Enterprise Services Blog
Get the latest thought leadership and information about the role of Enterprise Services in an increasingly interconnected world at HP Communities.

Securing the value chain: A brief chat with HP's Mary Ann Mezzapelle

In a retail environment, “consumer-facing” can sometimes mean chaotic, considering the average retail organization faces numerous security threats. As consumer industry companies and retailers evolve to serve customers across new media, devices, and distribution channels, they face significant threats across industries, national borders, and enterprise systems. The omni-channel approach to the New Style of IT for consumer and retail industries means companies need more reliable, ubiquitous availability from critical systems—yet most traditional security models are still siloed, heavily fragmented, and reactionary in nature.


With HP Protect 2014 due to start in Washington D.C. on September 8, we asked Mary Ann Mezzapelle, Americas CTO for Enterprise Security Services at HP for her insight into securing the value chain for retail and consumer enterprises. Her answers offer valuable, insightful and practical ways consumer-facing companies can survive in this complex environment.


environment.pngES: Lately we’ve seen a lot of information about “thinking like a bad guy.” Can you shed some light on what that really means?

MAM: What “thinking like a bad guy” essentially means is thinking about your security investments in a different way. Companies need to look at the full lifecycle of the threat chain. Historically, organizaitons invest 80 percent of their security budget in the “defense” part of the threat lifecycle—and often not very effectively. We’re hoping companies will use that budget to invest in protecting other areas of their value chain. In order to do that, companies need to adopt proactive and adaptive security, capable of stopping threats at every step in the process bad guys use. By thinking like the bad guys, retailers and other consumer-facing companies can better protect their critical assets, including customer information.


ES: In order to deploy a more comprehensive security strategy, do you see any value in traditional “purchase a black box” security measures. Or are consumer industries moving toward more of an “as-a-service” model?

MAM: In security it’s a very complex decision. Typcially, consumer organizations can have as many as 50 or 75 different tools they have to maintain to implement security across their whole infrastructure. And none of these tools “talk” to each other very often. So some CISOs use this as a proof point to move from CAPEX to OPEX. But this information can also provide CISOs another reason to bring in security features they can deploy quickly with enough effectiveness to be able to respond to the fast-changing environment.


ES: Are companies reluctant to hire security consultants?

MAM: Security is usually a closely held capability. Because business leaders have a difficult time understanding it, they are reluctant to trust somebody else. For this reason, it’s usually a consultative approach with larger companies because they can (and will) buy security products to plug holes. So security is not something that companies typically “give over” to a service provider. The consultancy becomes more of a delegated authority to oversee the entire environment and suggest changes or improvements. That’s why references go a long way in the security space. Companies are reluctant to purchase products or employ professional consultants unless they come highly recommended and experienced.


ES: In your recently published viewpoint paper, Secure the Value Chain there’s quite a bit of emphasis placed on the complexity of the consumer environment. Can you shed light on how best to address this complexity?

MAM: Well, the most important takeaway is that there’s no longer a single “line” enterprises need to defend. We used to talk about this perimeter that was drawn around an enterprise. But in the New Style of IT, all your processing doesn’t happen in one data center. Your suppliers, your customers, even your employees are all accessing that system through external networks. So there is no perimeter, and just keeping people out is no longer effective. Today’s cybercriminals do more research and they share information among themselves. It’s a $104B blackmarket. That’s why threat intelligence is very important. And then, during the discovery and capture steps, we have highly effective responsive techniques to employ a layered approach to defend the assets of a consumer-facing company.


perimeter.pngES: Finally, if today we’re talking about a $104B black market of information, what do you think we’ll be talking about in five years?

MAM: The New Style of IT is certainly an intriguing thing to think about from a security standpoint, because it opens up even more possibilities for cyberattacks. And it’s hard to enter into discussions with consumer-facing companies without scaring them too much. But the lifecycle approach to security is really where I believe the emphasis should be placed. In five years, with the Internet of Things and Wearables and so forth, the opportunity for breaches increases exponentially. However, a lifecycle-based strategy will help consumer organizations protect their data, customers, and businesses.


If you wish to interact with HP security professionals from around the world, consider attending HP Protect 2014, the premier HP event that will help you “Think like a bad guy.” No one knows more about security flaws than bad guys. They trade secrets day and night with a single-minded purpose: winning. Your applications, information, networks, and online payments are all at risk. To succeed today, security professionals have to think just like them.



MAM at COT2013.jpgAbout Mary Ann Mezzepelle

Mary Ann Mezzapelle is the Americas CTO for HP Enterprise Security Services. She works on services strategy and advises major clients focusing on security and privacy. She is the Chair of Security Forum at The Open Group, and is an Information Systems Security Association (ISSA) Distinguished Fellow. Mary Ann writes HP viewpoint papers, contributes to ISSA board activities and InfraGard programs. She is a standards author and frequent conference speaker. She has ITIL, CISSP and CSSLP certifications. In her spare time, she supports the US troops at home and seeks a cure for T1D (Type 1 Diabetes).


Showing results for 
Search instead for 
Do you mean 
About the Author

Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.