On this special episode of the Futurum Tech Webcast – Interview Series, part of the HPE Executive Insights Series, I am joined by Daniel Frye, Vice President, Enterprise CISO for HPE. In this conversation we dive into what exactly an edge-to-cloud security strategy is and why it’s crucial in today’s marketplace.
In our conversation, we discussed the following:
- The security implications of edge-to-cloud
- How cybersecurity pros can proactively address the challenges they are facing
- Why organizations need a Security Shared Responsibility Model
- A look at Zero Trust security strategies
- HPE’s priority for the future
Security has never been more important than it is today and this is one conversation you don’t want to miss. If you want to learn more about HPE and edge-to-cloud, download a copy of our latest research brief Why Edge-to-Cloud Platform? Why HPE?.
Disclaimer: The Futurum Tech Webcast is for information and entertainment purposes only. Over the course of this webcast, we may talk about companies that are publicly traded and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors and we do not ask that you treat us as such.
Daniel Newman: Hey everyone. Welcome back to another episode of the Futurum Tech podcast. I’m your host, Daniel Newman, principal analyst, founding partner at Futurum Research. Excited for this interview series. I’ve got Daniel Frye with HPE joining me. We’re going to be talking about Edge to cloud security today. It’s going to be a great conversation. Daniel, without further ado, why don’t you come on and join me here. How are you today?
Daniel Frye: I’m great. Thanks for having me.
Daniel Newman: Yeah, it’s good to have you there. First and foremost, to you it’s first time on the show so give everyone a quick intro. Tell them about the work you’re doing at HPE.
Daniel Frye: Yeah, so I am the enterprise CISO. And really it’s as simple as my org’s responsibility is all of the backend operations that make HPE work. My organization’s responsible for securing it and watching after it for the business. And that’s as simple as it is. I’ve got the full complete strategy to the detection and monitoring. I’ve got one of my operations centers sitting right next to me right here.
Daniel Newman: Yeah, that’s a pretty big job though. So just to be clear, you’re doing it for HPE. So you’re doing the actual security for the company. Which important bifurcation or demarcation, I guess is probably the right word, between those because there’s a bunch of people in your org that sell this and help other organizations deal with their security strategy? You’re actually in that practicing group that’s dealing with everyday making sure that the HPE data ecosystem is secure, protected at the enterprise level.
Daniel Frye: Yeah, I’m here to look after the HPE’s business as well as the customers that we’re dealing with and our partners, just to make sure that we keep the bad guys out.
Daniel Newman: Big job protecting some pretty important sets of data given the customer list and partner list that HPE works with every day. So over the last few years, I follow very closely Antonio Neri’s strategy, moving everything to a service or XAAS as we like to call it. We’ve also seen the rise of kind of the edge to cloud story and narrative. Talk a little bit about that. Talk about just kind of like how you as a practitioner, as someone that actually leads and manages the security of such a huge enterprise thinks about edge to cloud and why this has become such a popular way of describing the ecosystem.
Daniel Frye: Yeah. Well, edge to cloud for me as a security practitioner is a big transformation for not only how HPE does business, but what we’re putting out there to our customers. And it really is moving away from the old model of you’ve got this centralized data center that you can all live around. And if you create a nice little hard shell around that, you’re good to go. In this world not so much, your compute, your storage is outside your perimeter. It is on that edge and in many cases is globally distributed. And so from a security perspective, that’s a big difference in how we tackle that challenge.
Daniel Newman: Yeah, it’s a huge challenge. And when you think edge to cloud, the one thing I think everybody that’s in tech and most people that are just in the world these days using their phones and devices realizes the volume and the veracity, the intensity of data creation is exponential. Literally, every day you wake up and there are mountains of additional data that are being created, that have to be managed, that have to be stored, that have to be utilized and accessed. And I think a lot of people when they’re thinking about it, think about it through the experience layer of the utilization of apps or how we can put this to work. But there’s a whole another world that thinks about it in terms of, well, with all this additional data we got to secure it. We got to figure out how do we make sure this data is all secured. So talk a little bit about the implications of this sort of edge to cloud world that we live in.
Daniel Frye: Well, you’re right. And the amount of data in that we’re dealing with… The old world of the data center, you are confined in that one little spot. But in the new world, this hybrid world, you’ve got countless providers and cloud solutions out there that just grow your data exponentially as you said. And so really what that does from a security perspective is your attack surface goes from this small perimeter data center to global attack surface. And with that attack surface there’s our challenge, because our visibility is the biggest problem in that standpoint because it is distributed. It’s constantly new data exploding everywhere so that attack surface and our visibility at that attack surface is a big challenge. But it also enables the businesses to do more and to create more and to innovate more. And so as they do that and they’re able to innovate and create new things and new product and new data out there, chasing that has become a lot harder as well. And that gives us another big challenge of us in working with the business.
Daniel Newman: Yeah, so for someone like yourself though that’s in the role, like I said, you lead but you’re in the practice all this is happening, this growing threat surface has a lot of security people on their heels. From talking to many enterprises and of course reading endless and countless reports in this space, it seems like you’re always playing catch up. Meaning that it’s one of these worlds where the bad guy is always a little bit ahead because there’s so much surface, there’s so much data that there’s these best practices. And of course these are kind of the foundational starting points that you and all your peers put to use when they deploy. But then there’s got to be some proactivity here. There has to be like a hey, we are starting to better understand and assess is it AI, is it automation, is it data driven? Talk a little bit about as through your lens to the cyber professional audience, how do they proactively get ahead of this or even just stay on top of it not fall behind?
Daniel Frye: Well, you said it, the proactive is the key there. And for me a lot of that is engagement with the business. And it’s the importance of that partnership with our business and making sure that understanding where they’re going, so that we can go with them and not follow them. Because if we can enable the business to innovate securely, that gives them a competitive advantage over other providers that their security is constantly chasing the ball. If we are partnering with our business and helping them create secure product from the get go, and able to keep our eyes on it and understand, make sure that we don’t lose that visibility of where they’re going then we can be proactive. And we can plan ahead and make sure that my operations expands and brings in new technology and new ways of doing things at the same rate that they are.
Daniel Newman: Yeah, it’s interesting. And another thing that by the way, Daniel, that I’ve talked about for a while is security is not a one person job, meaning a CSO or enterprise or even a small team. We know over the course of the pandemic, I think this brought a lot of attention to it, but as we saw companies move from VPN to SD-WAN and they were trying to deploy these remote workforces, there was a lot of vulnerabilities opened up because network configurations were changing so rapidly. And I almost liken it to the supply chain. We all saw what happened when one little part of the supply chain starts to break down, every part of the ecosystem suffered. And in security it’s a little bit the same. It can be, I joke about the person that puts the sticky note on their keyboard and then goes to Starbucks and gets visually hacked. And ends up opening up a major corporate hole because of just really a bad or irresponsible moment.
And you I believe talk about what’s called a shared or security shared responsibility model. Talk about that because to me it feels like that is such a big opportunity and a missed opportunity that companies don’t do more, to make sure they don’t let silly and simple things become their downfall of their security strategy.
Daniel Frye: Yeah. And I think if you look at the cloud security world, you have a lot of people putting out metrics and things around the most common avenue for malicious actors or for security failures, if you will, is a misconfiguration. And it’s simply somebody not knowing what the right thing to do is. And so that’s where education is a very powerful tool in this. And it’s both education to our business and teaching them the secure way of doing things. But in that shared responsibility model, it’s really important for us to be as open and honest and collaborative with our customers that say, look, we are going to take our security measures this far and this is where we expect you to be able to pick up.
And if we get that out there with them up front and center and there’s no misunderstanding in that, then the thought of or getting into, oh, I thought you were doing that, goes away. And that they know what they need to do and they know what we are doing to protect them. And that’s really what the shared responsibility model is. It’s just an understanding of what we are going to do and where we expect things to kind of pick things up.
Daniel Newman: Yeah, and it’s so frequent though that… And I use that supply chain metaphor because a company like yours has partners, you have agencies, you have subcontractors, you have a massive ecosystem that you give varying degrees of access to your network or to your resources and assets, that create vulnerabilities that even if you’ve got a great practice within the HPE org… And of course you probably do audits and you make people fill out forms to tell you what they do and you try your best to inspect it. But like I said, it tends to be the fringes, the little weird activities, the little misses that you can have all the right policies and then someone just does something sort of silly that ends up creating a vulnerability. And we’ve seen it, I think Capital One was kind of a circumstance of that. And some of what happened at Target, the big hack that they had was something that was probably pretty simple to have prevented and it just got missed and it created this huge issue in the long term.
Another thing that has been really popular, I like the word MAC Architecture, is zero trust. And obviously there’s kind of a definition of it in terms of basically assuming everybody has no idea of what they’re doing. I’m being a little facetious. But that everybody’s vulnerable and by thinking that everybody’s at huge risk you prevent anything from happening because it’s over rotation to the model of trusting your team to, I don’t trust you at all and we’re going to make sure everything you do is really process driven. What are your kind of thoughts on that? Where do we land? Is it too much or is Zero Trust the answer.
Daniel Frye: Yeah, Zero Trust that’s a fun one to talk about. I think from a security professional perspective, the idea of hey, trust no one is intriguing. But to me, Zero Trust is it’s not a product. It’s not something you go install and you’re good to go really. The way we approach it really is it’s a framework, it’s a mindset, it’s a guidance that we take to how we build our security architecture. So when we go to build our security architecture for how we want to protect HPE, if you bring that zero trust mindset, meaning basically that you don’t trust anything implicitly. Nothing gets inherited as we go through. And really that’s a mindset that we take to how we coordinate and how we bring our architecture together. And it’s less about go install this product and more about just a way to go about things. And that’s how we approach it.
I think I get to ask that question… I do a lot of customer meetups and I feel like every customer asks me, what do you think or what are you doing for Zero Trust? And by the end of the conversation everybody’s like yeah, that’s kind of the same way we go about it because I think some people may think it is, there’s this silver bullet product you can install out there and you’re good to go but it’s just not there.
Daniel Newman: Yeah, I zero trust your advice. Just kidding. All right, so the bottom line is I think you and I sort of seem to agree on the MAC architecture. There is a real underpinning to Zero Trust that stands for being extraordinarily cautious and thoughtful about access. And making sure your tools do not basically… You start to mitigate the human likelihood of creating those errors that we’ve talked about throughout this pod. But at the same time, you do have to give access. There are those requirements in order for the business to function. And you got to figure out where’s the balance between making things functional and not bringing experiences to their knees in order to deliver on the security side. That’s like the friction point like in order to be secure, does the experience have to stink?
And for a long time it’s kind of been like those two things have been frictionous to one another. Yeah, so if you want to be safe the user’s going to be sorry. But the long term it’s gotten so much better. So I guess beyond this kind of edge to cloud and zero trust, what are some of the other things on your mind in the security and space that you’re focused on?
Daniel Frye: Yeah, beyond the challenge of securing the corporation which is a tremendous challenge, really probably the biggest thing is talent, people resources. And I’m sure everybody’s heard the lack of security resources that seem to be out there. And you hear that all the time. There’s just not enough people with security skills for what the need is out there. And believe me, there is a tremendous need for resources because like I said, the attack surface is growing and so you’ve got to have the people to counter that. But really from our shop, from an HPE perspective, we see it less about skill sets in trying to hire somebody with this master’s degree in computer science and 1000 different security certifications. That’s not really what we go after really. What we are trying to change things into it’s about growing the talent versus finding the talent and bringing it in.
And so we put a lot of effort into our talent pipeline into try to grow that talent. And we have some programs that Bobby’s put out there and that we’ve put out there to try to cultivate that. And one of them is, we call it our career reboot program. And really what that is focused on is it’s an opportunity program, for lack of a better word. And really what it does is we look for people that don’t have 1000 security certifications. In fact, if you have that you know wouldn’t fit that program. It’s the person that was a chef and they lost their business over COVID and they’re looking to kind of do things differently. And so really it’s we’re looking for the mindset. We’re looking for people with the desire and then if you just give them an opportunity, we grow it from there.
And so the career reboot is really focused on giving people opportunities that may not have had the 7,000 security certifications to get through the front door. We’re giving them an opportunity to come on, learn what we do, contribute. And worst case scenario, they’ve learned some really cool skills and they can take that and… Or they can say, look, the security thing is not for me and go a different route. So it’s opportunity and growing talent for me. And that’s sort of how we are attacking it here.
Daniel Newman: Yeah, I think the career development, the up skilling, the corporate employment advancement, is going to continue to be a big thing. We saw a few of the big OEMs over the years really start these programs and certs. And I think that’s aged a little bit because those certs need to constantly be rebooted. But the idea of kind of that quick reboot to be able to learn a new skill, get into a new field, stay on top of your knowledge and continue to advance, it’s going to be critical. I think the whole construct of higher ed is changing. I think people that are going into things like computer science, like security, it is more hands on. And I mean sure, you can go to college and get a degree in computer science. But I think a lot of the best coders on the planet, that’s not actually the route they took.
Same thing with security, you kind of learn it by doing it. And that’s one of those things. And again, because it’s a constant change, new hardware, new software, new technology, new data, new firmware, middleware, new slick and architectures, all the things that these folks need to understand. And so I like what you’re doing. I love anything that’s kind of agile that way. So kudos to that. And by the way, when you mentioned Bobby, for everyone out there is talking about Bobby Ford, I think he’s the CSO. That’s right, the CSO for HPE.
Daniel Frye: CSO, he’s our chief security officer.
Daniel Newman: Just want to make sure I gave him the right title and credit. But also, when you mentioned Bobby that’s who you were talking about. So let’s play crystal ball or let’s just kind of look into the future a little bit. I really appreciate you spending this time with me, Daniel, very interesting. Love talking security. But talk about the kind of your big priority in the coming year, where you want to see things going forward.
Daniel Frye: Our business is on a major transformation, our GreenLake transformation where we are building this sort of hybrid model to help companies deal with living on both sides of the fence. Really our priorities for our security world is continuing to be with the business and to innovate with them. And again, be proactive about that security and make sure that as our business innovates and creates new ideas that we can come alongside them. And so really our main priority is this transformation that HPE is on. And us making sure that we’re securing that transformation.
Daniel Newman: Well, someone that’s been watching that very closely, more through the lens of how your technology goes out to the partners and customers, it’s certainly a great surface to be testing, experimenting, learning, and being able to pass the value. As a major global enterprise you share so many of the complexities that many of your customers and partners have. And so a lot of great learnings I’m sure have come out of that. And I look forward to hearing more. Daniel Frye, enterprise CISO at HPE, I want to thank you so much for joining me here on the Futurum Tech podcast. Great having you.
Daniel Frye: Thank you very much.
Daniel Newman: Everyone out there, go ahead and hit that subscribe button. We love having you as part of our Futurum Tech podcast community and our interview series. We got lots of podcasts here on the Futurum Tech podcast and all the shows on Futurum Research. Hit that show notes, I’ll put some links there to learn more about the team at HPE, Daniel, Bobby and the others and what they’re doing on the security side. So you can keep up with all the things they’re learning by serving a massive global customer base. But for this show, for this episode, it’s time to say goodbye. I want to thank y’all for tuning in. As always, I’ll see you later.
Daniel Newman is the Principal Analyst of Futurum Research and the CEO of Broadsuite Media Group. Living his life at the intersection of people and technology, Daniel works with the world’s largest technology brands exploring Digital Transformation and how it is influencing the enterprise.