
Rebellions, Rejections, and Solving Security in the Hybrid World of Work – Futurum Tech Webcast Interview Series
by Daniel Newman | February 22, 2022

On this episode of the Futurum Tech Webcast – Interview Series, I am joined by Joanna McDaniel Burkey, Chief Information Security Officer at HP Inc., for a conversation around security in the hybrid world.

Solving Security in the Hybrid World of Work

In our conversation we discussed the following:

• The driving trend behind workers growing increasingly rebellious against security measures
• Staying on track without creating more tension in the company culture, as ITDMs are becoming disheartened and finding their efforts aren’t taking hold
• What CISOs are doing to drive change for new hybrid work
• What role Shadow IT is playing in the challenges and gaps in security
• A few of the endpoint security needs for organizations
• Recommendations for CISOs dealing with modern security complexities

It was a great conversation and one you don’t want to miss. To learn more about HP, Inc. check out their website.


Disclaimer: The Futurum Tech Webcast is for information and entertainment purposes only. Over the course of this webcast, we may talk about companies that are publicly traded and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors and we do not ask that you treat us as such.

Transcript:

Daniel Newman: Hey everybody, welcome back to another episode of The Futurum Tech Webcast. I’m Daniel Newman, your host, principal analyst, founding partner at Futurum Research, excited for this Futurum Tech Webcast Interview Series, where today I have Joanna Burkey, CISO at HP, joining me today. We’re going to talk a little bit about work from home, security, privacy, what companies are doing to keep employees more thoughtful in how they’re securing their technologies and endpoints. And then of course, we’re going to talk about things that are on the minds of CISOs, like Joanna herself. So without further ado, Joanna, welcome to the show.

Joanna Burkey: Thank you, Daniel. Happy to be here.

Daniel Newman: Yeah, it’s great to have you. We’ve had some chances to speak in the past, but good to get you on video and put you on the record here. A lot going on, and we’ve had several conversations over the past, I don’t know, year or two, and it’s been a constant flux because of COVID. We live in the same city, more or less, but yet meeting in person is still, it’s starting to become a possibility, but I think everybody’s still super cautious. So we’re doing these kinds of meetings on video. So I’m going to talk to you today about hybrid work. But before I do that, I always like to give my guests an opportunity to just say hello to everybody and do a quick introduction because every company, a role like yours can be a little bit different. So talk a little bit about yourself and the CISO role at HP, and what you are up to.

Joanna Burkey: Sure. And it is fascinating having talked to you and e-met you a couple of times, I feel like I know you. And one day when we see each other in person, it’ll either be weird, it’ll be like, “Oh, long lost friends,” which…

Daniel Newman: It’ll be awesome.

Joanna Burkey: Which sort of encapsulates how we work with a lot of people these days. As Daniel said, I’m the CISO at HP Inc. And I was a pandemic hire into HP. None of us knew it at the time, but I started at HP in April of ’20, when we all thought that we were under just a, “Oh, four weeks and this is all going to get better.” So I think it has made me better and stronger at what I do having gone through it myself. My scope at HP is very typical of CISOs these days, which is to say basically anything that you can put cyber into the name of.

We all, I think, are working with, I’m not going to say struggling with, I’m going to say we’re working within our enterprises to really evolve our mandate. Our mandate is not IT infrastructure only anymore, it can be all the way to products and services that are sold to partner ecosystems. You name it, and CISOs tend to have a finger in it these days. So I’m happy to talk to you about what that means and both the silver linings as well as some of the challenges.

Daniel Newman: Yeah. I’m happy to have a chance to pick your brain. We work closely across the organization. I’ve spoken to people in your leadership team, from Enrique, all the way across to people that are leading your go-to-market strategies. And of course, this has been a multi-pod series for me, talking about your whole Wolf campaign, which is part of the backdrop of this. And by the way, I loved Mr. Robot, so I was super stoked back in the day when you guys actually originally created this partnership. And so there’s just so much going on, and what we’ve basically identified is that hybrid work probably will be one of the remnants of COVID, no matter what actually happens with the persistence.

Of course, we’re all crossing our fingers between vaccines and therapeutics, and various methods that we’re all using to mitigate the transmission, and improve the outcomes for patients around COVID. And in fact, I think we’re all a little exhausted, just because like, God, we’re still talking about this. But at the same time, it’s very real. And what we have learned from this is that companies have found a level of productivity, connectivity, collaboration that has come from new work styles, new patterns of work, you could call it. And of course, one of them is, I don’t say so much just work from home, but it’s kind of work from wherever. People say work from anywhere, work from home, work from coffee shop, but the second place, third place, fourth place, we’ve all figured out we can be really productive anywhere with the right technology and tools. It was Enrique and Alex Cho, who leads the PC group, they call it.

The PC is essential, they said it at our Six Five Summit event. But you guys also did an interesting study, and maybe we can start there because part of this is, we’ve gotten more productive and we’re working harder, we’re working more often, but employees are also maybe getting a little confident, you could even say cocky with technology. You’ve got a lot of shadow IT, and we’ll talk more about that later, but let’s just say they’re more rebellious with something that your study found. Talk a little bit about what you see and what you’ve both personally, and from reading through research yourself about work from home workers, their attitudes, and what they’re thinking about security.

Joanna Burkey: I have really, I have learned a lot from this research that HP’s been doing about working styles. And of course, the company wanted to do this research, not only with a security lens, but really learning what is the working experience for people these days? And I say these days, it’s about two years now, but as you alluded in the beginning, it kind of runs together a bit. For me personally, the real light bulb, when I was reading the research was, people need to get their jobs done, kids need to get their schooling done, families need to just accomplish what they need to do every day. And I believe we, as technologists, can either give tools that help enable that, we can recognize that this is truly the imperative on the individual now.

They are tasked with running a household, running a family, having a job, meeting certain deliverables. So we do see a bit of rebellion sometimes against why in the world do I have to do that? You tell me it’s for security, but in reality, you’re just making my job harder. That’s a very real feeling. And I think those of us, not only setting cybersecurity strategies, but in IT strategies, we need to take that seriously. It’s very easy to look at rebellion and say, “Well, you need to follow the policies,” but we’re missing that empathy to understand what is their lived experience right now? And how can we make that lived experience something that still allows them to get everything done? That whole spectrum, again, from get your job done, to get the kids’ education done, to get everyone where they need to be, I think that empathy element was, again, the first light bulb that stood out to me in some of those findings that we had.

Daniel Newman: Yeah. You bring up a great point. And probably the most relatable experiences I’ve had have been, I’ve lived in two places since the pandemic started, but in both places, my children have been given Chromebooks. They had them when they were in school and then they had them when they were remote. And when they went to that Zoom first schooling, there’s so many interesting things that the IT administrators have had to do to lock down these machines because the kids obviously would be all over the social media and YouTube and they’d be on just doing things they shouldn’t be all day. And of course, part of the problem though, is in order to lock it down and keep it secure from some of that stuff, it also has made it almost impossible at times to use these machines, like sending a simple email to a parent, they can’t send them because of the way they’ve locked down domains, for instance, that you can only email to your school, things like that, that we’ve noticed like.

Or getting an attachment share, they want to send me an attachment to print because they’re not on the network. And they can’t send the attachment to me because my email’s a futurumresearch.com email and that’s banned from them, they can only send… And my point is, is that you see this and all these kids want to do is get something done.

Joanna Burkey: Exactly.

Daniel Newman: And now, they’re pulling out their hair or something I cannot relate to. But the concept, and that just becomes, like I said, there’s orders of magnitude bigger because the more someone in your role wants to really make sure you’re locking things down, keeping the organization and the data secure, which is critical, because endpoints are such a vulnerability.

Joanna Burkey: Yes.

Daniel Newman: But at the same time, it’s a tradeoff. If you’re going to make it really secure and you’re going to be really limiting, you’re going to also create a lot of challenges and that’s hard. And so you talked about how it impacts the people, the users, but how does this sort of balance impact you? How does this impact people in your role?

Joanna Burkey: Daniel, similarly, you may have a hard time pulling your hair out. I found this wonderful gray-white thing going on during the pandemic, and every day that goes by it doesn’t get smaller. And a lot of that is due to exactly what you just highlighted. What does this mean, for everyone really? Not only the employees and the people just trying to get by and do what they need to do every day, what does it mean to people like us, who need to determine the tools, who need to set the technical strategies, who need to set the broader strategies? One thing we uncovered in the research, and this is no surprise, you’ll see a lot of people talking about this, especially in year two and entering year three of the pandemic is, the mental health and motivation toll that it has taken on cyber security and on IT teams. We are tasked with really a privilege. We have the privilege of protecting enterprises and protecting good people, who don’t deserve to have bad things happen to them.

Daniel Newman: Mm-hmm (affirmative).

Joanna Burkey: But the doing of that, again, it can lead to rebellion, it can lead to people bypassing tools, hardly ever for nefarious reasons, but that really does take a toll on operational teams over time, especially the folks in your security operations, the folks in your IT operations. They don’t want to be bad guys, they don’t want for employees to hate to see them come around the virtual corner. And this does take a toll over time. So that’s the downside, which is we really do see this take a human toll on the folks that need to make it real. But the silver lining there is, it has led us to search out and to develop technologies that can be more transparent, that can serve everybody. If we continue to load down the humans in cyber and IT, with more and more and more, we will break them. We have to find a way for technology to take a lot of that load and also to communicate and work with that end user in a collaborative and bidirectional way, to get their feedback, to make changes, make this a living strategy that won’t break anybody.

Daniel Newman: Yeah. Nobody wants to be broken Joanna. So talk about that, you started alluding to the technologies that exist. And this is probably one of the more exciting and significant areas of innovation at HP, but not necessarily something that’s often talked about. We kind of live in a world, we all talk about power, performance, battery life, even now camera and audio quality, all important, but there are important technologies that can be developed to provide greater securities. So what are those technologies that you guys are building? What are the technologies more broadly that you’re seeing? How is the Wolf giving CISOs the ability to pivot their strategy, so that employees don’t have to rebel and that ITDMs are feeling like they have some control?

Joanna Burkey: It has been, in my career in technology, and again, coming back to the white hair, it’s been a long career at this point, there’s periods where you really see a lot of change, and it’s fun to see those periods. I feel like we are seeing and driving one of those at HP right now, where there’s certain technologies like containerization in virtual sandboxing, that have been around for a long time, very long time. But especially in the early days, there wasn’t enough power in the endpoint to really make it as user friendly, or as transparent as we wanted it to be. And the endpoint assets have now caught up with that. And we can really use containerization, for example, in a much more user-friendly, and in fact, user-transparent way, that’s a massive tool for us.

And it’s really exciting that we are playing in that space as a company. One thing too, that we don’t talk about a lot in the industry, but that HP’s been doing for years, is focusing on firmware and hardware-level security. That is a real boon to the CISO and to the IT department because my philosophy very much, like a lot of my colleagues in the industry, I believe strongly in layered defense. You’re never going to put all your eggs in one basket, you’re never going to roll out one tool and go, “All right, we’re good. Let’s go have beer all the rest of the day now.” You need a lot of layers out there. And if you can put some layers at the firmware and the hardware level, that are there and always on, and always active, that’s wonderful because it means the humans in my org can go focus on operations and tasks that are better for the humans to do, and leave some of this always-on security up to the technology that it is very well suited for.

Daniel Newman: Yeah. The layered defense, there’s probably a good NFL analogy given that we’re recording this right ahead of the Super Bowl, and given some of those crazy endings in games.

Joanna Burkey: Yeah.

Daniel Newman: Defense or lack of, I don’t know, those were some great games.

Joanna Burkey: They were amazing. I feel like I watched three Super Bowls, honestly.

Daniel Newman: Yeah, it’s been so good. By the way, it’s Tuesday, February 1st, because I know people don’t always listen to this. So we are talking right ahead of the Super Bowl, but you may be listening to this afterwards. So don’t fault us for taking a little sidebar here in our conversation to talk about what’s current events. So you’ve brought up a lot of things, you’ve brought up a lot of strategic initiatives.

Something that I sort of spoke to earlier, Joanna, was shadow IT. And this is something that is a different challenge because when you’re talking about putting security and educating your teams and of course leading your security strategy for the devices that you distribute out to your employees, there’s a certain level of control.

But when you talk about the fact that most companies now have to at least deal with a mobile device that’s going to be what is quote-unquote “shadow IT”, and for anybody out there that’s not familiar with the term, it’s effectively technology tools like a mobile device or a laptop, or maybe someone that has a house has a Mac, and they put a web app that allows them to have access to a CRM or ERP or an email, or just different data of the company. There’s a lot going on. And that plays a whole different challenge because it used to be, you could really create a, “Here’s the wall and your stuff, our stuff, our stuff’s never on your stuff.”

But at this point, everything from just people that email themselves, they’ll download a file out of an ERP system that they want to take home for the weekend, but they have a workstation, so they email it and then they go home and they pull it up on their laptop. And then their laptop ends up with their kid and their kid’s at the coffee shop. And they accidentally leave a thumb drive. You know what I’m saying? It’s just, these are the ways things go wrong.

Joanna Burkey: Mm-hmm (affirmative).

Daniel Newman: It’s usually not one thing. So talk about shadow IT, talk about the challenges it’s creating. We’ll start there, and then I also want to hit you on phishing, but let’s start with shadow IT.

Joanna Burkey: You mentioned earlier and I agree with you, that hybrid work was going to be always around now, an after effect from the pandemic. You can argue that we were already going in that direction, but the pandemic really accelerated it. I also think that an always-on effect, going forward, is going to be the multiple ways that people use their devices. One of the findings in our research that was also eye-opening to me was how much the employer-issued device is used for personal tasks, and how much the personal device is used for work tasks. I don’t believe that’s ever going to go away. And I think we need to acknowledge that. We’re not going to be able to control that either. Let’s be realistic about what we can really do there. This is where the concepts of zero trust and having good, robust MFA really play into, I think, a resilient strategy because we have to assume that visibility is going to be a bit clouded.

Now, again, some of these more user-friendly and transparent tools help us greatly with visibility. It is entirely possible to have appropriate visibility on an employee’s mobile device, for example, where you’re still giving them the appropriate privacy in the right places, but you still have the appropriate visibility only when it’s about work. I think we’re really going to see more use and an explosion of these concepts, where we’re just going to accept that assets are used for various reasons. And when you talk about shadow IT, I think of one thing in particular. Think about how many devices people are buying on their own. That then, like you said, can either touch work systems or be used to do actual work.

Generally, the security of those devices is not going to be front of mind, for the individual that’s purchasing it. So we need to accept that, plan for it. Take that into our strategies, right? I mentioned zero trust concepts here, where I think this is very important. And you hit the nail on the head where, I think for a long time, we thought we had perimeters. We probably thought that we had perimeters past the point where those perimeters were getting pretty porous. We don’t really have perimeters anymore. That’s why segmentation is so important, robust authentication is so important, and not automatically trusting a certain endpoint. You don’t know who’s on the other end of that endpoint. These concepts are going to become a lot more important, I think, in the strategies across enterprises now, and they really help everybody. It’s not only about helping and protecting the enterprise. It’s about keeping the employee and their own data safe, their own families safe as well.

Daniel Newman: Yeah, you’re absolutely right. And the commingling of the data is almost, it’s alarming how much of it goes on and how much risk it creates. I saw a data point the other day, and I don’t remember the exact, but it was something like 80% of people cannot discern today’s typical spear phishing attacks. Just wanting to pivot over to the phishing conversation for a minute. Basically, it’s a combination of a couple things. One, is the black hats have gotten so good at creating these things. And B, people are not well educated and well trained in how to actually identify them. Some of the most common ones are coming in text messages now, you’re also seeing them coming in emails that look like they’re coming from maybe your bank.

I got one last week from Wells Fargo Bank. It was not from Wells Fargo, but it was, someone grabbed their logo and they created what was really compelling, other than a few typos, that was actually in the communication and then a link. But then you’ll actually go to the top and you’ll look at where the email’s from, and it’s just some crazy obscure, and you’re like, “Oh my gosh.” But we’re all teetering. It’s like we’re almost all standing on a ledge of a building just with one foot hanging off. And all you do is click that button and it can turn your whole life upside down, literally just one little click, and you’ve just opened up the whole world to all your info and all your data. What about that? What are you seeing there about, how do you help your employees and the people, your communities and your cohort, what are you guys thinking about when it comes to the phishing that’s going on these days?

Joanna Burkey: We, for sure, especially at the very beginning of the pandemic, we saw a massive rise in both attempted phishing attacks and successful ones at a global level. And a lot of this is human reasons, especially when humans are out of their routine, or they’re stressed, or things aren’t feeling in control. You’re much more likely to get snookered in by a bad actor, with something like this. Especially, we saw a ton of COVID themed phishing going on, now we see vaccine related phishing, employer mandate related phishing. The attackers are super smart. When it comes to social engineering, they’re always going to be. And I believe strongly, you can always find this argument on people say, “Human training is most important.” And the other people say, “No, you’ll never train the human, you have to have technology.”

I say, yes, you need both. We have, I believe, an onus to do what we can to educate people on how to detect phishing attacks as much as possible because, again, it’s not only about them protecting their employer, we want them to be protected as individuals. We don’t want someone to accidentally expose their family’s data because they got snookered in. So I don’t think you can just say, “Well, humans are always going to fall for something, so there’s no point in teaching them.” No, you can educate people enough so that they don’t fall every time. But we have to assume that there’s going to be the errant click. I don’t think I’m ever going to get over, it was probably 15 or 16 years ago now that I fell for one, and I couldn’t believe myself. I thought, “Oh my gosh, Joanna, you need to take yourself out of the cybersecurity industry. What did you do?”

We have to assume that that’s going to happen, so the technological backstops, all really important. There’s a lot of great tools out there now to stop it at the source, stop it at the mail server. Once a bad thing is detected, remove it from all the other inboxes in the enterprises. Those tools are great. But again too, this is where, let’s say someone does click, having appropriate authentication, segmentation, MFA, all of those additional backstops, that layered defense, if you will, are going to continue to help protect both the enterprise and employee.

Daniel Newman: Yeah, that’s a great answer. So we only have a couple minutes, Joanna, and I’ve had so much fun, time has flown through this conversation. So I always like to end with something bigger picture, broader, thoughtful, or maybe forward looking, in this case, having you here, a CISO of a very large, well-recognized brand on a global scale, I’m sure there’ll be other CISOs that’ll be listening into this, just trying to get inside your head just a little bit, what they can learn. So if you had to give one or two really big recommendations, whether that’s macro or micro about how to approach modern security, how to create the safest enterprise, and how to empower employees, what would be one or two bits of advice that you’d give to all those CISOs out there?

Joanna Burkey: What I work to keep top of mind for myself and my org, and I think is applicable to everybody, is to think about the breadth of what we do in terms of, we call it the three Cs; it’s capabilities, culture, and coverage. Capabilities, of course, is what everybody pays attention to. What technologies do I have? What technical gaps do I have? Where am I on my [inaudible] assessment? Super important, but it’s not enough. You can’t only focus on that. The culture is really important. And I don’t mean that there’s a right culture and a wrong culture. Know the culture of your company and your cyber strategy should complement that culture, your strategy should fit the company that you work within. What is important to your leaders? What’s important to your individual contributors? That is different for different companies. That’s a good thing. That difference is good.

So think about those elements when you’re developing your strategy. You can develop the greatest strategy ever, but if it’s not a fit for your company culture, you’re going to struggle. And coverage is the third C, that’s really, and I mentioned this at the beginning, what is your scope as a CISO organization? What is your mandate? Does it fit the risk appetite of your company? Does it fit the business strategy of your company? We know various enterprises can be in sustaining mode, they can be in growth mode, they can be in business pivot mode, be in the throes of digital transformation mode. All of those things change what your appropriate coverage as a CISO is. And I think once you start looking with a little bit of a nuanced eye, there’s not one checklist, there’s not one magic bullet recipe, your strategy needs to fit your enterprise, in all those three different ways.

I think then that is not only a big step toward having a strategy that’ll work and be resilient, but it’s also a strategy against burnout, for us and our organizations. We can’t boil the ocean, we never will. So let the three Cs dictate what part of the ocean that you need to focus on.

Daniel Newman: Yeah, I like the analogy about eating the elephant a bite at a time, but the boiling the ocean is another one. I think there’s some metaphor class we all take in grad school.

Joanna Burkey: Analogies, metaphors.

Daniel Newman: Same analogies, same metaphors. And then, of course for me, it became dad jokes, but we’ll save that for the next time we talk, Joanna. I want to thank you so much for joining me here on The Futurum Tech Webcast, very entertaining conversation. And you can be assured we will be having you back at some point in the future because there’s going to be so much more to add to this discussion in the coming years.

Joanna Burkey: Well, I look forward to having the coffee in person at some point, but it is always a pleasure to talk to you, Daniel. I appreciate the time.

Daniel Newman: Absolutely. So, hey, for everybody out there, thank you so much for tuning in. Check out the show notes, where we’ll get you some links so you can learn more about the HP Wolf campaign. Thanks to HP for providing and partnering on this podcast and on this webcast. It was a lot of fun to have Joanna here. We will look forward to sharing more updates on this podcast and others. Of course, subscribe to our podcast because we have so many great guests here on the interview series. And of course our regular shows here on Futurum Research. For this episode though, time to say goodbye. See you later.

About the Author

Daniel Newman is the Principal Analyst of Futurum Research and the CEO of Broadsuite Media Group. Living his life at the intersection of people and technology, Daniel works with the world’s largest technology brands exploring Digital Transformation and how it is influencing the enterprise.