William McCormick
Todd Gustafson, president of HP Federal and head of Public Sector business, recently spoke with ExecutiveBiz for the publication’s latest Executive Spotlight interview detailing the challenges that federal agencies are facing as hybrid workforces drive the need for security hygiene and data protection.
In addition, Gustafson also discussed the importance of endpoint threat detection and zero trust security as well as the establishment of ensuring an organized customer ecosystem and more.
“From the perspective of our team, we’re heavily focused on the outcomes of how we’re going to market. That’s about the customer’s mission and understanding where they want to end up. The second is security and everything that we do has a security basis to it.”
You can read the full Executive Spotlight with Todd Gustafson below:
ExecutiveBiz: As we continue to see drastic changes within federal agencies to evolve into hybrid workforces, what can agencies do to educate remote/hybrid workers on security hygiene and mitigate the increasing number of breaches?
“The first step is the federal government taking a cyber-centric dominant mindset with regards to how they’re managing through the current changes in hybrid work environments. There’s some evidence of that across different venues.
For example, there have been two executive orders published during the current and previous administrations about cybersecurity. These both include endpoint devices and how they are managed. As human beings, we all think and interpret information differently. There’s an element of cyber that I would call ‘traditional awareness training’.
The government had a lot of these policies in place prior to the pandemic. Our government continues to follow down that path to align with new capabilities, build tools into the infrastructure that will also be multi-layered, and not rely too much on one technology or method in the future. That works to reduce human error as much as possible.
In addition, there’s been recognition that the government wants to adopt commercial best practices. They believe that much of what industry has done can be leveraged along with best practices, so the outreach for OEMs in the market and other technology providers has been fairly robust. As a result, an agency like NIST has been very engaged with industry to understand today’s technology along with guidance into the future to help government agencies stay ahead.
I would say that DOD and civilian agencies need to respond with an endpoint security plan and cybersecurity and resiliency plan within 90 days, which was just confirmed by the current administration.
The big opportunity for the government is about working to drive out the lowest cost and price mentality, which the government has been great at doing to drive value. In the marketplace, you’ll have one competing demand that’s being driven by the contracting officer and on the other side cybersecurity demands driven by CIOs and CISOs.
Normally, those two concepts don’t meet in the middle. The government may decide that this cyber approach is the best thing for the agency, but it may only be available by one or two vendors in the marketplace. The issue there is that it may eliminate the requirement for more people to compete, but it creates a real cyber risk. I think the biggest opportunity is to develop a more comprehensive view that also recognizes best value.”
ExecutiveBiz: What can you tell us about the importance of endpoint threat detection and zero trust security as it relates to a hybrid workforce for federal agencies?
“First and foremost, I’m a big fan of zero-trust. Andy Grove, founder of Intel, said that, ‘Only the paranoid survive.’ I think about zero-trust and the core of what it is. It’s essentially a multi-layered security approach from endpoint devices through your supplier community, agency and national standards like NIST. I think about how layered the concept is and there are really three different ways that HP has seen zero-trust from an endpoint security perspective.
If you remember Stuxnet, Iran was developing nuclear capability, but they had to shut down their program for about 10 years because the centrifuge program was compromised at the operational security bios level. At the time, the industry was highly focused on antivirus software.
The dirty little secret of the antivirus community at the time was that any virus was only one aspect and it focused on the OS. It was always in reaction mode. The bad actors knew in advance about the behaviors of antivirus programs, so they were able to evade them by modifying the payload in order to go undetected.
If you think about bios as the heart of the operating system, what happens is if you’re able to rewrite and attack the bios, you can stay hidden under the OS and go on undetected. HP Sure Start performs digital signaling processes (hash) with an onboard chip (Trusted Compute Module) to ensure that the bios hasn’t been compromised. If it has been, the product will automatically self-heal to revert to the original digital status of your bios.
We have the bios level intrusion protection on any endpoint device, then you have attacks at the OS. As an example, we do something here at HP called the ‘Sure Click.’ I would explain ‘Sure Click’ as micro virtualization. If you fire something up that has malicious code on it, it stays in that micro virtual machine and not impact your operating system.
As soon as you click or shut down that micro virtualization application, it disappears. It’s based on Bromium technology developed by a Professor at the University of Cambridge in the UK as the underlying technology. You have micro virtualization machines that shut down as soon as you click off. It operates its own little sandbox; malware can never affect anything outside of that sandbox. In order for government agencies to have strong adoption in that, there will also be a lot of emphasis on data protection and data privacy.”
Visit our Executive Spotlight Page on ExecutiveBiz.com to learn more about the most significant leaders of consequence to the government contracting (GovCon) and federal sectors and their experiences driving growth, new business and capabilities in the fiercely competitive federal landscape.
ExecutiveBiz: What are the greater pain points and security concerns for HP Federal customers and how do the top lessons of teamwork, stickiness and listening play a part in ensuring an organized customer ecosystem?
“When it comes to government and industry working together, I believe that the two best align when there’s an established understanding with a mission and a predicted outcome. All too often, the usual approach between the government and industry doesn’t demonstrate the government’s mission and what they’re actually working to accomplish. In military terms, our warfighters need to best understand the mission at hand, why they’re there, and what they are going to accomplish.
The government needs to recognize that every hardware purchase is a security purchase moving forward. At the end of the day, that decision helps defend our national security and opens everything up for unnecessary risk. At minimum, that should be a part of the decision criteria. That’s still in progress and the current administration has made some good progress so far, but we still have more room to grow in that area.
From the perspective of our team, we’re heavily focused on the outcomes of how we’re going to market. That’s about the customer’s mission and understanding where they want to end up. The second is security and everything that we do has a security basis to it.
And third is about sustainability. We’re all living on this planet and we’d love to continue to leave it to our children and their children, etc. We continue to practice the success that the EPA had about 15 years ago when they rolled out the energy consumption guidelines.
It’s not just about the benefits and the environment, per se. I just think the government could take a more proactive approach to incorporate reusability standards in terms of things like ocean recyclability. I’m just proud to be a part of this company that has taken a stance on this issue and recognizes the importance of taking care of these issues sooner rather than later.”
