
Conversation with an HP Instructor: “Cyber Security is part of the job for business people today”

Published 10/09/2015


By Kelly P. Baig, Education Services Instructor, HP

Are you aware of the latest trends in cyber-security attacks and the tactics used by bad actors to exploit your security weak points? More importantly, have you put in place appropriate protection against these threats? One starting point as cited by one of our Education Services instructors, Lauri Harris, is the HP 2015 Cyber Risk Report.

If you are wondering how to be sure you are controlling your risks, you are not alone. In my conversation with Lauri Harris, I found her advice and insights to be invaluable to understanding the scope of the threat environment – as well as some practical starting points for closing the threat exposures. If you are interested in hearing from Lauri directly yourself, you may find it useful to attend one of her HP security courses.

For more information on the upcoming CSA Summits – and to register to attend Lauri’s course – see these registration pages:

Conversation with Lauri Harris

Kelly: Lauri, thanks for taking some time from your busy training schedule to speak with me! I’m interested to hear your opinions of the latest threats and trends. But let’s start with you; what is your background and how long have you been with HP?

Lauri: I started originally with HP in 1998. Then I took a leave of absence to serve active duty with the USAF following 9/11. I also had a short service with the US Patent & Trademark Office as a Patent Examiner. But, I couldn’t stay away from HP. I’ve been back as an HP Education Consultant since 2010. I am an instructor for all ITIL and security courses, as well as the Cloud Security courses.

Kelly: What did you work on originally for HP?

Lauri: I was always an instructor; I taught HP-UX in the beginning – all the UNIX System and Network Administration courses. I also had technologies like MC Service Guard for high availability, Data Protector for enterprise backup solutions, Network Node Manager and Operations for network discovery and remote node management on both Windows and UNIX. I taught everything from POSIX shell scripting to Service Manager; I tried to teach just about everything that I could get my hands on.

Kelly: Do you find that your varied technology background – and your real-world service – helps with your security training?

Lauri: Yes, I think that a varied background really helps a lot. I find that a holistic approach to the practice of security is what is needed. Security cuts across technologies – across hardware, software, and networking. The advantage of my varied background is that I can talk to the whole picture of what you might run into from a security perspective.

Kelly: Who do you find attends your security courses? What types of students do you get?

Lauri: I get people from all different types of backgrounds, some are very technical and some are non-technical leaders; it runs the gamut. For me as an instructor – and I hope for the students in the courses – teaching security is very interesting because of the varied questions that I get. It is an opportunity to sketch out the flow of data and determine the appropriate controls depending on the data type, laws governing the data, and the necessary processing and required hardware and software to process the data.

For example, I taught a Cloud Security course in April at the RSA event. Keep in mind that at these conferences, like the upcoming CSA Summits, these are real courses that I’m teaching. I’m not just doing a summary overview or talk. So, I had a student in that April course that asked me about a particular aspect of how audits fit into cyber security – and we did a deep dive on that based on the interest in the room. We keep the courses small enough to make sure that we have that type of conversation – deep dives – as we go through. I’ve found at the conferences that it’s a lot of fun, because we tend to get the security specialists so we do really deep dives on the technology and processes.

Kelly: You mentioned that having business people in these courses is a more recent trend?

Lauri: Yes, it’s really just more recently that I’m seeing the managers coming in to take security courses. I think this is reflective of a paradigm shift that is happening across the board in business: technology is now embedded as a part of everything we do, from service delivery to customers, to the Internet of Things (IoT). This makes it extremely important for all people to be technology savvy, and especially security savvy.

So what I’m seeing is that more managers are attending our security courses and cloud security, in particular. They want to gain some understanding of the courses that we offer to determine which team members should attend which courses and to improve their own knowledge of cyber security for making better business decisions.

In short, security is part of the job for business people these days. Digital skills development is also part of the requirement for any professional.

Kelly: On security, what has your students most concerned? What questions do you get asked the most?

Lauri: The topic that comes up the most is cloud: almost everyone coming to any of our security courses is asking about cloud. Data in the cloud is the biggest concern. And, they have questions about their continued responsibility of ensuring that the data is safe and protected. They have questions about how much control over data protection they have between purchasing infrastructure as a service (IaaS), platform as a service (PaaS), versus software as a service (SaaS). These are questions we address in class.

Also, the physical location of data in the cloud is a big concern, and we wind up talking about this a lot in our courses. The fact is that all governments can subpoena data that is being collected or stored within their jurisdiction, if they think they have a need for it, not just the US government. But in reality, the vast majority of data collection is being done by private companies, not government agencies. And the data collected is governed by the organization’s security policy along with the local and federal laws.

Kelly: What are the topics that you cover in the HP CCSK Foundation Cloud Security course?

Lauri: We come in and we talk about the basic terms of cloud, security vectors, where the accountability lies in moving data to the cloud. We also talk about where the real risks are in putting applications and data in the cloud – and how to manage them. We help make sure that the students know how to get the right kinds of cloud contracts in place, with the right levels of service and the right types of terms to meet their business needs.

Kelly: Are the perceived risks of putting data in the cloud over-stated?

Lauri: Well, it depends. I like to use this analogy: imagine that you have a $30K diamond ring and you’re going to wear it to a gala event. So, where would you prefer to store it when you are not using it? Would you feel comfortable putting it into a jewelry box on a shelf in your home? Do you have a vault in your floor? Or, would you be better protected using a safety deposit box at the bank – and then have to go to the bank to get that ring when you want to wear it?

If you are a billionaire, then maybe you have great home security. But, if you’re like most people, then the bank is probably better protection for your ring.

Kelly: Are people understanding security better now?

Lauri: I think we are going in the right direction, but it was startling for me to read in our HP 2015 Cyber Threat report that the top two themes noted are: “well-known attacks commonplace” and “misconfigurations are still a problem”.

Kelly: Any closing remarks?

Lauri: As an instructor, I love my job. The thing that I like best is that I’m constantly challenged by new configurations and new questions. It pushes me to keep current with what’s the latest technology or what’s the latest trend. I read constantly, to stay current, because someone is going to come to class and ask about the latest trend or software or gadget. It’s really an on-going relationship and feedback loop between myself, my students, and what is happening with security in the industry.

Want your own opportunity to speak with Lauri and learn from her insights?

You can take the HP CCSK Cloud Security Foundation course to learn directly from Lauri Harris. A great opportunity for this is at the upcoming CSA Summits in October and December 2015. CSA is partnering with HP to offer the CCSK Cloud Security Foundation course at its lowest possible cost. Lauri will be at the Summits in person to lead those courses.
