Peter Altabef is president of Dell Services. He assumed the role after the acquisition of his former employer Perot Systems by Dell in 2009. In this interview with SC UK editor Paul Fisher he talks about Dell's plans for integrated secure services and the wider issues affecting the security of enterprises.
Why did Dell buy into Perot rather than develop services in-house?
We actually started working with Dell back in March 2007 to help them build services capabilities. We were doing that on a white label basis so that by the time of the acquisition Dell had become one of our top five commercial clients.
Dell had actually already developed a quite substantial services group in-house, in excess of US$4 billion of revenue a year, but that group and the Perot team were very complementary in skills.
So in terms of software, the service offerings, in terms of modular services, remote delivery and management, the Dell Services team had world-class skills. What they had not focused on was outsourcing of data centres, business consulting, application development and business process services.
By putting these all together, we are creating an end-to-end services organisation.
Okay so what's different about Dell's proposition?
The first meeting I was in after the acquisition occurred was around an initiative we had throughout the company called Best Value Solutions. This lies at the intersection of hardware, software and services to help us create the next generation of products.
Whether that's building security into those products or building a level of knowledge and detail around how to best service those products, it is now going directly in at the design level.
When you launch these products, you also want to launch a full suite of services around them.
What percentage of your role now would you say is given over to security and data security, cyber security and serving the customers' needs in those areas?
Well, security is at the heart of all services. Certainly from a managed services standpoint, an outsourcing services standpoint, you have responsibility and are charged to secure the environment for your clients and customers. We do work in addition to that at the government level. We also are involved all the way to product design and how to build security right into the hardware and software.
Security consulting, as a standalone is a business that is beginning to grow, although still fairly modest. There are some issues such as healthcare privacy laws, European privacy laws and we need to be on top of the game from a regulatory standpoint.
There are some anomalies. Some of the regulations around violating healthcare privacy laws - the providers of the services can be punished more severely in some cases than the actual perpetrators who are trying to steal the data.
One would expect that to change over time, but different laws are in different areas of development. But it's good to see, from a cyber security standpoint, many countries now developing pretty rigorous laws and regulatory schemes to try to make it very clear what is prohibited conduct and go after that.
India, for instance, revised substantially in 2008 its cyber security rules and regulations and has now put in place really quite robust systems and regulations and you're seeing more and more of that around the world.
You must talk to a lot of CISOs. What are they saying to you and what do you think their main challenges are right now?
Yes. In my discussions with the C-suite executives I can sense a growing awareness of the risks and dangers of cyber security.
Research data shows that probably 70 per cent of large companies are now under fairly frequent attacks, and that's getting their attention.
That's markedly different from the conversations I was having even as recently as two years ago, where cyber security was something that was really left to the people working in the IT organisation.
One thing that you've talked about in the past is a cooperative, multinational approach to cyber security. What do you think is preventing that happening now?
If you think of the term cyber security as a cohesive set of issues, you're unlikely to get any progress because there are five levels of detail below that and you need to treat each of the five differently.
So you have cyber criminals, corporate espionage, governments spying on other governments, governments investing in offensive cyber capabilities. You also have terrorist organisations that may want to use the internet as a platform to launch terrorist attacks.
If you treat all of cyber security as a whole and you don't split it up into at least those five sectors, I think it's going to be very hard to make progress, either at the government level or at the private partnership level, because they all need a different approach.
One of the problems is that you might get a multinational agreement or a multiparty agreement, but at the same time the same nations that are signing up to this are doing the things you've just been talking about, either advanced persistent threats or investing in offensive cyber operations. So it makes for a very difficult environment to clean up the internet.
It does, but I don't think that that level of difficulty should stop people from progressing. I actually think it's that level of complexity that requires an incremental approach and not a boil the ocean approach. I think efforts to comprehensively deal with all five of those issues are simply too hard to expect to get meaningful improvement. At some, I think it's actually pretty easy. I think cultures around the world recognise that stealing other people's stuff is ethically and morally wrong and ultimately affects the spread of commerce and affects growth of economies.
So start at a very basic level by agreeing that stealing others' stuff is wrong and start firming up from there. I don't think it's necessary that you try to reach all of these things at the same time. I think you certainly can deal with the others on a concurrent basis.
What effect has the financial crisis had on your business and also on people investing in cyber security solutions?
We're very fortunate at Dell to have a very solid business and the power of innovation in our hardware and software is driving the business forward.
With respect to cyber security, we are getting to a non-negotiable point. Financial data has to be protected regardless of whether a financial institution is having trouble on its P&L line or not. When you look at things like healthcare regulations, the governments around the world are strengthening the privacy laws around healthcare regulations and the protection of data. That will have to be done regardless of cost.
While everything follows the economy in general, some of these issues, while not countercyclical, have their own impetus...
Dell is moving to security with its services, along with IBM, HP and Cisco. Is the writing on the wall for the smaller pure play security businesses?
Excellence in execution will always have a place and I believe that, regardless of size, you will find some outstanding security organisations providing IT security throughout enterprises.
There's still absolutely a place for high quality, smaller IT services providers, focusing on security. There are some advantages, as I mentioned.
Conversely, we're integrating security into the design of products and software, which brings advantages to certain levels of scale also.
Frankly, I think there's a tremendous shortage of cyber security professionals out there today and I welcome security efforts at all levels and with firms of all sizes.
What kind of professionals do you mean?
I mean services technologists who are trained in security protocols. We're actively recruiting and training at Dell a large number of security trained and certified professionals but there aren't as many out there as there should be.
That's a growth industry for college graduates to take note, and also I would tell you that I think it's one again that our clients and customers are now more willing to fund and pay for than they have in the past.
Do you think that security suffers from an image problem or people don't realise the opportunities within it?
I think it's the newness. When you look at this entire field, it's less than 20 years old, so it takes a while for colleges and universities to begin to scale, to focus on relatively new things.
We're working with colleges and universities around the globe on this, by the way, in helping them set up coursework and work with them. The speed with which the cyber criminals are changing their modes of behaviour is daunting and it requires a level of nimbleness to confront it.
This requires courses to be changed every semester, rather than every three or four or five years. So there is a certain amount of investment that comes with this training because of the amount of change that has to go on in the curriculum. That makes it, by the way, all the more fascinating, all the more interesting and all the more challenging for the people in the field. So none of that is a negative, other than it is expensive to launch the curricula.
Perhaps we can have a brief peek into the future. Given everything you've said, given the problems we face and education, where will we be five years from now?
I'm an optimist so I think where we will be and where I'd like us to be is going to be the same. I do believe that we will make progress on the low-hanging fruit. I do believe that we will get some consensus around the areas of both cyber crime and industrial cyber espionage. I think we will have law enforcement organisations working in a much more cohesive and organised fashion.
