Given the insane security environment we are in, it may seem weird to suggest that a tech company is too good at security. How can you be too good at something that is critical to the safety and operational resilience of companies and nations?
Security is weird that way. I grew up in the security business – my family owned one of the largest tech security firms when I was a kid. I worked for Pinkerton’s Security undercover, as a Sheriff’s Deputy. Security teams and analysts have reported to me in a couple of positions, at development and analyst firms. I worked as a security auditor. In short, I know security and take it very seriously. The problem in HP’s case is that buyers aren’t taking security seriously enough – and that could probably be said for hardware buyers in general.
Security is always about two things: Being good enough so that if there’s a problem you don’t look negligent, and being better than your peer companies so that attackers attack them and not you. Now, there are different levels of security. Financial institutions, healthcare, pharma, government and critical infrastructure often require high levels of security, but even then, it is just a different level of “good enough” – although in an era of advanced persistent threats and software supply chain attacks, “good enough” probably means that a lot more security is needed than there used to be.
HP’s Security Investment
Most tech vendors are on the same “good enough” page. But HP stands out and excels at security. There is a method to the madness, and while I respect and appreciate HP’s extreme efforts, with some noted exceptions, HP’s security efforts go further than most buyers think they need to go, even though it is clear to me and a lot of other people that the bar has been set way too low.
HP has created a company within a company called Wolf Security, which operates uniquely as a unit to address security problems broadly. They have a unique AI implementation that looks for behavioral changes in the user or environment and moves to stop irregularities, allowing for a relatively robust zero-day defense. They put a unique security chip in their commercial hardware that provides a level of hardware security that is currently unmatched. And their security screen implementation is currently market-leading (you can only see the information if directly facing the screen when this is on). They’re even publishing their own unique, cutting-edge cybersecurity research.
The problem is that IT buyers don’t appreciate all that and rarely even give it their full attention, resulting in under-utilized and underappreciated security features – and it also means that HP investors don’t get the full potential return from their investment.
Let’s explore HP’s security investment conundrum – and what it tells us about the IT market in general.
HP’s Security Not Valued by IT Buyers
I refer to HP’s high security standards as a “problem” because they adversely impact the company’s bottom line, but really, it’s also a public problem because we are all vulnerable to attack. Even though we are facing massive efforts from nation-states and others to disrupt and damage our cyber infrastructure, we still don’t take device security seriously enough. CSOs (Chief Security Officers) are rarely involved in setting equipment specifications, and on the rare occasions when they are, they don’t often get all their requirements met.
I met with HP’s security team last week and they expressed frustration that their intensive focus on security wasn’t resulting in a higher ranking by corporate RFQs (requests for quotes). When they did get CSOs involved, they would only set the specifications but wouldn’t ensure they were met, and the competing vendors just clicked the box saying they were compliant when they weren’t.
With China, Russia, North Korea and a growing number of criminal organizations funding attempts to steal data or disrupt operations on a global scale at ever-growing levels, we should be taking security far more seriously, but devices and employees remain overexposed to attacks that range from phishing to malware insertion.
The resulting breaches are presented as unavoidable when they are anything but. This is because security is still not a high enough priority, not only to ensure that systems are more secure, but also to ensure that IT doesn’t strip the security functionality out of these systems when they reimage them prior to deployment.
So HP’s problem (and it’s really everyone’s problem because we are the ones exposed) is that purchasing and CSOs aren’t taking device security seriously enough and, as threats continue to escalate, this leaves us badly exposed and HP’s products not performing to their potential.
HP’s Security ‘Problem’ is Our Problem
The bar is set too low for device security given the current global cyber war environment we live in. Companies, employees and individuals are at risk because we just aren’t taking security seriously enough. CSOs should be engaged when it comes to connected hardware to ensure that hardware can stand up to the current threat challenges.
For me this is less about HP’s financial performance than it is about keeping me and the people I care for safe. HP’s deep defenses should be the standard but they’re not. That’s why HP’s big security problem is an even bigger problem for all of us.
We need IT buyers to begin to value HP’s security investments – and for other vendors to follow suit.