HP CISO Joanna Burkey on securing the hybrid workforce and her biggest fear

HP’s differentiators on endpoint security and the growing use of AI/ML in security


As HP Inc.'s CISO, Joanna Burkey is not only responsible for the PC and printer giant’s own cybersecurity posture - she’s also the preeminent expert when it comes to the security capabilities of the vendor’s products.

Burkey recently spoke with our sister site CRN on both topics, noting both the ways that the pandemic and the shift to hybrid work have altered security strategy, for her and for all CISOs, and the ways HP specifically is helping to enable secure work today.

Burkey is a longtime HP executive who spent 13 years with the company in her first stint, then spent a few years at Siemens before rejoining HP as CISO just a few months into the pandemic in 2020. While the hybrid world is nothing new at this point, the adjustments are massive and ongoing, particularly in security. For instance, "some of the tools we had that were specific to the office scenario are no longer as effective any longer," Burkey said.

To help with that transition, HP has brought a focus on offering endpoint security capabilities that serve as "an embedded bolt-on with what we're already selling," she said. "And that's music to the ears of CISOs like me … If I'm already purchasing and running my endpoint fleet from a vendor, and they can bolt-on some layers in there for me, that's great."

Burkey also spoke with CRN about the possibility that we will see a greater number of cyberattacks in 2023, the growing use of AI/ML in security and her biggest fear.

What follows is an edited portion of CRN's interview with Burkey.

How would you summarise your strategy for securing HP Inc. as a company? And how has it evolved in recent years?

The hybrid way of working has definitely changed how we think about cyber strategy. Cyber leaders for a long time - and I'm a big believer in this strategy - have believed in layered defense, in "defence in depth."

However you want to call it, it's the idea that no solution or tool or technology is going to be a magic bullet. But if you take them like pieces of strategically stacked Swiss cheese, you can stack the strengths and the holes in a way where you get a pretty good layer in there, all the way from protection to detection to resilience to recovery, when attackers are trying to do bad things to you. So the hybrid world changed those Swiss cheese slices a little bit. Some of the tools we had that were specific to the office scenario are no longer as effective.

That really grew the focus on what other layers we could put in there. And for example, when you've got a lot of people working on various types of endpoints, isolation becomes a really big tool in your tool belt.

Isolation can help tremendously when you might have limited ability to activate real-time stuff on endpoints, when you might need people to have a certain layer of protection regardless of what endpoint they're on. That's an example of sort of a new layer of Swiss cheese that became more important in hybrid.

In terms of HP's strategy as a provider of security tools, how would you summarise your strategy there?

We don't [say], "Hey, HP is going to stand up a portfolio of standalone tools, and we're going to go after a totally new [market]." That is not our strategy. Our strategy is an embedded bolt-on with what we're already selling to a very large [total addressable market].

That's music to the ears of CISOs like me, because number one, we all need to do more with less. That means optimising what I've got. If I'm already purchasing and running my endpoint fleet from a vendor, and they can bolt-on some layers in there for me, that's great.

But then secondly, we are able to do more things transparently to that user at the endpoint - things that used to happen transparently in the network can now happen transparently at the endpoint. The user gets to continue with their life and their work. But we're able to continue to put some of those layers in that layered approach by taking advantage of new tools.

In terms of endpoint security, how do you fit in with EDR (endpoint detection and response) tools?

The easiest way to put it is that we augment what the EDR does. We don't look to replace EDR and we don't look to duplicate functionality of an EDR or an XDR. EDR is actually a huge piece of my own strategy to cover the HP enterprise.

What EDR is not always great at, though, can be detecting micro-movements at the endpoint - especially if something is happening at the BIOS and firmware level. EDR agents don't always have visibility into that. They're very much working at the OS and the application level, to look for abnormal behavior. So that BIOS and firmware level is a place where tools like HP's can augment what EDR is doing, and sort of cover some of those holes in the Swiss cheese that EDR has by nature.

We're not going to sell you tools that are going to sit on your Exchange server and proactively go through and parse out your email. There's other tools out in the market that do that. What we will do though - because we recognise that those tools aren't foolproof - is give you the ability, when a user clicks a link in an email, to take that user to a micro VM before opening what's actually in that email, to make sure there's nothing malicious.

That's another example of how we want to augment the tools that are already out there, catch some of the holes that they have. We're not looking to wholesale replace those or duplicate what they do.

Are there other examples of holes that you feel HP is able to fill in terms of security?

There's another place where a lot of the email tools [have a hole]. I'm not calling the email tools weak. It's all about the complexity of how a threat is actually made real. Tools that are sold today sit either on the Exchange server or further down the chain, before email actually makes it to a user device. One of the strong [capabilities] that those use is they sort of crowdsource information. So if an email gets to a user, and that user notices there's something weird about it and reports it as a phish, then that tool will go in and pull that email from all the other users. But you still have a hole in there - because what about that first user? What if they didn't detect that it was a phish? They thought it was real, they clicked on it.

This is where isolation can really help you. By putting the results of that click in a micro VM, you're able to put an additional net in there for the things that the email tools, writ large, don't catch on the front end.