HP Makes Enterprise Security Push
When he laid out his plans to transform the company at a speech in San Francisco in March, Hewlett-Packard CEO Léo Apotheker said IT security would play a big role going forward.
Today, HP presented a new strategy intended to boost its role in the business of supplying IT security to large businesses. With two big shifts hitting the corporate computing environment — cloud computing and scores of worker-selected mobile devices entering the workplace — there are a lot of new security challenges giving CIOs headaches.
“If you look at those trends, they challenge the traditional notions of enterprise security,” says Tom Reilly, HP’s VP and general manager for Enterprise Security Products. “So we want to address those challenges.”
The traditional approach in IT security was to establish strong perimeters around the network and around a company’s computers that could keep bad guys out and let good guys in, and then to set strict rules about what people who are allowed access can do.
Cloud computing obviates the need for a perimeter, because all the computing resources are, well, in the cloud. They live on some virtualized server in someone else’s data center. And someone who brings their iPhone to the office expects to have the same level of access to the resources they need to do the job. The old models don’t really apply anymore.
Meanwhile, attacks are surging. A study by the Ponemon Institute — which, in fairness, was sponsored by HP’s subsidiary ArcSight — found that cyberattacks against a group of 50 large companies grew by 44 percent last year versus the prior year. The companies in the sample group — all of which had 700 or more users — were hit with a combined 72 successful attacks per week, averaging more than one per company per week. The study also found that the costs to mitigate these attacks went up by 56 percent year over year.
“The bad guys are getting better, but as we change our IT environment we’re giving them more surface area from which to launch these attacks,” Reilly says.
So HP is coming into the picture with what it says is a new approach. It turns out HP has been quietly building up its security bona fides through acquisitions. Last year it paid $1.5 billion to acquire security intelligence firm ArcSight, of which Reilly was CEO. In 2009, it acquired TippingPoint, a network security outfit that came with the $2.7 billion acquisition of 3Com. Another pair of acquisitions, Fortify and SPI Dynamics, both specialize in application security.
HP’s plan is to mix these security capabilities into its Enterprise services offerings, Reilly says. Rather than try to sell each company new firewalls or other stuff, HP can come in and augment whatever security the company is already using with better information about threats and a new set of tools that can see how the company’s infrastructure is being used, not just on-premise, but within cloud-based environments, as well.
The point, Reilly says, is not so much to sell specific new security products to companies, but to take a service-based approach that helps a company get a better handle on the new security troubles it may be facing.
The trouble is that HP hasn’t generally been viewed as a player in the IT security market, and risk-averse CIOs are usually slow to embrace new vendors, because they tend to have long-term relationships with suppliers. But with the nature of the threats changing, HP is apparently hoping to use its status as an established supplier of servers, PCs and other IT products and services to start a conversation around security with its customers.
There has been a lot of activity around security in the last few years. Intel spent more than $7 billion to acquire the security software firm McAfee earlier this year, and IBM already offers a muscular set of security products and services. HP will quickly run into competitors, for sure.
If nothing else, following as it does in the wake of HP’s plans to divest itself of PCs and its mobile device business, a robust security offering is something that enterprise customers are going to expect. If there’s really going to be a new enterprise-centric HP, expect to see more moves like this. Whether or not they’ll work is another matter.