UPDATED 12:52 EDT / DECEMBER 01 2010

Hewlett-Packard on Security Spending: 8 Tips for the Cloud

Hewlett-Packard isn’t a security company, but it’s delving deeper into the security realm, in part to help existing clients protect their own products, and more generally to address the rising demand for incorporated security offerings within virtual environments. Just yesterday, HP announced its new Application Lifecycle Management 11 services (ALM), designed to provide a software solution.

The veer in direction is a matter of remaining relevant for HP, as security is becoming par for the course when it comes to data sets, server storage, virtualization and accessing various aspects of the booming cloud, whatever that means for an enterprise or a smaller suite of solutions.  Thanks to key acquisitions such as Mercury Software and ArcSight, HP has been building up its resources for offering more integral security tools along with its products.  As part of this growing push, we have some security tips from Chris Whitener, Chief Strategist for HP, who began our interview with a hearty perspective on corporate care:

“What we’re trying to do at HP is look at the whole problem our customers have. We’re unique in that way, because of our huge portfolio, but also because we’re not just looking at security for storage, or apps; we have everything from Palm phones to the biggest computers on the planet.  We’ve got this incredible amount of stuff, and I face the problem more like customers in that respect, because I have to look at all of it.”

1.    Create an organized information security system incorporating a range of policies, security products, technologies and procedures.

This is addressing an industry-wide issue, as many companies move towards unified communications.  The rest of the security tips follow in line with this mantra. “The industry has been used to building cars like they did in the 1950s, with no seat belts, etc.  And if you wanted seat belts, you had to bolt them on yourself,” Whitener describes.   “For a lot of vendors, it’s a lot like that.  Instead, we’re trying to create a system with ABS, and airbags, that work together.”

“One of the main ideas is to give customers an organized look at the system.  It can be considered like a flight recorder system, monitoring the entire system as a whole.  Having an organized series of information is key to saving money, in a couple of respects.  Some of the things you can do is look to see if you’re over-spending. What’s covered, what’s not.  An obvious example is overspending on anti-virus and firewalls, but underspending in other areas.  This is a common scenario.”

2.    Establish a sound management structure to achieve an effective control structure.

“Second is an effective control structure. Don’t put controls in place for something that’s not going to work for you. For example, we had a CFO come to us and say they don’t want info leaked to the press, and they’d like an encryption system. But my first question to them was, do you know where the files are, and who has access to them? Encrypting may work for compliance, but gaining those files is where the real control is. When we talk about controls, people’s eyes glaze over, but you’ve got to determine that the knobs you’re turning are the right ones.”

3.    Apply a unified approach to information security and compliance.

“There’s a vast array of things that go into cloud use today – it’s kind of mobile.  One of the reasons we bought a phone company is that we know you can’t have a complete system if you leave a hole open.  For instance, people could steal money from a bank long before computers, by misplacing a number in a ledger.  Banks realized a long time ago that security needs to be put in place.  Layers of defense, but not layers in the sense that you’re not just piling them on and hoping for something.”

4.    Deploy end-to-end encryption as a way of securing data and properly protecting critical infrastructure components.

This is all about “organization and risk tolerance,” Whitener goes on. “You need to understand what you’re protecting. If a bank or Amazon can’t do a secure transaction, no one will shop there. Focusing on these as an organizational risk is more important than meeting outlined compliance issues.”

An odd but true example was the SARS outbreak that happened a few years back. The threat alone “actually shut down banks, though it was a risk they’d never thought about,” Whitener recalls. “A human virus being able to shut out their personnel, not their computer systems. But now their risk and controls better align with those types of things.” This point alludes to a few other security tips in HP’s list, as follows.

5.    Implement an information security system to ensure assets are properly protected at all layers of defense.

6.    Select appropriate control measures that are aligned with organizational risk tolerance.

7.    Provide transparency and visibility into security as well as continuity control performance to determine whether or not they are providing the level of protection needed.

“Providing transparency and visibility is critical,” warns Whitener.  “If you can’t show your boss why you’re doing some of this stuff, they’re not likely to understand it, fund it, or do the right thing.  That goes for any kind of company.  Even here at HP we really have to consider the controls we put in, on privacy, our retail site, our employees.  We’re a user of this info as well, and if we can’t come up with something to determine how we’re making progress, we’re in bad shape.

“Another reason for buying ArcSight was this continuous need to improve. It doesn’t have to be something you give up on, but you constantly maintain vigilance. There are companies that look at risk and expense, and some have a budget just for this (the finance industry uses a fraud pool they put aside to balance risk and actions). Likewise, security has to do that. You must first see the info, then balance it.”

8.    Determine if control types are misaligned with protection strategies.

“You can’t lock your business down to the point where it doesn’t function,” cautions Whitener. “Security has to be an enabler. They have to understand these things as a company. Going back to the car example: one reason for brakes is so you can drive fast. If there were no brakes, you’d drive considerably differently (I’m stealing this from someone else, but it’s a good point). The protection of your company has to be aligned with what your company is trying to do.

“Another example is determining what it is you’re really doing. If you use [a security service] from down the street instead of a larger company, there’s a different scenario based on the disaster scene. It’s easier for them to close shop, walk down the street and open another shop. So you have to pick the right partner for your needs. You have to match what you’re using them for with your goals.”

Whitener goes on to specifically discuss the use of the cloud.  “What you put in the cloud — you should think about your cloud provider when you determine what you’re putting there.  Make sure they’re secure.”

Interestingly enough, this final example was a word to the wise regarding the use of the personal cloud as well. A number of services, including social networks, are discovering the need to be transparent in their security measures and intentions with consumer data, so that consumers remain knowledgeable and protected. As with most operations that originate at the enterprise level, aligning your individual purposes for cloud use with the service you’re using is something to think about, whether you’re posting a photo on Facebook or sharing your Amazon purchases and wish lists.

