PODCAST

Getting IT to Speak Business-ese: Q&A With HP VP Andy Isherwood

Let’s explore the major enterprise software and solutions trends and innovations that are making news across the global HP ecology of customers, partners and developers.

I’m Dana Gardner, principal analyst at Interarbor Solutions. Join me now in welcoming Andy Isherwood, vice president and general manager of HP Software and Solutions.

Dana Gardner: Clearly a part of doing more for less, which has been, unfortunately, a theme that most people are grappling with these days, has involved the need to run IT more like a business to get more insight into what’s going on from a business requirements and financial expectations perspective.

Tell me a little bit, if you could, about what you’re seeing in terms of how organizations are both dealing with this lack of funds but the need to change the way in which they can deliver the results back to the business?


Listen to the podcast (12:51 minutes).


Isherwood: I’ve been in IT for quite a long time, and we’ve been talking long and hard about IT being at the core of business, and IT being in the business, but the reality probably hasn’t changed significantly. IT people still operate in their own space, with their own jargon, and don’t really link that well to the business.

Obviously, it’s a huge generalization, but the reality is that, in many organizations, IT is this separate silo, quite often not reporting to the CEO, and therefore quite disconnected from the business drivers.

As we’re seeing more and more CIOs reporting to the CEO and being involved in board meetings, the reality is now changing. People now understand what the core business drivers are. People are being coached heavily, because they might not have come from an IT background. They might have come from the business. They’re better able to link the business drivers of the organization to what IT can actually deliver, but not in IT terms. In terms of what is the value to the business and how does it address those business drivers.

The other question that’s linked is, what’s happening with budgets, and, therefore, what are the priorities? Clearly, we are in very uncertain times. A year ago, we moved into a recessionary period. Budgets for ’09 were set, and they were typically significantly less.

All the conversations I’ve had with CIOs are that the capital expenditure is typically being reduced by anything between 0 and 40 percent, and operating expenditures being decreased by up to 10 percent. It’s less, but still pretty significant.

So you’ve ended up with a significantly smaller budget to do stuff, which can cause big problems for organizations. They have a certain amount of infrastructure in day-to-day activities to maintain. This means that they have to spend all their budget on existing projects and keeping the lights on, rather than any innovation. If you can’t innovate, then you can’t deliver value back to the business and you become just an IT function delivering the core value.

IT budgets, if you’re not very careful, are driving the organization to just do the core IT functions, rather than link back into the business and add real value in a period, in which it’s probably the most important thing to do. So, how do we innovate and how do we use the budget more effectively than we do today to allow us not just to keep the lights on, but to do this huge amount of innovation?

If we don’t do it now, we won’t be able to do it in the future, because as demand picks up, it’s just going to be “all hands to the pump” to be able to deliver just the demand that picks up, as we come out of the recession.

It will be interesting, as we go into the new budgeting period for [fiscal year] ’10. Are there enough green shoots of recovery to allow people to have confidence to increase budgets and invest, or are we going to have another year of kind of tight budgets? People are very much at the crossroads of needing to innovate and do things differently, but are constrained by budgets, which is a difficult balance.

Gardner: We also see, as they’re grappling with these organizational transformational issues, similar opportunities in the form of a variety of sourcing options. We’re hearing an awful lot about the interest in cloud, questions about cloud computing. People are opening up to this notion of the need to examine what we do internally and find some aspects of that that are better served more economically and just as well outside the organization.

We’re dealing with more than just services, software solutions. We’re now looking at sourcing. That, to me, is a decision beyond just technology.

It’s about transforming how your business works. How are the folks you’re talking to here managing this new dimension of sourcing options?

Isherwood: As you say, people are being given a number of different options. Now that can be good and bad. People have a lot of choice, but they quite often find it difficult to make a decision on the best choice. Other people feel that the choice gives them a lot more scope to do things differently, to manage budgets in a different way, and do things more effectively.

Whether it’s insourced, outsourced, a partner activity, whether it’s on premise or off premise, all of these options give people choices. From an HP standpoint, we have the ability to give people the choice. Our recent acquisition of EDS clearly adds the last pillar of choice, given that we have now an outsourcing business, which is significant.

We can go sell solutions. We can deliver stuff through the cloud and via Software-as-a-Service (SaaS) offerings. We’ve got the complete breadth of offerings to allow people to make those choices.

We’re finding that people want advice around the choices. It’s all well and good to have all these choices equivalent to modes of transport, but people need to be given direction, which we’re trying to do. What I’m hearing from customers is that they want advice on what should they insource, what should they outsource, what should they put in the cloud, and what should they have as a SaaS offering.

That’s a really important job and an important role for someone like an HP, which actually doesn’t have a bias, because we’ve got all the options. If we were only a cloud computing or any outsourcing company, we’d be giving customers one option. Our role as a consultant to not only evaluate what is best for those organizations, but what is good for them financially, is a very important part of the role HP can play and should play.

Sourcing is important. The good news is we’ve got all the options, and the good news is we now have consulting capability to advise people — not tell people, but advise people — on what those options are and what we think is the right strategy for them as an organization.

The pricing pressures and the budget pressures that we talked about earlier may force people to outsource or put stuff into the cloud, which is going to be a different driver in a year’s time, when we’re through the recessionary period. The financial situation at the moment is driving a more intense look at those sourcing options and what it does from a financial point of view for that particular organization.

SaaS is a great offering. We’ve been in that business for nine years and we have 700 customers. So, we know that business well. We know that in times, in which capital expenditure is being restrained, they can move to a more operating expense oriented budget, but still be able to innovate, which is a pretty compelling proposition. As we move through, and capital expenditure is freed up, that might change, but at least people have the option.

Gardner: Part and parcel with these options is to assess risk and to understand not only what you might be able to do, but what penalties might be involved. This, to me, is a function of governance — being able to forecast, implement, and then to adjust and amend a few policies and automate that across organizations or across boundaries. So, when we look at this process going forward through the lens of governance, how do you see that unfolding and what does HP bring to the table on that?

Isherwood: The management of all of these sourcing options is a key consideration. Take the example of an organization putting things onto a public cloud. They’re still going to have the same requirements from a governance and management standpoint, but it might be a lot harder than having it in-house.

Management requirements on governance around what data is out there, what performance is like, and what scalability is like, are all considerations and discussions that we help with. It can make the whole world a lot more complex for CIOs. Therefore, the management capability that we have around all of those options becomes even more important.

It’s less important for them to understand and worry about that in-house infrastructure. What they need to do is manage the service that’s being delivered by people outside of their organization. It becomes more of a management of the service, than management of the infrastructure that develops or delivers the service. So, our role is about governance, management and control of the services that are delivered to an organization, rather than the product, power or the storage that’s delivered to a company.


Dana Gardner is president and principal analyst at Interarbor Solutions, which tracks trends, delivers forecasts and interprets the competitive landscape of enterprise applications and software infrastructure markets for clients. He also produces BriefingsDirect sponsored podcasts. Disclosure: HP sponsored this podcast.



Linux Security Study Reveals When, How You Patch Matters

Computer security only happens when software is kept up to date. That should be a basic tenet for business users and IT departments.

Apparently, it isn’t. At least for some Linux users who ignore installing patches, critical or otherwise.

A recent survey sponsored by TuxCare, a vendor-neutral enterprise support system for commercial Linux, shows companies fail to protect themselves against cyberattacks even when patches exist.

Results reveal that some 55 percent of respondents had a cybersecurity incident because an available patch was not applied. In fact, once a critical or high priority vulnerability was found, 56 percent took five weeks to one year on average to patch the vulnerability.

The goal of the study was to understand how organizations are managing security and stability in the Linux suite of products. Sponsored by TuxCare, the Ponemon Institute in March surveyed 564 IT staffers and security practitioners in 16 different industries in the United States.

Data from respondents shows that companies take too long to patch security vulnerabilities, even when solutions already exist. Regardless of their inaction, many of the respondents noted that they felt a heavy burden from a wide range of cyberattacks.

This is a fixable issue, noted Igor Seletskiy, CEO and founder of TuxCare. It is not because the solution does not exist. Rather, it is because it is difficult for businesses to prioritize future problems.

“The people building the exploit kits have gotten really, really good. It used to be 30 days was best practice [for patching], and that is still an ideal best practice for a lot of regulations,” TuxCare President Jim Jackson told LinuxInsider.

Main Takeaways

The survey results expose a misconception: the Linux operating system is not rigorous and foolproof without intervention. Unaware users often don’t even activate a firewall. Consequently, many of the pathways for intrusion result from vulnerabilities that can be fixed.

“Patching is one of the most important steps an organization can take to protect themselves from ransomware and other cyberattacks,” noted Larry Ponemon, chairman and founder of Ponemon Institute.

Patching vulnerabilities is not just limited to the kernel. It needs to extend to other systems like libraries, virtualization, and database back ends, he added.

In November 2020, TuxCare launched the company’s first extended lifecycle support service for CentOS 6.0. It was wildly successful right off the bat, recalled Jackson. But what continues to trouble him is new clients coming for extended lifecycle support who had not done any patching.

“I always ask the same question. What have you been doing for the last year and a half? Nothing? You haven’t patched for a year. Do you realize how many vulnerabilities have piled up in that time?” he quipped.

Labor-Intensive Process

Ponemon’s research with TuxCare uncovered the issues organizations have with achieving the timely patching of vulnerabilities. That was despite spending an average of $3.5 million annually over 1,000 hours weekly monitoring systems for threats and vulnerabilities, patching, documenting, and reporting the results, according to Ponemon.

“To address this problem, CIOs and IT security leaders need to work with other members of the executive team and board members to ensure security teams have the resources and expertise to detect vulnerabilities, prevent threats, and patch vulnerabilities in a timely manner,” he said.

The report found that respondents’ companies that did patch spent considerable time in that process:

  • The most time spent each week patching applications and systems was 340 hours.
  • Monitoring systems for threats and vulnerabilities took 280 hours each week.
  • Documenting and/or reporting on the patch management process took 115 hours each week.

For context, these figures relate to an IT team of 30 people and a workforce of 12,000, on average, across respondents.

Boundless Excuses Persist

Jackson recalled numerous conversations with prospects who repeat the same sordid tale. They mention investing in vulnerability scanning. They look at the vulnerability report the scanning produced. Then they complain about not having enough resources to actually assign somebody to fix the things that show up on the scan reports.

“That’s crazy!” he said.

Another challenge companies experience is the ever-present whack-a-mole syndrome. The problem gets so big that organizations and their senior managers just do not get beyond being overwhelmed.

Jackson likened the situation to trying to secure their homes. A lot of adversaries lurk and are potential break-in threats. We know they are coming to look for the things you have in your house.

So people invest in an elaborate fence around their property and monitor cameras to try to keep an eye on every angle, every possible attack vector, around the house.

“Then they leave a couple of windows open and the back door. That is kind of akin to leaving vulnerabilities unpatched. If you patch it, it is no longer exploitable,” he said.

So first get back to the basics, he recommended. Make sure you do that before you spend on other things.

Automation Makes Patching Painless

The patching problem remains serious, according to Jackson. Perhaps the only thing that is improving is the ability to apply automation to manage much of that process.

“Any known vulnerability we have needs to be mitigated within two weeks. That has driven people to automation for live patching and more things so you can meet tens of thousands of workloads. You can’t start everything every two weeks. So you need technologies to get you through that and automate it,” he explained as a workable solution.

Jackson said he finds the situation getting better. He sees more people and organizations becoming aware of automation tools.

For example, automation can apply patches to OpenSSL and glibc libraries while services are using them, without having to bounce the services. Database live patching is now available in beta, which allows TuxCare to apply security patches to MariaDB, MySQL, MongoDB, and other kinds of databases while they’re running.

“So you do not have to restart the database server or any of the clients they use. Continuing to drive awareness definitely helps. It seems like more people are becoming aware and realizing they need that kind of a solution,” said Jackson.

Jack M. Germain

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics.


Canonical Lets Loose Ubuntu 22.04 LTS ‘Jammy Jellyfish’


Canonical’s Ubuntu 22.04 LTS, aka “Jammy Jellyfish,” is now generally available with features that raise the bar for open source — from cloud, to edge, to IoT and workstations.

The desktop version is one of the biggest LTS releases from Ubuntu with respect to visual and feature changes. This major upgrade to GNOME 42 brings changes to the desktop itself in terms of layout, appearance, and how things work.

If the Ubuntu desktop is your only connection to Canonical’s infrastructure, you can expect some mild and minor hands-on adjustments. If you deal with the rest of Ubuntu’s enterprise world, you will find a lot more hardcore improvements in security and performance for IoT and cloud computing connections.

Canonical announced the new release on Thursday, detailing features that bring significant leaps forward in cloud confidential computing, real-time kernel for industrial applications, and enterprise Active Directory, PCI-DSS, HIPAA, FIPS, and FedRAMP compliance.

The new desktop release, however, comes without the anticipated new installer, which uses Flutter, an open-source user interface, noted Oliver Smith, Canonical’s program manager for the Ubuntu desktop. The Flutter element is not fully ready for deployment. Instead, Canonical will release a build of 22.04 that does feature the new installer later in the update cycle.

“I think when you are dealing with something that we want to support for five years, and we were expecting a huge amount of adoption, we just did not feel that we would have the opportunity to test across all the different sort of ranges of hardware and use cases that we wanted to get (for) confidence to go live out of the box,” Smith explained.

“It is evolving a lot in the background, but just the timing did not quite work out for this release.”

Ubuntu Desktop Still in Focus

The range of use cases that involve Ubuntu Server, IoT, and cloud OS installations is not making the Ubuntu desktop edition less significant, according to Mark Shuttleworth, CEO of Canonical. Responding to a reporter’s question Tuesday during a virtual presentation, he denied that the Ubuntu desktop itself is less important now than other enterprise factors.

“Our mission is to be a secure, reliable, and consistent open-source platform everywhere,” he said. “Ubuntu 22.04 LTS unlocks innovation for industries with demanding infrastructure security requirements, such as telecommunications and industrial automation, underpinning their digital transformation.”

So the desktop is sort of central to Ubuntu’s narrative, Shuttleworth added. It is also central to the kind of innovation work a lot of the company’s developers do within Intel.

“For example, [improvements] enable the same sorts of high-end capabilities whether those are battery life or performance capabilities on Linux that they achieve on platforms like Windows,” he said. “Those are really important.”

In terms of resources, Canonical has about 60 people working with its various partners — Dell, HP, Lenovo — and the industry supply chain on the desktop. Plus, another 20 engineers or so work on core desktop capabilities, he noted.

Ubuntu Adoption Grows Deep

Ubuntu is deeply integrated into public clouds and optimized for performance, security, and ease of use. A key new capability is confidential computing, which greatly improves data protection and privacy in leading public clouds without requiring any changes to existing application deployments.

Ubuntu is the only Linux distribution supporting Azure confidential VMs, according to Vikas Bhatia, head of product for Azure Confidential Computing at Canonical. To ensure great performance on Arm, Canonical also optimized Ubuntu 22.04 LTS images for AWS Graviton.

On AWS, Ubuntu is available from EC2, with multiple images including support for the latest Graviton chips, all the way to containers. This includes the latest Arm servers, Ampere A1, that provide high-performing and cost-effective solutions for all types of workloads, he said.

Other Major Ubuntu Plaudits

Innovators on Raspberry Pi get the first long-term support release with Ubuntu Desktop support on the Raspberry Pi 4. The entire recent Raspberry Pi device portfolio is supported for the very first time, from the new Raspberry Pi Zero 2W to the Raspberry Pi 4, said Eben Upton, CEO of Raspberry Pi Trading.

“It is great to see a certified Ubuntu Desktop release that includes support for the 2 GB Raspberry Pi 4, giving developers all over the world access to the most affordable development desktop environment,” he said.

Ubuntu WSL (Windows Subsystem for Linux) delivers deep integration with native Windows development environments like Visual Studio Code and Docker Desktop across a shared file system. Users mix Windows and Linux commands to create efficient workflows for data science, web development, and IT systems management. Users of Ubuntu WSL can upgrade to 22.04 LTS directly.

For Windows and macOS developers, Multipass provides Ubuntu 22.04 LTS VMs on-demand with full cloud-init for cloud prototyping at home. Multipass gains Apple M1 support, making it the best way to drive development for new ARM cloud instances, according to Canonical. Multipass has also added support for Docker workflows to unify the developer experience for cloud and cloud-native applications.

For shared development environments, multi-user LXD offers per-user project segregation. This addition restricts specific user permissions so multiple people can safely share the same LXD cluster.

Foundation for Data-Sensitive Workloads

Ubuntu is the platform of choice to run Microsoft SQL Server on Azure with enterprise-grade support, noted Canonical. SQL Server on Ubuntu Pro LTS for Azure offers scalability and performance.

It also gives business-critical SQL Server workloads access to comprehensive open-source security on Azure. Nvidia virtual GPU (vGPU) software drivers are generally available now.

Data scientists can natively install Nvidia vGPU Software 14.0 and benefit from highly-performant GPU resources across multiple virtual machines simultaneously. This allows data scientists to use parallel, isolated advanced AI/ML workloads to help ensure that the underlying hardware resources are used efficiently.

“Enterprises, data scientists and developers building AI solutions require integrated systems and software that easily support MLOps workflows,” said Manuvir Das, vice president of Enterprise Computing at Nvidia.

“Organizations can now run Nvidia AI on Ubuntu to help solve some of humanity’s biggest challenges with new products and systems that simplify operations, boost safety, and improve communication,” Das added.

Other Ubuntu Strengths

The Ubuntu 22.04 LTS base image is available on Docker Hub along with a Canonical-maintained portfolio of secure and stable LTS application container images. Existing LTS Docker images on Ubuntu will receive new long-term supported 22.04-based tracks.

These include MySQL, PostgreSQL, and Nginx. The open-source applications portfolio is expanding further, focusing on Observability and Big Data, with new Grafana Loki, Apache Kafka, and Apache Cassandra container images.

“Ubuntu plays an essential role on Docker Hub, as one of the most popular Docker Official Images,” said Webb Stevens, senior vice president of Secure Software Supply chain at Docker.

Real-Time Kernel, Too

Canonical also reported that the Ubuntu 22.04 LTS real-time kernel is available in beta.

Designed to meet telco network transformation needs for 5G, the real-time kernel delivers performance, guaranteed ultra-low latency, and security for critical infrastructure. This new kernel also serves latency-sensitive use cases in industrial automation and robotics. “It handles real-time applications like Cloud RAN,” said Dan Lynch, marketing director at Intel.

“The real-time kernel in Ubuntu 22.04 LTS leverages the acceleration from Intel hardware, allowing us to compete on even terms with the biggest network equipment providers,” said Radoslaw Adamczyk, technical lead at IS-Wireless, which develops and delivers mobile networks in the OpenRAN model.

That offers the ability to have one platform for the whole stack, from bare metal with MAAS to Ubuntu OS, LXD VM and MicroK8s on the edge. Ubuntu 22.04 LTS adds Rust for memory-safe systems-level programming. It also moves to OpenSSL v3, with new cryptographic algorithms for elevated security.

Desktop Highlights

Ubuntu’s default GNOME desktop gains significant usability, battery, and performance improvements with the GNOME 42 upgrade featuring GNOME power profiles and streamlined workspace transitions alongside significant optimizations which can double the desktop frame rate on Intel and Raspberry Pi graphics drivers.

GNOME 42 brings a horizontal workspace view alongside the horizontal application view. The changes will require some muscle memory adjustments to get used to updated and new applications.

Expect lots of new looks. Some of the notable upgrades involve changes to the base color scheme and the Jammy Jellyfish default wallpaper.

File Manager has a more compact look, and new screenshot tools change how you do captures.

Available for Download

Ubuntu 22.04 LTS Jammy Jellyfish is available now on Ubuntu Downloads and major public clouds.

Jack M. Germain