What's one of the biggest problems with online security today? Lack of personal accountability, says Andrzej Kawalec, Global Chief Technology Officer at HP Enterprise Security Services.
"As individuals, we don't take responsibility for our own data and privacy," Kawalec said in a wide-ranging interview with eSecurity Planet. "If I'm the subject of [online] credit card fraud, then I pretty much expect my bank and credit card to cover me for that."
Credit card companies have no way of knowing whether users are taking appropriate precautions to protect themselves, such as running anti-virus software, Kawalec says. In his view, there is little awareness of personal accountability for online privacy and security, and the consequence is that governments and enterprises end up picking up the tab when users' naive view of online security gets them into trouble.
"We have locks on windows and doors at home and we put our money in the bank," Kawalec said. "I don't think people are doing that with their personal data in the online world. So I think there is a big warning sign there."
That said, security and privacy have now become a board-level agenda item at many companies.
"There is a realization and acceptance that you cannot be 100 percent safe," Kawalec said. "So that ambiguity is driving activity, and investment in this area is huge."
Andrzej Kawalec, Global Chief Technology Officer of HP Enterprise Security Services.
Part of Kawalec's role is to help HP and its clients stay ahead of the curve when it comes to mitigating IT security risks.
"What it comes down to for us is helping a CEO or a CIO to see all of their security events and then helping them to understand what it means to them," Kawalec said.
With HP's global scale and 54 million security users, Kawalec said that HP tracks some 2.5 trillion security events every month. That volume of data gives HP insight into threats and their sources, and it helps guide how HP and its clients protect against security risks.
When it comes to best practices for IT security, Kawalec pointed to a few approaches to consider. For one, every organization needs basic security controls in place: an understanding of what assets it has and the ability to secure them, along with the ability to know and track the identities of the people who operate within the organization.
Best practices also involve looking beyond point solutions and taking a more holistic approach to understanding data attacks and leakage. Kawalec noted that to understand how data flows in and out of an organization, enterprises need sophisticated tools to spot trends and conduct pattern analysis.
"Best practices aren't just a case of going down a compliance check box list of items," Kawalec said. "If you have valuable intellectual property and data, people will come and try and take it from you, irrespective of the controls you have in place, so you really need to understand what the best possible risk posture for your data is."
Kawalec stressed that the approach HP takes is about assets and risk, as well as understanding the motivation of why someone might attack an enterprise.
"Embrace compliance by all means and use it as a huge lever internally to get things done and call out bad behavior," Kawalec said. "But don't think that it's the 'be-all-and-end-all' of the way security needs to be."
Kawalec's view that security is about more than compliance was not a unique one in 2012. It is shared by other high-level security executives, including Eddie Schwartz, Chief Information Security Officer at RSA. In a recent interview with eSecurity Planet, Schwartz also stressed the importance of looking beyond compliance to achieve real security.