Catch Pekka Usva, VP, Corporate Security Business, F-Secure in a conversation with Sanchit Vir Gogia, Chief Analyst & Group CEO,Greyhound Research on Greyhound Research’s knowledge sharing series ONTrigger.
Don’t have enough bandwidth to stream a video? No worries! Hear the conversation as a podcast on #GreyhoundRadio Click on the icon on the right.
BTW, if you like what you read below, just click the twitter birdy (in text, in blue) to tweet 😉
Sanchit Vir Gogia: Good morning! Good afternoon! Good evening! Thank you all our friends and subscribers to take the time out to see our first ever video of the interview series Greyhound Research ONTrigger. In case you have missed it, we made this big announcement last week and you can find out more about it by going on twitter and searching with the #ONTrigger. So as part of the first interview we have the good fortune of having Mr. Pekka Usva who happens to be the Vice President Corporate Security at F Secure Corporation. Welcome to the show.
Pekka Usva: Thanks for inviting. It is great to be here
SVG: It’s a pleasure to have you here. Pekka has been for a long time in the security industry, about 16-17 years?
PU: 20 this year.
SVG: 20 this year. Wow! That’s really long.
PU: It is. It is.
SVG: He also was appointed as part of the management team in July, 2012. So the idea behind this show is to put together a comprehensive understanding of how the security landscape has changed over the years. So Pekka, few comments about the fact that look the entire security paradigm is changing. There are five layers to security, there is the application, end point, network, data centre, and of course policies. Now with organisations aggressively using mobility, aggressively using cloud delivered workloads, be it private cloud or public or be it even managed services, how do you think the entire security landscape has changed over the last few years?
PU: What I believe is increasing mobility is a great promise for working mobile workforce. You can access any of your device, any of your service from anywhere at any time in the moment. That is a great thing but then comes the question that how do you make it secure enough so at the same time it is highly useful and productive to use those device. I think the biggest topic we are still looking in security I would say is vendor side, still figuring out what’s the best way to do it in a highly intuitive and a simple way because that kind of all the way goes back to bring your own device movement and I think the times are new . You really have to embrace the productivity and our people, our users, workers to conduct your business agenda, also private agenda the most convenient way, yet to be able to protect you in an adequate level. And I think it will happen mostly in the end points because the end points are many and many more to come and people use end points.
SVG: So are you suggesting that end point is the right starting point for organisations of all sizes?
SVG: Is Software less Security real?
PU: Depends whom you refer but I mean things that are being said or stated, I believe it’s really not simple because it starts from the end point as the user is the one who quite often makes the mistake and definitely end point is the device or the access point for the corporate or to the private data services what-so-ever. So I think the product at the end point, be it the PC or post PC era devices is highly relevant and what’s on top of that is then to be figured out as well.
SVG: Are we complicating end points because people are taking mobility differently, PCs differently, tablets differently. Shouldn’t the security for all these end points be looked at in a singular fashion?
PU: I very much believe so. Regardless of the end point, the use cases are pretty much the same. The way you use not the device but through the device the services, the data, your connections, connectivity is pretty much the same. It doesn’t matter if it is PC or laptop or smart phone or tablet, it’s all the same. So why would then the security paradigm or the security received be any different from PC to post PC devices. From relevant point of view I think it should be all equal.
SVG: To be all equal you say. Okay, so let’s talk about the fact that when an organisation goes through this change, brings in the mobiles, brings up the cloud workloads, what’s the level of preparedness? How should they be viewing security really?
PU: I think the preparedness I would claim it, where I saw that, and maybe even before the security the first question is, okay, do you know your fleet? What are the devices you have or you might have? PCs might still be roughly right, you know your stuff but when you go to a company, what post PC era device like smart phones, tablets, what brand, version and so forth, how many of those, who’s using, most likely there is no answer at all. So how do I plan the security on such a base. You have to first figure out fleet and then you can figure out, okay, now I know what I want to do next with that.
SVG: But do you think the way that organisations look at security vendors has changed because the way security was looked at was not really part of the CIO agenda and all of a sudden the board is asking very hard questions to the CIO and saying look, data privacy is important to us, and there have been so many cases, Sony for example off late has suffered a massive loss. So, when you talk to these organisations do you still talk to the CIO or has your conversation gone beyond the CIO to the more CEO board level conversations.
PU: I think the kind of important and modern time we are living in, it is obvious for, well it is kind of a new level, a new type of discussion, we didn’t use to have eighteen months ago. But that’s awfully healthy. Now at least we are talking about it and kind of trying to understand it as to what’s the security in depth. It’s not about the software only or the solution, it’s all about the practices, the policies, the education, the awareness and then wrap it around with a solution or software. So I think it is definitely more on the discussion with the C level people and is supposed to be because maybe it’s only about the question of say, business continuity or securities, quite often a bit kind of disconnected from the core people or business personnel making business or when not having the security in place, not making business anymore. So I think that way it makes it relevant and now highly visible.
SVG: I speak to so many CIOs and the CIOs tell me that look you talk about security to me on a high level but when it comes to the nitty gritties, don’t talk to me, I’ve got a CISO. So I think the fact that security should be a part of the CIO agenda and not just the CISO agenda is a very important change that we need to go through.
PU: Yeah, I think it’s about risk management at the end of the day. You protect your core business against whatever kind of business risk and of course security is one way to deal not with all risks but to a certain quite relevant segment.
SVG: Let’s talk about the wallet size. I’m sure you love the entire sound of the wallet size, the more dollars coming in. Has the wallet size for security really changed or is it sort of squeezing now and you know everything is cloud delivered, it’s like one dollar at the end point, so how’s the wallet size now?
PU: Honestly, most likely, I would give you a wrong number if I would say anything about whether it’s increasing or not. I would bet that not only there are new layers of security but also new security players in the market. Of course you know, the market per say is growing so that’s a healthy sign and of course it’s great to be in a market which grows and there are certain growth pockets growing like double, maybe triple digits year over year and that’s healthy. And then it’s maybe kind of inside the security, I would say the market, the question is on what areas or pockets do the investments today go into. But I think security quite often goes in, maybe always, so it’s part of the IT investment thinking and the IT security is a part of that. I would bet that quite often it’s not the case that IT security would be considered as an only investment pocket or an area.