, IT Priorities, Privacy

  • HP can't even make good printers anymore, and that's what made its company

    great to begin with - solid, reliable printers - because only toddlers and salad dressing makers use the word "robust" to describe things...

    If HP can't even do its core business right, why should I care about any of its peripheral ventures?

    And having used and supported HP's printers since the days of the LJ 4050, I've been around the block. The greed game of integrating the drum kit into the toner cartridge was bad enough...
    • And, yes,

      HP's integrating the drum kit into the toner cart started long before the 4050 came out... keeping them separate wastes less toner, especially if the drum develops a fault or scratch...
  • HP execs debate reality of hacker expertise; lament most businesses ...

    As long as the monetary incentive is part of the equation, and as long as crime pays, cracking is here to stay. And as for hackers, as long as human beings remain inquisitive, hacking will always be part of human nature to better himself and to help push the frontier of technology and of civilization ...
  • HP is in no position to say others do not understand anything at the moment

    Over the past 8 years HP has been in a downward spiral. Let's touch on a few points, shall we?
    1) HP-UX. They killed it. With HP-UX v3 they were supposed to take some nice features of Tru64 and merge it in to build a better offering. Instead, they started pushing folks to Veritas add-on and stagnating their product offering. Really, who didn't see this coming? I did and I went as far as making the statements at a customer advisory meeting directly to them. They could have kept the Tru64 kernel and kept the HP-UX libraries for the win.
    2) Itanium, aka the Itanic. The hopes and dreams of compile time optimization and developers changing their ways was a big mistake. Combine this major error with HP-UX and they pushed their customers to Linux on x86 like crazy. They could have ported softbench to Linux to allow their customers to move more easily...and kept the customers using their product.
    3) CEO rotations. Carly was far from great, but far from the worst since the rotations began. Tragic.
    4) Autonomy, WebOS, Palm, ...etc. Lots of money blown, and customers confused with HP's direction.
    5) On the X86 line setting up "Dynamic Power Saving" mode as the DEFAULT, as opposed to O/S controlled. Many people have been bitten by extremely cruddy response and the approach masks what is happening within the O/S (Linux and Windows), so unless you know what HP decided, then you'll spend some time trying to figure out what is happening. Whoever at HP decided this was a wise default should be canned.
    6) HP is in the top 10 of the most hated companies in the US. Check out marketwatch.

    I used to love HP's systems, fairly well performing and reliable. Then the leaders in engineering were driven out and replaced with followers. The product line has suffered. We have had IBM, Dell, and HP in our environment. Oddly enough we are considering removing HP from the lineup as we're seeing a steady erosion in quality. This makes me sad. Hopefully their ship can be righted. Fortify does not seem like a bad product, but it will not bail them out as a company. They should try to avoid further alienating customers or potential customers.

    Good luck HP.
  • For us a slow day

    Over here it is a slow day, so after reading this article I read this: About Rachel King
    Rachel King is a staff writer for ZDNet based in San Francisco. My question, is Rachel based in SF, or ZDNet based in SF? Maybe both perhaps, yet the sentence implies ZDNet is not Rachel.

    You were warned today is a slow day.