Modern enterprises face many security risks, and getting a grasp on the big picture isn't always easy. Hewlett-Packard is now aiming to make it easier for organizations to understand their security risks with the new HP Security Metrics Service.
Richard Archdeacon, chief technologist, HP Enterprise Security Services, explained to eWEEK that HP has filed for patent registration for the methodology and framework behind the new service, which is designed to help address a gap in metrics analysis.
"Most metrics services are typically technology-based and reference the operation of a specific technology," Archdeacon said. "That's great for managing one piece of technology, but when you are looking at hundreds of devices and tools in large IT environments, the volume of granular data is mind-boggling."
In the HP approach, there is a methodology and a framework that together form a system that uses the HP Executive Scorecard dashboard to aggregate data and apply rigor to align it to specific risks, threats, assets and objectives.
"In short, the system allows business leaders to remove the guesswork around information security," Archdeacon said. "With this tool, they can very quickly see where their real security risks are and make informed decisions to mitigate them."
HP has multiple security-tracking tools in its portfolio, including the ArcSight SIEM (security information and event management) technology platform. Archdeacon noted that the HP Security Metrics Service is technology-agnostic.
"We are able to configure the system to harvest data from all technologies from all vendors, even home-grown tools, so the user has a truly comprehensive view into the data that they need," Archdeacon said.
The HP solution is entirely technology-independent and sits at a level that makes security decisions more meaningful to the business, he said, adding that the service is designed to enable a business leader to make decisions about resources, technology deployments and security control effectiveness in alignment with their organization's objectives.
"The full intent is to facilitate a more effective conversation between the IT leader and, say, the human resources leader or CFO, about how their information processes are at risk and what should be done to further protect those processes," Archdeacon said. "While the HP Security Metrics Service is not a threat-protection service innately, it can be used as an identifier of potential threat impact, allowing protective measures to be deployed more quickly and effectively."
HP's approach to security metrics includes some 34 identified key risk components. Archdeacon noted that the 34 components are an amalgamation of the risk components of both the Open Web Application Security Project (OWASP) and the Payment Card Industry Data Security Standard (PCI DSS), as well as other governing bodies.
Archdeacon added that a financial services organization would find PCI DSS risk components more valuable than an automobile manufacturer might. The system is flexible and allows HP's consultants to tailor it to the client's sector, size and business unit leaders' assets, goals and processes.
"As part of the service, we are able to adapt the deployed system to accommodate specific risk components from the client's industry to maximize the value," Archdeacon said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.