HPE’s Liz Joyce: ‘The cybersecurity industry is facing a huge talent gap’

15 Feb 2019

Liz Joyce. Image: Hewlett Packard Enterprise

Hewlett Packard Enterprise’s Liz Joyce warns that as security threats get more sophisticated, we need to get more people in cybersecurity.

Liz Joyce is vice-president and CISO at Hewlett Packard Enterprise (HPE). Joyce is responsible for building world-class, extensible security capabilities that protect HPE’s assets and workforce, as well as enabling and extending business capabilities.

All aspects of information security – strategy, architecture and operations; product security, information and threat management; governance, risk and compliance; third-party assessment; identity and access management; security transformation and training – fall under her purview.

‘Having a diverse talent pool can also foster different ways of thinking and innovating within a company – and, when it comes to beating the bad guys, you can’t have too much innovation’

Joyce holds a PhD in information security from University of Plymouth in the UK and an honours bachelor’s degree in computer science from University College Dublin.

Tell me about your own role and responsibilities in driving tech strategy.

I’m responsible for leading the team, technology strategy and processes which keep our enterprise assets and information protected. With cybercriminals and malware growing more and more sophisticated every day, it’s no easy task, but having the right people and technology in place helps.

Are you spearheading any major product/IT initiatives you can tell us about?

HPE is going through our own digital transformation to build our Next-Generation IT (NGIT) infrastructure. This is an intensive nine-quarter IT transformation dedicated to completely revamping and refreshing HPE’s internal IT systems. The goal is to invest in resilient, next-generation systems that can support our evolving business, both now and in the future, and provide better services and experience to our customers, partners and employees. This work is driven by our CIO, Archie Deskus.

My team works closely with hers to drive the new security architecture and operating model that protects and enables NGIT to operate securely – and covers everything from our identity and access management strategy, to how we secure our edge and core. While a significant challenge, I have the distinct advantage of working in a company where I can leverage our own products and solutions – from our silicon root of trust and AI expertise, to our edge solutions. This is a significant multi-year project.

And, in a bit of a departure from the IT side, we also recently launched an initiative with the Girl Scouts that I’m very proud of. My cybersecurity team – specifically a group of very passionate and talented women on my team – worked to launch a curriculum and interactive online game called Cyber Squad, which aims to teach Girl Scouts fundamental cybersecurity knowledge and skills. The idea was to simulate the real-world impact of risky online behaviour, and to teach kids to take what they see on the internet beyond face value. This basic cybersecurity literacy is so important especially as kids become reliant and independent on the internet and social media. But beyond that, because we’ve launched this in a fun, gamified format, it has the potential to get girls excited about exploring STEM, unlocking the cybersecurity puzzle and fighting the bad guys – in this case, the bad guys being cybercriminals.

The cybersecurity industry is facing a huge talent gap with an estimated shortage of 3.5m skilled cyber professionals by 2021. As a cyber professional, I can’t stress enough how much of a challenge that is, especially with breaches rising in frequency and sophistication. I believe making more people aware about the profession as a whole and opening that possibility up to everyone is so important to closing the gap. Having a diverse talent pool can also foster different ways of thinking and innovating within a company – and, when it comes to beating the bad guys, you can’t have too much innovation. I hope partnerships like ours with the Girl Scouts are a start here and will encourage other tech organisations to work with the community to do the same.

How big is your team? Do you outsource where possible?

I lead a large global team of cybersecurity professionals spread out across multiple global locations, including HPE’s core Cyber Fusion Centers. I am fortunate to have a highly skilled team that delivers everything from our governing risk and compliance function, to our cybersecurity (fusion) operations, right through to our operations and engineering capabilities, to support those services.

While we certainly have a robust team, I do leverage other consulting skills to ensure my team is properly supported and we are moving as fast as the business needs us to. HPE actually has a huge focus on partnering and consulting with our Pointnext services practice so I’m lucky to be able to tap our talented ecosystem of partners and experts. Using outside resources also frees up my team to focus on more strategic issues and new emerging cyber challenges within the organisation.

What big tech trends do you believe are changing the world and your industry specifically?

AI will have a huge impact on both our world and security. From a bigger picture, AI has the potential to completely revolutionise how we deliver healthcare, make research breakthroughs and live. But, at the same time, AI is a very powerful tool that cybercriminals now have access to, which can be frightening.

With AI, you also gain other things you now need to protect: the AI algorithm itself and its data. We need to ensure that these are not manipulated to cause unforeseen outcomes. As AI becomes increasingly integrated into our daily lives, these assets will become very valuable goldmines for malicious actors.

On the flip side, for cybersecurity practitioners, AI has immense potential to accelerate response times, provide more context about complex situations and automate mundane processes – freeing us up to focus on more complex security concerns and analysis. Automation and orchestration will also be very valuable tools here, especially with the looming cybersecurity skills gap.

This dichotomy is true for each new emerging technology; they have the power to help us be better security practitioners but also become very desirable assets for hackers and, in their hands, equally powerful weapons.

In terms of security, what are your thoughts on how we can better protect data?

There tends to be a lot of emphasis on protecting data and detecting threats but, too often, infosecurity teams overlook understanding the data and how to recover that data. With how pervasive cyberthreats are these days, it’s only a matter of when you are going to undergo a breach, and so you have to know where your critical data is (eg is it regulated data or business-critical data or intellectual property?) and you have to be cyber-resilient to ensure you can quickly and smoothly recover it without losing valuable time, money and data.

If you look at recent attacks such as WannaCry and NotPetya, you can see how negatively impacting that was for some companies and institutions around the globe, and for the people that were relying on them for services. It wasn’t just a few hours or days they were impacted – it was weeks and months.

How resilient you are and how you recover from such attacks is just way too important. To better protect data and your business, you need to already be thinking about and planning for how to recover your data in the worst-case scenario.

Want stories like this and more direct to your inbox? Sign up for Tech Trends, Silicon Republic’s weekly digest of need-to-know tech news.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years